Last active July 2, 2024 03:58
Generating trusted SSL keys for development

Generating SSL keys for development


Thanks to minica, it is very easy to create trusted SSL certificates that have a very long expiration date.

In order to get started you have to have the Go tools installed and set up correctly in your environment.


Once that is done you should adapt to fit your needs. There should be an entry for each domain you want to create a certificate for, and every subdomain must be listed explicitly, since the certificate is not a wildcard one.

The rm -rf line is there because minica doesn't overwrite existing certificates.

For example, if your development server needs to listen to the entry for it should be

rm -rf
minica --domains,

After that you can simply run and the certificates will be generated.

After the run there will be a new folder containing a cert.pem and a key.pem file. Those can be referenced in the configuration of the webserver.

# the cert files and key location
SSLCertificateFile /etc/apache2/certs/
SSLCertificateKeyFile /etc/apache2/certs/

Change the paths to match the ones specified.

Restarting the webserver will still show you that the certificates are invalid. That's because the root authority has not yet been trusted.

Trusting minica

In the root folder, right next to file you will find two new files: minica.pem (the certificate) and minica-key.pem (the key). These files contain the certificate and key needed to add minica as a Trusted Root Certification Authority on your local machine; the certificate needs to be added to your local keystore.


The steps on Windows are pretty easily achieved (props to

  1. start mmc.exe as Admin
  2. File > Add/Remove Snap-in...
  3. Look for the Certificates Snap-in and Add > it
  4. Choose Computer Account when prompted and hit Finish
  5. Mark the Trusted Root Certification Authorities entry in the tree and right click it. In the context menu choose All Tasks > Import...
  6. Navigate to the folder where minica.pem is located. Don't worry about the file extension, just choose to display all files.
  7. Select minica.pem, choose Open and leave the following options as is.
  8. Look for an entry starting with minica root ca in the list.
  9. Restart your browsers.

Your certificates are now trusted.


On Mac it is not much work, see here

  1. open Keychain Access
  2. File > Import Items...
  3. Select minica.pem
  4. Right click on minica root ca and choose Get Info
  5. Open Trust and select Always Trust under When using this certificate
  6. Restart your browsers.

Your certificates are now trusted.

Linux (Debian/Ubuntu)

Also have a look here:


Install the root certificate on your system

sudo cp minica.pem /usr/local/share/ca-certificates/minica.crt
sudo chmod 644 /usr/local/share/ca-certificates/minica.crt
sudo update-ca-certificates

Verify your system utilities like curl or wget recognize the certificate:

curl -v 2>&1 | grep -i 'minica root'

Browser (Firefox, Chromium,...)

Unlike Mac, Linux has no single trust store that every application uses; NSS-based browsers keep their own certificate databases.

Instead of adding the certificate manually in each application, lazy developers use a script.

First install the certutil tool.

sudo apt install libnss3-tools

This script finds the NSS trust store databases in your home directory and imports the new root certificate into each of them.


### Script installs minica.pem to certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Mozilla uses cert8, Chromium and Chrome use cert9

### Requirement: apt install libnss3-tools

### CA file to install (customize!)
### Retrieve Certname: openssl x509 -noout -subject -in minica.pem

certfile="minica.pem"
certname="minica root ca"

### Trust flags -t "TCu,Cu,Tu" are SSL,S/MIME,code-signing:
### C = trusted CA, T = trusted CA for client auth, u = user certificate

### For cert8 (legacy - DBM)

find ~/ -name "cert8.db" 2>/dev/null | while IFS= read -r certDB; do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "dbm:${certdir}"
done

### For cert9 (SQL)

find ~/ -name "cert9.db" 2>/dev/null | while IFS= read -r certDB; do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i "${certfile}" -d "sql:${certdir}"
done

Restart your browsers.

Your certificates are now trusted.
