[GH-ISSUE #461] SSL certificates not accepted in browser - Safari, chrome, firefox #295

New issue

Open

opened 2026-02-25 22:33:03 +03:00 by kerem · 12 comments

kerem commented 2026-02-25 22:33:03 +03:00

Owner

Copy link

Originally created by @lakshmajee on GitHub (Jul 10, 2022).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/461

Environment

• Operating system (including version): macOS Big Sur 11.6.7 (20G630)
• mkcert version (from mkcert -version): v1.4.4
• Server (where the certificate is loaded): Angular cli has in build serving mechanism to load SSL certs, https://angular.io/cli/serve
• Client (e.g. browser, CLI tool, or script): browser (Chrome, Safari, Firefox)

What you did

brew install mkcert
brew install nss
mkcert --install
mkcert localhost 127.0.0.1

After generating certificates, I attached them to angular cli. (It is able to detect the certificates at a given path)

ng serve --ssl \                   
  --ssl-cert "/Users/gru/development/angular/ssl/localhost+1.pem” \
  --ssl-key "/Users/gru/development/angular/ssl/localhost+1-key.pem”

I have gone through some closed issues and tried to restart the browser and the entire machine.

But none of them helped.

What went wrong

Originally created by @lakshmajee on GitHub (Jul 10, 2022). Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/461 ## Environment * Operating system (including version): macOS Big Sur 11.6.7 (20G630) * mkcert version (from `mkcert -version`): v1.4.4 * Server (where the certificate is loaded): Angular cli has in build serving mechanism to load SSL certs, https://angular.io/cli/serve * Client (e.g. browser, CLI tool, or script): browser (Chrome, Safari, Firefox) ## What you did <!-- Including the `mkcert -install` step and how the certificate was generated and installed. --> ```bash brew install mkcert brew install nss mkcert --install mkcert localhost 127.0.0.1 ``` After generating certificates, I attached them to angular cli. (It is able to detect the certificates at a given path) ```bash ng serve --ssl \ --ssl-cert "/Users/gru/development/angular/ssl/localhost+1.pem” \ --ssl-key "/Users/gru/development/angular/ssl/localhost+1-key.pem” ``` ### I have gone through some closed issues and tried to restart the browser and the entire machine. But none of them helped. ## What went wrong <!-- Please include the precise error, like a terminal transcript or a browser screenshot. -->  

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@ahmadSaeedGoda commented on GitHub (Aug 13, 2022):

Same here with ReactJS. Any Updates please?

<!-- gh-comment-id:1214155849 --> @ahmadSaeedGoda commented on GitHub (Aug 13, 2022): Same here with ReactJS. Any Updates please?

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@hakimio commented on GitHub (Aug 13, 2022):

Might be a change in Chrome causing this.
Anyway, for anyone on Windows try this guide from StackOverflow ("Windows: Generate and self sign certificate"). Worked well for me.

<!-- gh-comment-id:1214174285 --> @hakimio commented on GitHub (Aug 13, 2022): Might be a change in Chrome causing this. Anyway, for anyone on Windows try [this guide from StackOverflow ("Windows: Generate and self sign certificate")](https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/72477963#72477963). Worked well for me.

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@N6REJ commented on GitHub (Aug 21, 2022):

I'm hoping this can be fixed.
I get the following error when I try to install

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
ERROR: failed to execute "keytool -importcert": exit status 1

Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied)

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> 

<!-- gh-comment-id:1221436873 --> @N6REJ commented on GitHub (Aug 21, 2022): I'm hoping this can be fixed. I get the following error when I try to install ``` PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install Created a new local CA 💥 The local CA is now installed in the system trust store! ⚡️ ERROR: failed to execute "keytool -importcert": exit status 1 Warning: use -cacerts option to access cacerts keystore Certificate was added to keystore keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied) PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ```

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@brezanac commented on GitHub (Aug 28, 2022):

I'm hoping this can be fixed. I get the following error when I try to install

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
ERROR: failed to execute "keytool -importcert": exit status 1

Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied)

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> 

Try running mkcert inside Powershell with elevated (Administrator) privileges or simply install gsudo.

<!-- gh-comment-id:1229554894 --> @brezanac commented on GitHub (Aug 28, 2022): > I'm hoping this can be fixed. I get the following error when I try to install > > ``` > PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install > Created a new local CA 💥 > The local CA is now installed in the system trust store! ⚡️ > ERROR: failed to execute "keytool -importcert": exit status 1 > > Warning: use -cacerts option to access cacerts keystore > Certificate was added to keystore > keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied) > > PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> > ``` Try running `mkcert` inside Powershell with elevated (Administrator) privileges or simply install [gsudo](https://github.com/gerardog/gsudo).

