[GH-ISSUE #125] Generate CA + client certificate pair for client authentication purposes #70

Closed
opened 2026-02-25 22:32:31 +03:00 by kerem · 2 comments

Originally created by @schweikert on GitHub (Feb 1, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/125

This is related to #89, but goes a bit more into the detail about how generating client certificates could be useful:

What I recently started experimenting with is using client certificate authentication as a sort of SSH's authorized_keys, but for the web. Often you can configure on a web server a list of CAs that are accepted for client authentication. This is the case for example with nginx's ssl_verify_client /ssl_client_cert...

The idea would be to:

  • Generate a new self-signed CA (with key and certificate)
  • Generate a new client certificate, signed by the above CA (also key + cert)
  • Delete the CA key. Now you have:
    • CA certificate -> this is your public key
    • client certificate (key+cert) -> this is your private key
  • Load the client certificate in the browser (best is to use the PKCS12 format with a password)
  • Put your personal, self-signed CA in the list of accepted certificates on the web server.

I was also wondering about writing a tool / script to facilitate this, but it would be awesome to have this functionality in mkcert! Maybe something like:

mkcert -client-adhoc -name "Firstname Lastname" mycert
# generates:
# - mycert.ca.pem  -> CA certificate, put this in your server config
# - mycert.pkcs12   -> client certificate to load in the browser

I have to say: I wonder a bit why nobody seems to be doing this (using client certificate like ssh's authorized_keys)... Maybe it's a bad idea? It seems like a very practical thing, especially for testing.

Let me know your thoughts... Maybe I could try implementing this.

kerem closed this issue 2026-02-25 22:32:31 +03:00
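The workflow proposed in the issue (self-signed CA, exactly one client certificate issued from it, CA key discarded, CA certificate handed to the server) as an added Go example. This is not mkcert's code and not the issue author's; the names GenerateClientIdentity, VerifyClient, issue and the "(personal CA)" subject suffix are my own choices, and PKCS12 packaging is left out because Go's standard library has no PKCS12 encoder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ClientIdentity is what survives once the CA private key is thrown away.
type ClientIdentity struct {
	CACertPEM, ClientCertPEM, ClientKeyPEM []byte
}

func check(err error) {
	if err != nil {
		panic(err) // key generation / marshalling failures are environmental
	}
}

// issue signs tmpl with the parent's key under a fresh random 128-bit serial.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey, pub *ecdsa.PublicKey) []byte {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	return der
}

// GenerateClientIdentity follows the issue's workflow: a self-signed CA, exactly one
// client-auth certificate issued from it, and the CA key discarded afterwards.
func GenerateClientIdentity(name string, validFor time.Duration) *ClientIdentity {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	// Step 1: the ad-hoc CA, constrained to signing end-entity certificates only.
	caTmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name + " (personal CA)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may sign leaves, never intermediate CAs
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER := issue(caTmpl, caTmpl, caKey, &caKey.PublicKey) // parent == template: self-signed
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	// Step 2: the client certificate, limited to clientAuth so it cannot double as a server cert.
	clientDER := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: name},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, caKey, &clientKey.PublicKey)
	clientKeyDER, err := x509.MarshalECPrivateKey(clientKey)
	check(err)
	// Step 3: caKey is never written anywhere; it is gone once this function returns.
	return &ClientIdentity{
		CACertPEM:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		ClientCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: clientDER}),
		ClientKeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: clientKeyDER}),
	}
}

// VerifyClient is the server side: accept a presented certificate only if it chains to
// the trusted CA and is valid for client auth; returns the authenticated name on success.
func VerifyClient(caCertPEM, clientCertPEM []byte) (string, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caCertPEM) {
		return "", fmt.Errorf("no CA certificate in PEM")
	}
	block, _ := pem.Decode(clientCertPEM)
	if block == nil {
		return "", fmt.Errorf("no client certificate in PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	id := GenerateClientIdentity("Firstname Lastname", 365*24*time.Hour)
	fmt.Print(string(id.CACertPEM)) // the part that goes into the server's accepted-CA list
	fmt.Println(VerifyClient(id.CACertPEM, id.ClientCertPEM))
}
```

VerifyClient is the check a web server performs with the CA certificate in its accepted list (nginx does the equivalent with the PEM in `ssl_client_certificate` and `ssl_verify_client on`). Because the CA key is gone, the single client certificate it signed is the only credential that will ever pass that check, and removing the CA certificate from the server's list revokes it, much like deleting a line from authorized_keys. One caveat for anyone writing the server side in Go: `VerifyOptions.KeyUsages` defaults to serverAuth, so it has to be set to clientAuth explicitly or a client-only certificate like the one above is refused.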

@FiloSottile commented on GitHub (Feb 2, 2019):

Added `-client`. You can use `$CAROOT` to have a dedicated CA.


@alexfornuto commented on GitHub (Nov 29, 2021):

@FiloSottile Sorry to ask on an old issue but I don't see a better spot for this question: How can one change the default password of a client certificate when generating it?
