[GH-ISSUE #76] [Question] How to generate a fullchain cert file? #42

Closed
opened 2026-02-25 22:32:27 +03:00 by kerem · 8 comments

Originally created by @saicrazyfire on GitHub (Oct 1, 2018).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/76

I'm looking to leverage this on internally hosted Home Assistant and they have a Nginx proxy. I want to be able to access the web application via something like "https://hassio.local". I can create the cert and the key with mkcert but the Nginx addon for HA needs the fullchain.

kerem 2026-02-25 22:32:27 +03:00
  • closed this issue
  • added the question label

@adamdecaf commented on GitHub (Oct 2, 2018):

There's only the root CA and your leaf certs. When you `mkcert -install` it tells you where the CA certificate is.

```
$ mkcert -install
Created a new local CA at "/home/adam/.local/share/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
Warning: "certutil" is not available, so the CA can't be automatically installed in Firefox and/or Chrome/Chromium! ⚠️
Install "certutil" with "apt install libnss3-tools" or "yum install nss-tools" and re-run "mkcert -install" 👈

$ ls -l ~/.local/share/mkcert/
total 8
-r-------- 1 adam adam 2484 Oct  2 08:49 rootCA-key.pem
-rw-r--r-- 1 adam adam 1655 Oct  2 08:49 rootCA.pem
```

`mkcert hassio.local` would then generate the leaf cert and key in the directory you call `mkcert` from.


@saicrazyfire commented on GitHub (Oct 2, 2018):

So would it be enough to concatenate rootCA.pem and hassio.pem and have a fullchain.pem? At least from what I could google, the full chain cert is that


@adamdecaf commented on GitHub (Oct 2, 2018):

Yea, looks like the nginx docs mention that.

https://nginx.org/en/docs/http/configuring_https_servers.html#chains


@FiloSottile commented on GitHub (Jan 6, 2019):

Since mkcert does not generate intermediate CAs, you should be able to use the certificate alone as "fullchain". If not, you just need to concatenate the file in `$(mkcert -CAROOT)/rootCA.pem`, but browsers don't need the root to be sent to them.


@BarnabasSzabolcs commented on GitHub (Oct 24, 2019):

Unfortunately it looks like python's requests needs it.


@FiloSottile commented on GitHub (Oct 24, 2019):

Should be as simple as

```
mkcert example.com
cat example.com.pem > example.com-fullchain.pem
cat "$(mkcert -CAROOT)/rootCA.pem" >> example.com-fullchain.pem
```

@BarnabasSzabolcs commented on GitHub (Oct 25, 2019):

Thanks a bunch, Filo!


@emahuni commented on GitHub (Nov 8, 2019):

> Should be as simple as
>
> ```
> mkcert example.com
> cat example.com.pem > example.com-fullchain.pem
> cat "$(mkcert -CAROOT)/rootCA.pem" >> example.com-fullchain.pem
> ```

That's not the fullchain, that's just the chain. Fullchain is the cert.pem at the top + the chain at the bottom.
See #214 for the correct way of generating these files. I do this all the time developing SIP technologies that need SSL. They require these kinds of files.

https://community.letsencrypt.org/t/public-and-private-keys/25493/3?u=emahuni
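
The concatenation discussed in this thread, as an added example that is not from any participant or from the mkcert project: the leaf certificate goes first, then the root CA certificate, with a guard against a private key ending up in the served bundle and a check that the leaf verifies against the root. It assumes the `openssl` CLI is installed; `make_demo_pki` builds a throwaway CA and leaf (constructed stand-ins for mkcert's `rootCA.pem` and `hassio.local.pem`) so the script runs without mkcert, and all function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: build and sanity-check a "fullchain" file (leaf first, root after).

# make_fullchain LEAF_CERT CA_CERT OUT
make_fullchain() {
  local leaf="$1" ca="$2" out="$3" f
  for f in "$leaf" "$ca"; do
    # Key files such as rootCA-key.pem must never be part of what the server sends.
    if grep -q 'PRIVATE KEY' "$f"; then
      echo "refusing: $f contains a private key" >&2
      return 2
    fi
  done
  cat "$leaf" "$ca" > "$out"
}

# count_certs BUNDLE: number of certificates in the bundle
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# first_cert_subject BUNDLE: openssl x509 reads only the first PEM block,
# which in a fullchain file must be the leaf, not the CA.
first_cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# leaf_verifies CA_CERT BUNDLE: the first certificate in BUNDLE chains to CA_CERT
leaf_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed throwaway CA and leaf, standing in for mkcert output
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo root CA' \
    -keyout "$d/rootCA-key.pem" -out "$d/rootCA.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=hassio.local' \
    -keyout "$d/hassio.local-key.pem" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootCA.pem" \
    -CAkey "$d/rootCA-key.pem" -CAcreateserial -days 1 \
    -out "$d/hassio.local.pem" 2>/dev/null || return 1
}
```

With real mkcert output, the call would be `make_fullchain hassio.local.pem "$(mkcert -CAROOT)/rootCA.pem" fullchain.pem`.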
