[GH-ISSUE #357] What is the process for installing in WSL2? #234

Closed
opened 2026-02-25 22:32:55 +03:00 by kerem · 18 comments
Owner

Originally created by @cheslijones on GitHub (Mar 20, 2021).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/357

I honestly can't say if the problem is with WSL2, Docker, Kubernetes, Minikube or mkcert, but I'm wondering: what is the installation process for WSL2? Should it be done Windows side, or should it be done inside WSL2?

I have the same process for my Linux partition and macOS. The deployment works fine on those two but not inside of WSL. The deployment is basically the following:

```
# Download and install mkcert
if [[ `uname` = "Darwin" ]]; then
    brew install mkcert
    brew install nss
else
    curl -Lo mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 && \
        sudo install mkcert /usr/local/bin/
fi

# Install the local CA into the system trust store
mkcert -install

# Generate the certificate and key for localhost
mkcert localhost 127.0.0.1 ::1

# Installing cert-manager locally
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml

# Add the certificates to secrets
kubectl create secret tls tls-localhost-dev --key=localhost+2-key.pem --cert=localhost+2.pem -n dev

# Create the tls service that will attach to ingress-nginx
kubectl apply -f k8s/dev/tls.yaml
```

At the end of this (on macOS and Linux), you should be able to spin-up the application, navigate to localhost and there is a valid TLS certificate.

Doesn't work on WSL2 however and while the error is Kubernetes related:

```
  Type     Reason         Age                  From          Message
  ----     ------         ----                 ----          -------
  Warning  ErrGetKeyPair  4m30s (x9 over 19m)  cert-manager  Error getting keypair for CA issuer: secret "tls-localhost-dev" not found
  Warning  ErrInitIssuer  4m30s (x9 over 19m)  cert-manager  Error initializing issuer: secret "tls-localhost-dev" not found
```

(tls-localhost-dev very clearly does exist, btw)...

I can't help but think it is an issue with WSL2 and the mkcert certificates. WSL2 does some weird stuff with networking to say the least.

Should mkcert not be used and certificates not installed directly in WSL2? Should they go into Windows itself?

kerem closed this issue 2026-02-25 22:32:55 +03:00

@rfay commented on GitHub (Mar 20, 2021):

If you want the windows-side browser to trust something that's in wsl2 you have to do a little bit. I think we have this pretty well dialed in in the instructions for ddev, https://ddev.readthedocs.io/en/latest/#installation-or-upgrade-windows-wsl2

What we do is create the CA on the Windows side and then tell WSL2 to use that one.


@cheslijones commented on GitHub (Mar 21, 2021):

Thanks for the documentation.

Unfortunately, I've been unable to get `mkcert` working for my use case and still run into the same issues when it comes to deploying the local dev k8s cluster. Likely going to have to chalk this up to another issue unique to WSL2 (given it works fine in Linux and macOS) and move on.

I'm pretty sure mkcert is doing what it needs to do, so I'll check with the cert-manager devs to see if they might have any ideas.


@cheslijones commented on GitHub (Mar 28, 2021):

Ok, got this figured out with some help:

- https://github.com/Microsoft/WSL/issues/3161#issuecomment-451863149
- https://ddev.readthedocs.io/en/latest/#installation-or-upgrade-windows-wsl2
- https://www.haveiplayedbowie.today/blog/posts/secure-localhost-with-mkcert/

This is what worked for my use case. Granted, I didn't test it without installing `mkcert` into WSL, so that step may not be necessary:

1. Use `choco` to install `mkcert`: `choco install -y mkcert`
2. In Windows, `mkcert -install`
3. WSL install `mkcert` (again, not 100% sure this is necessary):
   ```
   curl -Lo mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 &&
      sudo install mkcert /usr/local/bin/
   ```
4. In WSL, `mkcert -install` (again, not 100% sure this is necessary)
5. In Windows:
   ```
   mkcert localhost 127.0.0.1 ::1
   ```
6. This will generate them in your `C:\Users\<user>\` directory by default
7. Copy them into WSL, which for my use case is the root of my project
8. Then for my use case I run:
   ```
   kubectl create secret tls tls-localhost-dev --key=localhost+2-key.pem --cert=localhost+2.pem -n dev
   ```
9. For my use case, I then run `kubectl apply -f k8s/dev/tls.yaml` which contains:
   ```
   apiVersion: cert-manager.io/v1
   kind: Issuer
   metadata:
     name: letsencrypt-dev-issuer
     namespace: cert-manager
   spec:
     ca:
       secretName: tls-localhost-dev
   ---
   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: letsencrypt-dev-certificate
     namespace: cert-manager
   spec:
     secretName: tls-localhost-dev
     dnsNames:
       - localhost
     issuerRef:
       name: letsencrypt-dev-issuer
       kind: Issuer
   ```

This time after running `skaffold dev`, and `minikube tunnel`, my app is running with the TLS certificates like it should be.


@ronilaukkarinen commented on GitHub (Apr 12, 2021):

I'd also like to know how to get certs to work with Windows development environment. I installed mkcert like this:

```shell
sudo apt update
sudo apt install linuxbrew-wrapper -y
brew update
brew install mkcert

# Just to make sure it's installed:
brew install mkcert

sudo ln -s /home/linuxbrew/.linuxbrew/bin/mkcert /usr/local/bin/mkcert
sudo chmod +x /usr/local/bin/mkcert
```

And then got mkcert certificate with:

```
mkcert site.test
```

But in the browser it's not a valid cert.

Any tips on how to get the cert green here?


@siruku6 commented on GitHub (Aug 28, 2022):

I got an error by `sudo apt install linuxbrew-wrapper -y` on wsl2.
But could resolve by following [this article](https://www.how2shout.com/linux/how-to-install-brew-ubuntu-20-04-lts-linux/).

# Environment

I'm using ubuntu20.04.

```bash
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal
```

# Error

```bash
$ sudo apt update
Hit:1 https://download.docker.com/linux/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:4 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:5 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
265 packages can be upgraded. Run 'apt list --upgradable' to see them.
$ sudo apt install linuxbrew-wrapper -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package linuxbrew-wrapper
```

# Resolution

```bash
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
==> Checking for `sudo` access (which may request your password)...
==> This script will install:
/home/linuxbrew/.linuxbrew/bin/brew
...

$ eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
$ brew -v
Homebrew 3.5.10
Homebrew/homebrew-core (git revision 1416126cc23; last commit 2022-08-28)
$ brew doctor
Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: "config" scripts exist outside your system or Homebrew directories.
`./configure` scripts often look for *-config scripts to determine if
software packages are installed, and which additional flags to use when
compiling and linking.

Having additional scripts in your path can confuse software installed via
Homebrew if the config script overrides a system or Homebrew-provided
script of the same name. We found the following "config" scripts:
  ~/.pyenv/shims/python-config
  ~/.pyenv/shims/python3-config
  ~/.pyenv/shims/python3.9-config
$ brew install mkcert
==> Downloading https://ghcr.io/v2/homebrew/core/mkcert/manifests/1.4.4
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/mkcert/blobs/sha256:f674faa8be61e225ae604b2ffe215927f6ecbc992aac75e769185862820d2881
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:f674faa8be61e225ae604b2ffe215927f6ecbc992aac75e769185862820d2881?se=2022-08-28T02%3A50%3A00Z&sig=kAx
######################################################################## 100.0%
==> Pouring mkcert--1.4.4.x86_64_linux.bottle.tar.gz
🍺  /home/linuxbrew/.linuxbrew/Cellar/mkcert/1.4.4: 6 files, 3.2MB
==> Running `brew cleanup mkcert`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
$ sudo ln -s /home/linuxbrew/.linuxbrew/bin/mkcert /usr/local/bin/mkcert
$ sudo chmod +x /usr/local/bin/mkcert
$ mkcert --version
v1.4.4
```

And I recommend to set `eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"` in `.bashrc`.


@ledunguit commented on GitHub (Mar 13, 2023):

For anyone who is facing this issue, the steps to use mkcert in WSL2 and have it trusted by the Windows side:

1. Install mkcert in WSL2 as usual
2. Run command: `mkcert -install` from WSL2
3. Copy the root CA certificate from `/usr/local/share/ca-certificates` to any directory on Windows, for example I will copy to the `D:` drive on Windows:
   `cp /usr/local/share/ca-certificates/mkcert_development_CA_257563636493456315191321627148517461377.crt /mnt/d/`
4. Double click to open the cert in the `D:\mkcert_development_CA_257563636493456315191321627148517461377.crt`. Install it to `Trusted Root Certification Authorities`
   ![image](https://user-images.githubusercontent.com/64201705/224801846-70e727d0-d588-4b19-8d96-d74022659044.png)
5. Open RUN with command `Windows + R` and paste `certmgr.msc` and verify it from the list like in the bottom image
   ![image](https://user-images.githubusercontent.com/64201705/224800758-333259a9-d8e0-4ad0-b98b-7f9bb5ae7ffb.png)
6. From now, you can use mkcert in the WSL2 environment to create certificates for your site and the cert will be trusted by Windows and browser environment.

@AlexErrant commented on GitHub (Mar 16, 2023):

@ledunguit's advice worked for me. You may skip the `cp` step by opening e.g. `\\wsl$\Ubuntu-20.04\usr\local\share\ca-certificates` in `explorer.exe` and double-clicking the cert there.

And to be explicit, on step 4, choose the option `Place all certificates in the following store` and select `Trusted Root Certification Authorities`.


@shinzoke commented on GitHub (May 29, 2023):

Eugh finally! The 2 comments above me finally created the solution I needed after breaking my head over the certificates I needed for my use case, pretty new to wsl too 😀


@ToshY commented on GitHub (Nov 28, 2023):

@ledunguit @AlexErrant

I'm on Win 11 22h2 and I don't have a default program to open .pem file created by mkcert -install. What's the "program" that gives the pop-up with the "Install certificate" button?


@ledunguit commented on GitHub (Nov 28, 2023):

@ToshY Can you please take a screenshot of what happened when you double-clicked the cert? I am also using Win 11 22H2.


@ToshY commented on GitHub (Nov 28, 2023):

Hey @ledunguit 👋

Either way when clicking it in explorer from the WSL path, as well as copying the certificate to my C drive, both give the same result.

![image](https://github.com/FiloSottile/mkcert/assets/31921460/0db2e295-e7ad-4b0c-8b1e-a7cdcb938f9a)

I'm not sure, but it seems that it doesn't automatically recognize the `.pem` files as certificates that can be installed, and therefore doesn't have a default program to "open" the files?


@ledunguit commented on GitHub (Nov 28, 2023):

@ToshY Ok, I see. Your certificate is in PEM format, not CRT. You can import the rootCA.pem using various methods. One of them is outlined here: https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate


@ToshY commented on GitHub (Nov 28, 2023):

@ledunguit Thanks for the link!

I'm just curious now how did you perform a `mkcert -install` and get a `.crt` from it? I don't really see options/docs that show how to achieve that, and from what I can see from the [README](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installing-the-ca-on-other-systems) it also shows `rootCA.pem` as default output from `mkcert -install`. 🤔


@AlexErrant commented on GitHub (Nov 28, 2023):

Looks like it depends on some paths existing and therefore maybe what distro you're on: https://github.com/FiloSottile/mkcert/blob/2a46726cebac0ff4e1f133d90b4e4c42f1edf44a/truststore_linux.go#L36-L48

I'm on Ubuntu-20.04


@ToshY commented on GitHub (Nov 28, 2023):

As mkcert -CAROOT shows for me /home/user/.local/share/mkcert, which contains rootCA.pem and rootCA-key.pem. This is, according to the docs the certificates you should use for installing on other systems.

But now I finally see that both the snippet @AlexErrant shows, as well as the original comment from @ledunguit, show references to /usr/local/share/ca-certificates/ directory, which I also have and contains the mkcert_development_CA_<123456>.crt.

Now I've done a quick sha256sum on both the /home/user/.local/share/mkcert/rootCA.pem and /usr/local/share/ca-certificates/mkcert_development_CA_<123456>.crt, and surprise-surprise, it's the same 🤦‍♂️

This is on me for not reading your suggestions better 😞


What I did find, after trying to open the `.crt`, is that it uses an application called "Crypto Shell Extensions", but by default it doesn't associate with `.pem`. So I found this [snippet](https://social.technet.microsoft.com/Forums/ie/en-US/b83125dd-5152-4044-9bf2-a1847d4e7d8a/default-program-crypto-shell-extensions) which actually fixes it.

`add-pem-as-cert.reg`

```reg
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.pem]
@="CERFile"
"Content Type"="application/x-x509-ca-cert"
```

After executing, I can double-click the .pem file, and get the same pop-up to install the certificate 😄


@marveloo commented on GitHub (Jan 22, 2025):

Installing `mkcert` root certificate into the Windows certificate store can be done by running this in **Linux** shell:

```
certutil.exe -user -addstore root "$(wslpath -w "$(mkcert -CAROOT)/rootCA.pem")"
```

I believe the developers of mkcert could integrate this (or a similar) command into the mkcert -install process. It would be a convenient feature for WSL users 😎.


@ToshY commented on GitHub (Jan 22, 2025):

> Installing `mkcert` root certificate into the Windows certificate store can be done by running this in **Linux** shell:
>
> ```
> certutil.exe -user -addstore root "$(wslpath -w "$(mkcert -CAROOT)/rootCA.pem")"
> ```
>
> I believe the developers of `mkcert` could integrate this (or a similar) command into the `mkcert -install` process. It would be a convenient feature for WSL users 😎.

This is awesome ❤ It would be even better if the pop-up security warning can be automatically confirmed, but it still beats following the manual steps. Thanks!


@airtonix commented on GitHub (Mar 20, 2025):

> ```
> certutil.exe -user -addstore root "$(wslpath -w "$(mkcert -CAROOT)/rootCA.pem")"
> ```

This only works if you've not optimised the speed of your WSL2 instance by disabling the ability to run windows commands from within wsl2.

My concession is to do the following :

```sh
#!/bin/bash
# Detect WSL from the kernel string reported by uname
is_wsl=$(uname -a | grep -q WSL && echo true || echo false)

echo "Generated self-signed certificate"
echo "> You'll be prompted for your machine login sudo password"
echo "> This is required to add the root CA certificate to your keychain"
echo " "
mkcert -install > /dev/null 2>&1
mkcert "you.localhost" "*.you.localhost"

# On WSL, copy the root CA certificate (never the key) to the Windows side
if [ "$is_wsl" == "true" ]; then
  echo " "
  echo "Copying certificate to Windows"

  # Match only the mkcert root so another CA in this directory is never picked
  cert_name=$(ls /usr/local/share/ca-certificates/mkcert_development_CA_*.crt | head -n 1)
  echo "Copying Root CA certificate to Windows"
  echo " cert name: $cert_name"
  echo " to: /mnt/c/Users/$USER/Downloads/"

  # Quoted so paths with spaces survive; assumes the Windows user name equals $USER
  cp "$cert_name" "/mnt/c/Users/$USER/Downloads/"

  # Quoted heredoc keeps the UNC path's backslashes intact
  cat <<'EOF'

    NEXT STEPS:
      1. Open the certificate file in Windows
        a. super/windows/cmd + e
        b. press ctrl + l
        c. type: \\wsl.localhost\Ubuntu-22.04\usr\local\share\ca-certificates
        d. press enter
        e. Double click the certificate file

      2. Click Install Certificate
      3. Select Local Machine
      4. Select Place all certificates in the following store
      5. Click Browse
      6. Select Trusted Root Certification Authorities
      7. Click OK

EOF
  exit 0
fi
```
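The checks discussed in the comments above (comparing `rootCA.pem` with the `.crt` copy by hash, then handing the certificate to Windows with or without interop), combined into one script as an added example; it is not code from the thread or from mkcert. The function names, the staged file name `mkcert-rootCA.crt` and the sample files are assumptions made for this example; only the certificate is copied, because `rootCA-key.pem` can sign certificates for any site and should stay inside WSL.

```shell
#!/bin/sh
# Added example: stage the mkcert root certificate for import on Windows.
# All function names and the staged file name are hypothetical.

# Hex SHA-256 of a file's bytes (the comparison done with sha256sum in the thread).
file_sha256() {
  sha256sum < "$1" | cut -d' ' -f1
}

# Succeeds only if the file holds a certificate and no private-key block.
is_cert_only() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# stage_root_ca CAROOT DEST_DIR [INSTALLED_COPY]
# Copies CAROOT/rootCA.pem to DEST_DIR/mkcert-rootCA.crt and prints its hash.
# Return codes: 2 missing input, 3 key material found, 4 hash mismatch.
stage_root_ca() {
  src_pem="$1/rootCA.pem"
  dest_crt="$2/mkcert-rootCA.crt"
  installed_copy="${3:-}"

  [ -f "$src_pem" ] && [ -d "$2" ] || { echo "missing $src_pem or $2" >&2; return 2; }
  is_cert_only "$src_pem" || { echo "refusing: key material in $src_pem" >&2; return 3; }

  want=$(file_sha256 "$src_pem")

  # Optional: the copy that mkcert -install placed in the distro trust
  # directory must be byte-identical to the CAROOT certificate.
  if [ -n "$installed_copy" ]; then
    [ -f "$installed_copy" ] || { echo "missing $installed_copy" >&2; return 2; }
    [ "$(file_sha256 "$installed_copy")" = "$want" ] ||
      { echo "hash mismatch: $installed_copy" >&2; return 4; }
  fi

  cp -- "$src_pem" "$dest_crt" || return 2
  if [ "$(file_sha256 "$dest_crt")" != "$want" ]; then
    rm -f -- "$dest_crt"
    echo "hash mismatch after copy" >&2
    return 4
  fi
  printf '%s\n' "$want"
}

# Import the staged certificate with the certutil.exe command from the thread
# when Windows interop is available; otherwise report that a manual import
# through the certificate wizard is needed (return code 10).
trust_in_windows() {
  if command -v certutil.exe >/dev/null 2>&1 && command -v wslpath >/dev/null 2>&1; then
    certutil.exe -user -addstore root "$(wslpath -w "$1")"
  else
    echo "interop unavailable: import $1 manually into Trusted Root Certification Authorities" >&2
    return 10
  fi
}

# Constructed sample CAROOT for an offline dry run: placeholder text, not real keys.
make_sample_caroot() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-SAMPLE-NOT-A-REAL-CERT' \
    '-----END CERTIFICATE-----' > "$1/rootCA.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY' \
    '-----END PRIVATE KEY-----' > "$1/rootCA-key.pem"
}

# Real use from WSL (the Windows user name is a placeholder):
#   staged=/mnt/c/Users/<user>/Downloads
#   stage_root_ca "$(mkcert -CAROOT)" "$staged" &&
#     trust_in_windows "$staged/mkcert-rootCA.crt"
```

The value printed is a SHA-256 of the PEM file, which is useful for comparing copies; the Thumbprint shown in `certmgr.msc` is the SHA-1 of the DER-encoded certificate, so check that against `openssl x509 -noout -fingerprint -sha1 -in rootCA.pem` instead.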