labs / tiddlers / content / labs / lab11 / _Labs_11_Install mkcert CA
<>If you are using the Linux lab desktop machines then you should skip to step 9 --- most of these instructions are about installing mkcert on your own computers --- it has already been installed on the Linux lab machines so skip ahead.
  1. Download a copy of mkcert from:

    • Windows users should download mkcert-v1.4.4-windows-amd64.exe
    • Linux users should download mkcert-v1.4.4-linux-amd64. NOTE: mkcert is already installed on the Linux lab machines --- you don't need to install it yourself.
    • Mac (Intel CPU) should download mkcert-v1.4.4-darwin-amd64
    • Mac (M1 ARM CPU) should download mkcert-v1.4.4-darwin-arm64 from the labs section of Blackboard. We have created a build for your CPU, but we don't have an M1 Mac to test it with. If you do get this working on an M1 then let us know.
  2. Create an mkcert folder in your <> folder. Copy the mkcert file that you downloaded into this folder.

  3. Rename the file that you copied to mkcert to make it easier to type into a terminal since mkcert is a terminal application.

  4. Open the <> folder in a terminal.

  5. Generate and install the CA certificate using the following command.

    Windows Users (via PowerShell)

    $env:CAROOT = pwd; $env:TRUST_STORES = 'system'; .\mkcert.exe -install

    Mac Users

    chmod u+x mkcert
    CAROOT=$(pwd) TRUST_STORES=system ./mkcert -install

    Mac users may need to jump through the usual hoops with the Security & Privacy settings to run the command.

    Linux Users

    chmod u+x mkcert
    CAROOT=$(pwd) TRUST_STORES=system,nss ./mkcert -install

    The chmod command is needed (Mac/Linux only) since the file is not currently executable. This adds the executable mode to the file.

    Leave the terminal window open since we will be using it again very soon.

  6. You should see two new files in the mkcert folder. These are the new CA certificate and the private key for the certificate.

  7. Restart your web browser so that it will pick up the new CA certificate.

  8. You can check if the new CA certificate has been added to your system as follows:


    Run certmgr.msc. You should see the mkcert certificate under <


    Note that Firefox is not currently supported by mkcert under Windows, so you will need to use Chrome (or one of the Chrome derivatives) for the remainder of this exercise.


    ls -l /etc/ssl/certs/mkcert*


    Use the 'Keychain Access' application. Search for mkcert.

  9. You can check that your browser is picking up the CA certificate.ChromeEnter the following into the location bar:
    Look in the <> tab. You should find org-mkcert development CA in the list.VivaldiClick the padlock to the left of the URL in the browser and click <> --- it is likely already selected, but click it again to get to the main security settings. Then click < Manage Certificates > Authorities">>.You should find org-mkcert development CA in the list.FirefoxEnter the following into the location bar:
    Then click the <> tab. You should see an entry that starts with mkcert in the list.<> Note that mkcert does not currently support Firefox on Windows --- use Chrome, or a Chrome derivative if you are a Windows user.