[GH-ISSUE #182] Running mkcert -install as root on Linux doesn't install into the Java trust store #115

New issue

Closed

opened 2026-02-25 22:32:39 +03:00 by kerem · 3 comments

kerem commented

2026-02-25 22:32:39 +03:00

Owner

Originally created by @darioseidl on GitHub (Jul 29, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/182

Probably a user error, but maybe the documentation/output could be improved.

I used mkcert successfully on my local machine, then tried the same on our CI server (Debian stretch) and got:

root@ci:~# export JAVA_HOME="$(dirname $(dirname $(readlink -f $(which java))))"
root@ci:~# echo $JAVA_HOME 
/usr/lib/jvm/java-11-openjdk-amd64
root@ci:~# mkcert -install
Using the local CA at "/root/.local/share/mkcert" ✨
The local CA is now installed in the system trust store! ⚡️

No mention of the java trust store. It would be good if there was some output/warning about what went wrong. It took me a while to figure out that apparently I shouldn't run mkcert as root. Running the same commands as a different user works (and asks for sudo password).

Btw. when running mkdir -install a second time, there is also no mention of the java trust store.

First time:

user@ci:~$ mkcert -install
Using the local CA at "/home/user/.local/share/mkcert" ✨
Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work.
You can also manually install the root certificate at "/home/user/.local/share/mkcert/rootCA.pem".
The local CA is now installed in Java's trust store! ☕️

Second time:

user@ci:~$ mkcert -install
Using the local CA at "/home/user/.local/share/mkcert" ✨
Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work.
You can also manually install the root certificate at "/home/user/.local/share/mkcert/rootCA.pem".

Originally created by @darioseidl on GitHub (Jul 29, 2019). Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/182 Probably a user error, but maybe the documentation/output could be improved. I used `mkcert` successfully on my local machine, then tried the same on our CI server (Debian stretch) and got: ``` root@ci:~# export JAVA_HOME="$(dirname $(dirname $(readlink -f $(which java))))" root@ci:~# echo $JAVA_HOME /usr/lib/jvm/java-11-openjdk-amd64 root@ci:~# mkcert -install Using the local CA at "/root/.local/share/mkcert" ✨ The local CA is now installed in the system trust store! ⚡️ ``` No mention of the java trust store. It would be good if there was some output/warning about what went wrong. It took me a while to figure out that apparently I shouldn't run `mkcert` as root. Running the same commands as a different user works (and asks for `sudo` password). Btw. when running `mkdir -install` a second time, there is also no mention of the java trust store. First time: ``` user@ci:~$ mkcert -install Using the local CA at "/home/user/.local/share/mkcert" ✨ Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work. You can also manually install the root certificate at "/home/user/.local/share/mkcert/rootCA.pem". The local CA is now installed in Java's trust store! ☕️ ``` Second time: ``` user@ci:~$ mkcert -install Using the local CA at "/home/user/.local/share/mkcert" ✨ Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work. You can also manually install the root certificate at "/home/user/.local/share/mkcert/rootCA.pem". ```

kerem

2026-02-25 22:32:39 +03:00

closed this issue
added the
waiting for info
label

kerem commented

2026-02-25 22:32:39 +03:00

Author

Owner

@FiloSottile commented on GitHub (Aug 16, 2019):

I think all you are seeing is that -install does not print anything if the certificate is already installed. Otherwise, it's a bug. Can you check with v1.4.1 when it comes out later today? I added "already installed" messages.

BTW, the "not yet supported on this Linux" is #188, fixed now.

@FiloSottile commented on GitHub (Aug 16, 2019): I _think_ all you are seeing is that `-install` does not print anything if the certificate is already installed. Otherwise, it's a bug. Can you check with v1.4.1 when it comes out later today? I added "already installed" messages. BTW, the "not yet supported on this Linux" is #188, fixed now.

kerem commented

2026-02-25 22:32:39 +03:00

Author

Owner

@darioseidl commented on GitHub (Aug 19, 2019):

Thanks, I'll give it a try. v1.4.1 is not out yet, is it?

@darioseidl commented on GitHub (Aug 19, 2019): Thanks, I'll give it a try. v1.4.1 is not out yet, is it?

kerem commented

2026-02-25 22:32:39 +03:00

Author

Owner

@darioseidl commented on GitHub (Jul 7, 2020):

I tried it now with v1.4.1 (sorry for the long delay) and I get a message The local CA is already installed in Java's trust store! 👍, so this is fixed.

@darioseidl commented on GitHub (Jul 7, 2020): I tried it now with v1.4.1 (sorry for the long delay) and I get a message `The local CA is already installed in Java's trust store! 👍`, so this is fixed.