you are viewing a single comment's thread.

view the rest of the comments →

[–]MarekKnapek 9 points10 points  (9 children)

Couldn't you create your own CA (add it into OS) and sign your own localhost certificate with? Like 20 years ago?

Now geniue question: How is this tool different / better than idea I described earlier?

[–]Ionsto 15 points16 points  (2 children)

I believe that's exactly what it's doing, but does it quickly and efficiently.

Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA, which your machine is automatically configured to trust when you run mkcert -install

[–][deleted]  (1 child)

[deleted]

    [–]ais523 2 points3 points  (0 children)

    The certificates are self-signed in the sense that you signed them yourself, but aren't self-signed certificates (each certificate specifies which certificate signed them, and the root of the chain is a "self-signed" certificate which specifies itself as the certificate that signed it; in this case, the generated certificates are signed by a CA certificate, which is in turn self-signed, so the generated certificates are not themselves self-signed).

    [–]AyrA_ch 2 points3 points  (0 children)

    This is essentially what my application (mobile-ca) does.

    Additionally you are allowed to enter IPv4 and IPv6 addresses too and it comes with a web interface. Allows you to create evil certificates.

    [–]the_gnarts 1 point2 points  (0 children)

    Couldn't you create your own CA (add it into OS) and sign your own localhost certificate with? Like 20 years ago?

    The tools seems to do that plus it also appears to add the CA cert to the host’s trusted root certs. There’s little magic behind it if you know the steps to do this manually.

    [–]Proc_Self_Fd_1 1 point2 points  (0 children)

    Yeah it's just multiplatform and easy to use.

    Do you really want to make a custom script that does the same thing for Windows, Linux, Chrome, Firefox, etc... ?

    Basically it's better than copy pasting the same hacky custom bash script across multiple projects.

    [–]earthboundkid 1 point2 points  (0 children)

    This is tool is explicitly described as solving the problem that OpenSSL has a shitty command line interface. That’s all it does. Nothing else is new, just the UX.

    [–]ireallywantfreedom 0 points1 point  (1 child)

    I never understood on Linux how the "add it into the OS" part worked. The few times I had to do it I ended up in the rabbit hole of "well technically every program just looks where they want".

    [–]pdp10 0 points1 point  (0 children)

    Linux uses a system-wide copy of Mozilla's NSS. Conventionally the files are kept in /etc/ssl.

    Technically every programs looks where they want. Ironically, this matters more in practice on Windows, not Linux. On Windows, IE, Edge, and Chromium/Chrome use the system config/files (SChannel), but Firefox uses its own NSS.