[GH-ISSUE #390] Is it suitable for web applications on an internal company LAN? #258

Closed
opened 2026-02-25 22:32:58 +03:00 by kerem · 3 comments
Owner

Originally created by @haorein on GitHub (Aug 2, 2021).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/390

I'm facing a situation where I'm setting up https communication for web applications that can only be accessed from the company intranet, and the certificate generated with mkcert worked perfectly. But I noticed that the last sentence of the readme says:

> Remember that mkcert is meant for development purposes, not production, so it should not be used on end users' machines

So, does mkcert still suit this case?

kerem closed this issue 2026-02-25 22:32:58 +03:00
Author
Owner

@rfay commented on GitHub (Aug 2, 2021):

You would be better to use a regular wildcard certificate that's "real". mkcert really is for development purposes (and requires telling the client-side browser to accept it, which is a fundamental security issue).

Get a wildcard cert :)

Author
Owner

@haorein commented on GitHub (Aug 2, 2021):

> You would be better to use a regular wildcard certificate that's "real". mkcert really is for development purposes (and requires telling the client-side browser to accept it, which is a fundamental security issue).
>
> Get a wildcard cert :)

@rfay Thank you for your advice! I just have one more question: why would installing the root certificate on the client side cause a security issue?

Author
Owner

@rfay commented on GitHub (Aug 2, 2021):

First, you're installing a root CA on the server (or several of them). But it's a root CA that has no validation at all, no controls, no nothing.

Second, you're allowing all the clients in your local network to trust a cert/CA that has no process behind it, so any bad actor can create new trusted certs.

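The point rfay makes in the comment above, shown end to end as an added example (this is not mkcert's code and not something either participant posted): whoever holds the private key of a root that clients trust can mint a certificate for any host name, including a public site, and `openssl verify` accepts it. The same script then builds a second, otherwise identical root that carries an X.509 Name Constraints extension limited to one internal DNS subtree, the standard mitigation for an internal CA, and shows that a certificate minted for a name outside that subtree no longer verifies. Everything here is assumed: the root is a stand-in generated locally (it only reuses the `rootCA.pem` / `rootCA-key.pem` file names), the host names `app.corp.example` and `accounts.example.com` are hypothetical, and the script needs the `openssl` CLI (1.1.1 or newer for `-addext`).

```shell
#!/bin/sh
# Added example, not mkcert's own code. Demonstrates rfay's point: a trusted
# root with no controls lets anyone holding its private key mint a cert for
# ANY host name, and every client that trusts the root accepts it. A root
# carrying a Name Constraints extension limits the blast radius to one DNS
# subtree. Host names and directory layout below are hypothetical; the root
# is a stand-in generated here so the script runs offline.
set -eu

# make_root DIR [PERMITTED_DNS_SUFFIX]
# Writes DIR/rootCA.pem and DIR/rootCA-key.pem (same file names mkcert uses
# for its root, but generated here). With a suffix such as ".corp.example"
# the root is name-constrained to that subtree; without one it is not.
make_root() {
  dir=$1; suffix=${2:-}
  if [ -n "$suffix" ]; then
    set -- -addext "nameConstraints=critical,permitted;DNS:$suffix"
  else
    set --
  fi
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=example dev CA/CN=example dev CA root" "$@" \
    -keyout "$dir/rootCA-key.pem" -out "$dir/rootCA.pem" 2>/dev/null
}

# mint_leaf DIR HOST
# What an attacker holding DIR/rootCA-key.pem can do: issue a server cert
# for HOST with no validation, no issuance policy and no audit trail.
mint_leaf() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/rootCA.pem" \
    -CAkey "$dir/rootCA-key.pem" -CAcreateserial -days 90 -sha256 \
    -extfile "$dir/$host.ext" -out "$dir/$host.pem" 2>/dev/null
}

# verify_leaf DIR HOST
# The check a client performs: does HOST's cert chain to the trusted root
# and satisfy its name constraints? Prints OK or FAIL.
verify_leaf() {
  dir=$1; host=$2
  if openssl verify -CAfile "$dir/rootCA.pem" "$dir/$host.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Demo: the unconstrained root accepts a forged cert for a public site;
# the name-constrained root only accepts names under .corp.example.
demo() {
  open=$(mktemp -d); constrained=$(mktemp -d)
  make_root "$open"
  make_root "$constrained" .corp.example
  for host in app.corp.example accounts.example.com; do
    mint_leaf "$open" "$host"
    mint_leaf "$constrained" "$host"
    printf '%-22s unconstrained=%s constrained=%s\n' "$host" \
      "$(verify_leaf "$open" "$host")" "$(verify_leaf "$constrained" "$host")"
  done
  rm -rf "$open" "$constrained"
}
demo
```

The first line of the demo output is the intranet case both roots handle; the second line is the risk rfay describes: with the unconstrained root, the forged `accounts.example.com` certificate verifies, while the constrained root rejects it. Name constraints reduce the damage from a leaked internal root but do not remove the need to protect its key, and a publicly trusted certificate avoids distributing any private root at all.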