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@N6REJ commented on GitHub (Aug 29, 2022):

I'm hoping this can be fixed. I get the following error when I try to install

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
ERROR: failed to execute "keytool -importcert": exit status 1

Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied)

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> 

Try running mkcert inside Powershell with elevated (Administrator) privileges or simply install gsudo.

that was inside an elevated powershell. as shown here

<!-- gh-comment-id:1229976394 --> @N6REJ commented on GitHub (Aug 29, 2022): > > I'm hoping this can be fixed. I get the following error when I try to install > > ``` > > PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install > > Created a new local CA 💥 > > The local CA is now installed in the system trust store! ⚡️ > > ERROR: failed to execute "keytool -importcert": exit status 1 > > > > Warning: use -cacerts option to access cacerts keystore > > Certificate was added to keystore > > keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied) > > > > PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> > > ``` > > Try running `mkcert` inside Powershell with elevated (Administrator) privileges or simply install [gsudo](https://github.com/gerardog/gsudo). that was inside an elevated powershell. as shown here 

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@brezanac commented on GitHub (Aug 29, 2022):

I'm hoping this can be fixed. I get the following error when I try to install

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️
ERROR: failed to execute "keytool -importcert": exit status 1

Warning: use -cacerts option to access cacerts keystore
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied)

PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> 

Try running mkcert inside Powershell with elevated (Administrator) privileges or simply install gsudo.

that was inside an elevated powershell. as shown here

The only indication that Powershell is running with elevated privileges is that it will use C:\Windows\system32> as the startup directory and the window title will display Administrator: Windows PowerShell. Your images does not contain any of those so I assumed unprivilleged Powershell, which will break mkcert since it needs acceess to sensitive areas of the operating system.

A nice and easy way to test for elevated privileges is to run the following line of code inside Powershell.

([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

<!-- gh-comment-id:1230009576 --> @brezanac commented on GitHub (Aug 29, 2022): > > > I'm hoping this can be fixed. I get the following error when I try to install > > > ``` > > > PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> ./mkcert.exe --install > > > Created a new local CA 💥 > > > The local CA is now installed in the system trust store! ⚡️ > > > ERROR: failed to execute "keytool -importcert": exit status 1 > > > > > > Warning: use -cacerts option to access cacerts keystore > > > Certificate was added to keystore > > > keytool error: java.io.FileNotFoundException: C:\Program Files\Microsoft\jdk-17.0.1.12-hotspot\lib\security\cacerts (Access is denied) > > > > > > PS E:\Development\MY_PROJECTS\bearsampp-development\Bearsampp\core\libs\mkcert> > > > ``` > > > > > > Try running `mkcert` inside Powershell with elevated (Administrator) privileges or simply install [gsudo](https://github.com/gerardog/gsudo). > > that was inside an elevated powershell. as shown here  The only indication that Powershell is running with elevated privileges is that it will use `C:\Windows\system32>` as the startup directory and the window title will display `Administrator: Windows PowerShell`. Your images does not contain any of those so I assumed unprivilleged Powershell, which will break mkcert since it needs acceess to sensitive areas of the operating system. A nice and easy way to test for elevated privileges is to run the following line of code inside Powershell. `([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)`

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@N6REJ commented on GitHub (Aug 29, 2022):

I apologize your completely correct. I'm trying to figure out how to tell phpstorm to run it as admin as we speak.

<!-- gh-comment-id:1230036519 --> @N6REJ commented on GitHub (Aug 29, 2022): I apologize your completely correct. I'm trying to figure out how to tell phpstorm to run it as admin as we speak. 

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@N6REJ commented on GitHub (Aug 29, 2022):

gsudo worked perfectly! TY!

<!-- gh-comment-id:1230070112 --> @N6REJ commented on GitHub (Aug 29, 2022): gsudo worked perfectly! TY!

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@N6REJ commented on GitHub (Aug 29, 2022):

Now that that is fixed... we store all ssl certs in the /ssl folder of our app. But we want to change from openssl to mkcert. How can we tell mkcert to use the ssl folder?

<!-- gh-comment-id:1230071564 --> @N6REJ commented on GitHub (Aug 29, 2022): Now that that is fixed... we store all ssl certs in the /ssl folder of our app. But we want to change from openssl to mkcert. How can we tell mkcert to use the ssl folder?

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@lakshmajee commented on GitHub (Sep 8, 2022):

Might be a change in Chrome causing this. Anyway, for anyone on Windows try this guide from StackOverflow ("Windows: Generate and self sign certificate"). Worked well for me.

Actually mkcerts selling point is you don't need to do or use multiple commands, right? Why do we need some workaround to get started with it? If mkcerts is all around workarounds, I need to switch to another library.

<!-- gh-comment-id:1240192929 --> @lakshmajee commented on GitHub (Sep 8, 2022): > Might be a change in Chrome causing this. Anyway, for anyone on Windows try [this guide from StackOverflow ("Windows: Generate and self sign certificate")](https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/72477963#72477963). Worked well for me. Actually `mkcerts` selling point is you don't need to do or use multiple commands, right? Why do we need some workaround to get started with it? If `mkcerts` is all around workarounds, I need to switch to another library.

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@blueblakk commented on GitHub (Sep 4, 2023):

Facing the exact same issue.

<!-- gh-comment-id:1705115252 --> @blueblakk commented on GitHub (Sep 4, 2023): Facing the exact same issue.

kerem commented 2026-02-25 22:33:03 +03:00

Author

Owner

Copy link

@SiegeSailor commented on GitHub (Sep 10, 2024):

Any update?

<!-- gh-comment-id:2340455509 --> @SiegeSailor commented on GitHub (Sep 10, 2024): Any update?

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.9.1

v0.9.0

Labels

Clear labels   

TLS stack issue

  

Windows

  

bug

  

duplicate

  

duplicate

  

enhancement

  

help wanted

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

root store

  

waiting for info

No labels

TLS stack issue

Windows

bug

duplicate

duplicate

enhancement

help wanted

help wanted

pull-request

question

question

root store

waiting for info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mkcert#295

No description provided.