
Create a self-signed SSL certificate and update Keychain Access on macOS
Easily create a self-signed SSL certificate and update Keychain Access on macOS using the terminal.
Creating a self-signed SSL certificate and updating Keychain Access on macOS can be tricky. With mkcert, the process is straightforward.
How to create a self-signed certificate with the command line?
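We’ll use a simple tool called mkcert to make locally trusted development certificates. mkcert creates a local certificate authority (CA), installs its root certificate in the system trust store (Keychain Access on macOS), and issues certificates signed by that CA. Here are the steps: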
Install mkcert using brew:
brew install mkcert
brew install nss # if you use Firefox
Generate a self-signed certificate for your local domain:
mkcert --client --install localhost.example.com
This should generate the files ./localhost.example.com-client-key.pem and ./localhost.example.com-client.pem:
john@MacBook ~ % mkcert --client --install localhost.example.com
The local CA is already installed in the system trust store!
The local CA is already installed in the Firefox trust store!

Created a new certificate valid for the following names
 - "localhost.example.com"

The certificate is at "./localhost.example.com-client.pem" and the key at "./localhost.example.com-client-key.pem"

It will expire on 20 July 2025
That’s all.
Verify your certificate
You can verify your certificate with the following command:
openssl x509 -in localhost.example.com-client.pem -text -noout
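The command above only prints the certificate. As an added example (not part of the original article), the shell function below checks the properties that decide whether the certificate will actually work: it chains to the local CA, its subjectAltName covers the hostname, the private key matches, and it is not about to expire. It assumes openssl is on the PATH and that the CA certificate is the rootCA.pem file in the directory printed by mkcert -CAROOT; the function name check_dev_cert is made up for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article.
# Usage: check_dev_cert CERT KEY HOSTNAME CA_CERT [MIN_DAYS]
# e.g.   check_dev_cert localhost.example.com-client.pem \
#            localhost.example.com-client-key.pem localhost.example.com \
#            "$(mkcert -CAROOT)/rootCA.pem"      # CA path is an assumption
check_dev_cert() (
    cert=$1; key=$2; host=$3; ca=$4; min_days=${5:-30}
    rc=0
    pass() { echo "ok:   $1"; }
    fail() { echo "FAIL: $1"; rc=1; }

    # 1. The leaf must chain to the local CA that the trust store holds.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    then pass "issued by $ca"
    else fail "not issued by $ca"
    fi

    # 2. Modern browsers match the hostname against subjectAltName, not the CN.
    #    Exact match only; wildcard names are not expanded here.
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
           awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }' |
           tr ',' '\n')
    if printf '%s\n' "$sans" | grep -Fxq "DNS:$host"
    then pass "SAN covers $host"
    else fail "SAN does not cover $host"
    fi

    # 3. Nginx refuses to start if the private key does not match the cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
    then pass "private key matches certificate"
    else fail "private key does not match certificate"
    fi

    # 4. -checkend exits non-zero if the cert expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1
    then pass "valid for at least $min_days more days"
    else fail "expires within $min_days days"
    fi

    exit "$rc"   # the function body is a subshell, so this only ends the function
)
```

The function returns 0 only when all four checks pass, so it can gate a script that reloads Nginx.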
Updating Nginx configuration
Those who use Nginx may want to update the configuration. Example:
server {
    listen *:443 ssl http2;
    root /var/www/example;
    server_name localhost.example.com;
    ssl_certificate /path/to/certificate/localhost.example.com-client.pem;
    ssl_certificate_key /path/to/certificate/localhost.example.com-client-key.pem;
}
If Nginx was installed using brew, don’t forget to restart it:
brew services restart nginx
Does using mkcert for local development certificates ensure compatibility with all major browsers, including Safari and Firefox on macOS?
Mkcert uses the system's certificate store to install the root certificate, which allows browsers to trust certificates generated by mkcert.
Mkcert is compatible with most major browsers, including Chromium-based browsers (Chromium, Edge, Opera, etc.) and Firefox.
For Safari on macOS, mkcert works by installing the root certificate in the system's keychain. Since Safari uses the system's certificate store, mkcert-generated certificates should work seamlessly with Safari.
For Firefox on macOS, you need to configure Firefox to use the system's certificate store. By default, Firefox uses its own certificate store. However, you can configure it to use the system's certificate store by going to about:config, searching for security.enterprise_roots.enabled, and setting it to true. Once you've done this, mkcert-generated certificates should work with Firefox.
In general, mkcert is designed to work with most browsers on macOS, including Safari and Firefox, as long as the root certificate is installed in the system's certificate store and the browser is configured to use it.