How to create locally signed SSL certificates with mkcert


If you need to generate quick SSL certificates for test servers and services, mkcert might be the fastest option available. Jack Wallen shows you how to use this handy tool.



When you deploy websites and services, you almost always depend on SSL certificates to add a layer of assurance to those who connect to those deployments. For anything in production, you’ll be purchasing your SSL certificates from a certificate authority; otherwise, you’re not really giving those users much assurance.

However, for testing purposes, there’s no reason to purchase those certificates from an authority (at least not until you’re ready to move to production). For those instances, I like to generate locally signed certificates. 

There are a few tools available for Linux to create self-signed certificates, one of which is mkcert. 


I want to walk you through the process of creating a locally signed certificate with mkcert. I’ll be demonstrating on Ubuntu Server 20.04.

What you’ll need

In order to re-create what I’m about to do, you’ll need a running instance of Ubuntu Server and a user with sudo privileges. That’s it. Let’s get to work.

How to install mkcert

The first thing to do is install mkcert. Before you do that, you need to install a couple of dependencies with the command:

sudo apt-get install wget libnss3-tools -y

Next, download the necessary mkcert file with:


Move and rename the file into /usr/bin with:

sudo mv mkcert-v1.4.3-linux-amd64 /usr/bin/mkcert

Give the file executable permissions with the command:

sudo chmod +x /usr/bin/mkcert

Verify the installation with:

mkcert --version

You should see the release number printed out in the terminal.

How to generate your first SSL certificate

We can now generate our first local CA certificate with the command:

mkcert -install

The above command will generate your new CA certificate without you needing to input a single bit of information. The certificate will be saved into the local store, which you can locate with the command:

mkcert -CAROOT

You should see something like:


Next, we’ll generate a certificate for a test website we’ll call trtest at IP address with the command:

mkcert trtest localhost ::1

The output of the above command should include:

Created a new certificate valid for the following names 📜
 - "trtest"
 - "localhost"
 - ""
 - "::1"

The output will also include the location of the newly created pem file as in:

The certificate is at "./trtest+3.pem" and the key at "./trtest+3-key.pem"

You can then copy the pem files to a directory your test web server can read and configure the server to use them. For example, you might move the trtest+3.pem and trtest+3-key.pem files to the /var/www/html/certs/ directory. With NGINX, the configuration lines might look like:

ssl_certificate /var/www/html/certs/trtest+3.pem;
ssl_certificate_key /var/www/html/certs/trtest+3-key.pem;
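
Before reloading the web server, it is worth confirming that the key matches the certificate, that the certificate chains to your local CA, and that the private key is neither readable by other accounts nor stored where the server publishes files. The script below is an added example, not part of the original article or of mkcert; it assumes OpenSSL 1.1.0 or later, and the function names and argument order are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a mkcert certificate/key pair.
# Function names and argument order are assumptions made for this example.

# True when the certificate and the private key carry the same public key.
pair_matches() {      # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate verifies against the given CA certificate only
# (-no-CApath keeps the system trust directory out of the decision).
signed_by() {         # $1 = CA certificate, $2 = certificate
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the key file grants no permissions to group or others.
key_is_private() {    # $1 = private key
    [ -f "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# True when the key is stored outside the directory the web server publishes.
key_outside_root() {  # $1 = private key, $2 = document root
    key_dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    root_dir=$(cd "$2" && pwd -P) || return 1
    case "$key_dir/" in "$root_dir"/*) return 1 ;; esac
    return 0
}

# Runs every check, prints one line per failure, returns the failure count.
check_pair() {        # $1 = cert, $2 = key, $3 = CA cert, $4 = document root
    fails=0
    pair_matches "$1" "$2"     || { echo "FAIL: key does not match $1"; fails=$((fails + 1)); }
    signed_by "$3" "$1"        || { echo "FAIL: $1 is not signed by $3"; fails=$((fails + 1)); }
    key_is_private "$2"        || { echo "FAIL: $2 is accessible by group or others"; fails=$((fails + 1)); }
    key_outside_root "$2" "$4" || { echo "FAIL: $2 sits under document root $4"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: the CA certificate is rootCA.pem in the directory printed by
# "mkcert -CAROOT"; the last argument is the root your server block uses.
#   check_pair ./trtest+3.pem ./trtest+3-key.pem "$(mkcert -CAROOT)/rootCA.pem" /var/www/html
```

On Ubuntu the default NGINX document root is /var/www/html, so a key kept in /var/www/html/certs/ fails the last check unless your server block uses a different root or denies access to that directory.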

And that’s all there is to generating a locally signed SSL certificate with the mkcert tool. If you need to create those certificates on the fly, mkcert is one of the easiest tools for the task.
