mkcert
Support Firefox on Windows
Hello, I would like to ask about support for FF on Windows 10. Are there any plans for this, or any chance of it? Or maybe you know of a "hack" for it?
These instructions should work for you, courtesy of @gilbertsoft: https://ddev.readthedocs.io/en/stable/#windows-and-firefox-mkcert-install-additional-instructions
Woooow, I can't believe it, but at first glance it works without a problem!
The only thing I had to do differently was choose rootCA.pem instead of rootCA-key.pem
I leave this ticket open - maybe it will be helpful to the mkcert author
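Related to the comment above about choosing rootCA.pem rather than rootCA-key.pem: the following check is an added example, not part of the thread or of mkcert. It confirms that a PEM file holds only a certificate (no private key) before it is imported into a browser, and prints the SHA-256 fingerprint to compare with what the certificate viewer shows afterwards. The helper names and the sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import sys

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Return (certs, key_labels): SHA-256 fingerprints of CERTIFICATE blocks
    and the labels of any private-key blocks found in the PEM text."""
    certs, key_labels = [], []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            digest = hashlib.sha256(der).hexdigest().upper()
            certs.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
        elif label.endswith("PRIVATE KEY"):
            # Covers PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
            key_labels.append(label)
    return certs, key_labels

def safe_to_import(text):
    """True only for a file holding exactly one certificate and no key."""
    certs, key_labels = inspect_pem(text)
    return len(certs) == 1 and not key_labels

def make_pem(label, data):
    """Hypothetical helper that wraps bytes in a PEM block for the samples."""
    b64 = base64.b64encode(data).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample input: placeholder bytes, not real certificate or key data.
FAKE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_CA = make_pem("CERTIFICATE", FAKE_DER)
SAMPLE_KEY = make_pem("PRIVATE KEY", b"constructed placeholder, not a real key")

if __name__ == "__main__":
    # Pass the path of the file you are about to import, e.g. rootCA.pem.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CA
    certs, keys = inspect_pem(text)
    verdict = "OK to import" if safe_to_import(text) else "do NOT import"
    print(verdict, "| fingerprints:", certs, "| key blocks:", keys)
```

A file that reports any key block is the CA's signing key and should stay on the machine that generated it; only the certificate file belongs in a trust store.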
This looks promising: https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/
@mattbrundage - it worked for me! TY!
@mattbrundage, I found that didn't work for me. But I have had luck since FF 64 with enabling this setting instead: https://wiki.mozilla.org/CA/AddRootToFirefox
It has worked for me both with my own manually created certs with OpenSSL and the one I just created with mkcert.
It looks like it should be possible to implement this with the system certutil. If someone with a Windows box could contribute that it would be great.
In the meantime, the two options are adding it manually or enabling system roots in Firefox.
- https://ddev.readthedocs.io/en/stable/#windows-and-firefox-mkcert-install-additional-instructions
- https://wiki.mozilla.org/CA/AddRootToFirefox#Windows_Enterprise_Support
I've been wanting to help on this for some time. I've been looking through the Mozilla docs for certutil, but I'm not really sure where to start, unfortunately. I should be able to circle back to this in a week or two, but any hints to get me started would be very helpful.
Setting security.enterprise_roots.enabled = true in Firefox about:config worked for me, nothing else required. Latest version 100 installed through Windows Store.
@FiloSottile I've implemented a workaround using an embedded version of the certutil binaries on all platforms. Happy to submit a PR if you're ok with that approach. You can see the change here and here. Only real issue I have with this approach currently is cleaning up the temp dir on any error, but I'm ok with letting the binaries get cleaned up later by the user or OS as a worst case.
I'm not @FiloSottile but please submit the PR, as long as you've confirmed it works on all platforms, mac (both architectures), Windows, Linux (arm64/amd64). It would be great not to have to instruct people about this.
@rfay Mac and Windows should be fine but Linux/arm64 might be a little trickier, particularly with varying versions of glibc.
I grabbed a certutil binary for my armv7l raspi but the glibc was incompatible on my box. Might be possible to build the binaries but probably better to depend on system packages for other than the standard case on linux. Thoughts?
Yeah, if you can't solve it on all platforms it won't be a go IMO. Ubuntu arm64 has certutil.... If you're copying the certutil binary from somewhere for each platform and then embedding it I don't think that would be a useful or reliable technique. mkcert needs to be built from source.
Right, it's not compiling at install time. It's pretty easy to solve for Windows but Mac and Linux are a bit more complicated due to shared libs as mentioned earlier, but there it's also somewhat easier to solve since the tool itself would generally be installed via package manager.
Not everybody uses package manager to install mkcert, although I note that it's now in Ubuntu 22.04 packages, not sure how it got there.
I hope this is still open. The certificate appears to be correctly installed and my https://localhost:[PORT] website opens without any warnings, but I still get a "This operation is insecure" exception when trying to register a service worker. This is exactly as if I was running it on http instead of https. Is this a matter of trusting the certificate? But it should have displayed a warning otherwise; it did at first, before adding the CA to Firefox. Can anybody help me out, or at least give suggestions about what might be the issue?