
Is it possible to create ONE certificate to be used by all of my local development?

Open Nefcanto opened this issue 3 years ago • 9 comments

I have a lot of websites and web apps. I'm using .local as my development TLD. For example:

  • shop.local
  • user.game.local
  • api.geo.local
  • admin.cars.local
  • investor.brokerage.local
  • ...

This list is not known beforehand, thus I can't use SAN.

But is it possible to create ONE and ONLY ONE general *.* certificate that can be used by all of these local domains?

Nefcanto, Jul 16 '21 10:07

mkcert -h shows you how to create a cert with many domain names, including wildcards.

$ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
Generate "example.com+4.pem" and "example.com+4-key.pem".

Just list all of your domains there.

rfay, Jul 16 '21 13:07

Thank you @rfay for answering.

The point is, I don't know the name of the domains. Thus I can't list them there. Does this command work?

mkcert *.*

Nefcanto, Jul 16 '21 13:07

No, you can't create certs without knowing the names of the domains you're creating the certs for.

I maintain ddev though, that does all this for you on the fly (using mkcert). Maybe that would be an option for you.

But no, you cannot use any tool to create an "Accept-anything" cert. This is about certs and how they work, it's not about mkcert. You'd have to write your own browser and neuter its capabilities to do that. It's called "http" instead of "https".

rfay, Jul 16 '21 13:07

OK, thank you. I understood. There is no possibility for a universal wildcard certificate to be used for development.

This means that I have to automate the certificate creation process somehow so that for each project I won't be required to create a certificate, update the Nginx config file, and create an entry in local DNS.

Nefcanto, Jul 16 '21 16:07

You could try mkcert *.local. That should do a catch-all for everything under .local tld.

minecraftchest1, Aug 24 '21 20:08

@minecraftchest1 this is what I got:

Created a new certificate valid for the following names 📜

  • "*.local"
    Warning: many browsers don't support second-level wildcards like "*.local" ⚠️

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.local ℹ️

The certificate is at "/Temp/Local/Certificate.pem" and the key at "/Temp/Local/Key.pem" ✅

It will expire on 25 November 2023 🗓

So, this is not practical.

Nefcanto, Aug 25 '21 05:08

This is not doable, you can close the issue.

gaby, Sep 18 '21 13:09

> You could try mkcert *.local. That should do a catch-all for everything under .local tld.

This doesn’t work.

harryqt, Aug 04 '22 10:08

You can create a cert for *.dev.localhost. It works and should resolve internally.

app1.dev.localhost app2.dev.localhost etc...

will be all covered.

You can use anything else instead of dev if you prefer. It is there just to make a 3rd-level wildcard (instead of a 2nd-level one) and get accepted by browsers.

renatofrota, Feb 11 '24 07:02
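The matching rule the thread keeps running into, as an added example that is not part of the thread or of mkcert's code: a wildcard stands for exactly one leftmost label, and a wildcard directly under a TLD is the case mkcert warns about. The helper names are hypothetical, the matcher is a simplified whole-label check, and `api.game.local` is a constructed sibling host; the sketch turns a host list into the names to pass to mkcert.

```python
# Added illustration; function names are hypothetical, not mkcert's.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def wildcard_matches(pattern, host):
    """Leftmost-label wildcard match: '*' stands for exactly one label."""
    p, h = labels(pattern), labels(host)
    if len(p) != len(h):
        return False              # '*' never spans a dot: *.local != a.b.local
    if p[0] == "*":
        return p[1:] == h[1:]     # only the first label may be a wildcard
    return p == h

def is_second_level_wildcard(pattern):
    """True for names like '*.local', which mkcert warns many browsers reject."""
    p = labels(pattern)
    return p[0] == "*" and len(p) == 2

def san_for(host):
    """Name to request for one host: the sibling wildcard when it is usable."""
    h = labels(host)
    candidate = ".".join(["*"] + h[1:])
    if len(h) < 2 or is_second_level_wildcard(candidate):
        return ".".join(h)        # fall back to listing the exact name
    return candidate

def plan_sans(hosts):
    """Deduplicated names, in first-seen order, that cover every host."""
    sans = []
    for host in hosts:
        if not any(wildcard_matches(s, host) for s in sans):
            sans.append(san_for(host))
    return sans

# Hostnames from the thread, plus one constructed sibling (api.game.local).
HOSTS = ["shop.local", "user.game.local", "api.game.local", "api.geo.local",
         "admin.cars.local", "investor.brokerage.local", "app1.dev.localhost"]

if __name__ == "__main__":
    # Quote each name so the shell does not expand '*' before mkcert sees it.
    print("mkcert " + " ".join(f'"{s}"' for s in plan_sans(HOSTS)))
```

Re-running the planner when a new project is added shows whether the existing certificate already covers the new host or a new name has to be issued.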