This blog uses Let's Encrypt + to deploy HTTPS certificates, which has been running stably for a long time. Recently, when doing research related to browser fingerprinting, we found that the local HTTP environment cannot directly call some APIs, which is the Secure Context restriction mentioned in the previous article, this article will introduce a convenient solution to deploy self-signed HTTPS certificates in the local Web environment.

mkcert is a simple tool for making local self-signed HTTPS certificates that is very easy to use and does not even require additional configuration information.

Installing mkcert

Take macOS system as an example, you can install mkcert tool directly through Homebrew.

brew install mkcert

Create and install root certificate for local environment

mkcert -install

The root certificate rootCA-key.pem, rootCA.pem will be installed in ~/Library Application Support/mkcert. This root certificate will be automatically installed on PC systems and browsers by default.

Create HTTPS certificate for domain or IP

mkcert # Create IP certificate
mkcert # Or create a domain certificate

After execution, {ip or domain}-key.pem and {ip or domain}.pem files will be generated in the current directory.

Configure the web server

Using Nginx as an example, add a configuration item to the http or server node of the Nginx configuration file.

listen 443 ssl
ssl_certificate {ip or domain}.pem;
ssl_certificate_key {ip or domain}-key.pem;

Installing root certificate on mobile devices

After the above operation is finished, the root certificate will be installed on PC by default when mkcert -install is finished, PC browser can access local web directly through HTTPS protocol, while for mobile devices you need to install the root certificate first to access normally.

for use on iOS

Access the rootCA.pem file generated by the above process via HTTP protocol on the Safari browser. Follow the system prompts to install the root certificate.

for use on Android

Some Android models can refer to iOS method to install, but some other Android models may not recognize the pem format file. In this case, first download rootCA.pem to your phone file system; open system settings, find the setting item like Security - Credential Management, and choose to install the certificate from storage device.