[GH-ISSUE #123] Change the location of the CA files #71

Closed
opened 2026-02-25 22:32:31 +03:00 by kerem · 11 comments

Originally created by @electricarts on GitHub (Jan 21, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/123

Sorry for the perhaps stupid question, but how can I change the location for the generated certificates? How do I use the variable $CAROOT when generating? An example would be great. For example, what should I do if I want to store the certificates in a folder under ~/local_certificates?

kerem closed this issue 2026-02-25 22:32:31 +03:00

@adamdecaf commented on GitHub (Jan 21, 2019):

You can set CAROOT when calling mkcert:

```
$ CAROOT=~/local_certificates mkcert -install
```

You can also copy the existing CA and files: `cp $(mkcert -CAROOT)/* ~/local_certificates/`


@electricarts commented on GitHub (Jan 21, 2019):

Thanks for the help!

But what about the generated page certificates? Is there a possibility that they will automatically end up in the local_certificates folder?


@adamdecaf commented on GitHub (Jan 21, 2019):

You can have `mkcert` write those anywhere, but by default those files are written in the directory `mkcert` is executed from.

```
$ mkcert -cert-file ~/local_certificates/localhost.pem -key-file ~/local_certificates/localhost-key.pem localhost
Using the local CA at "/Users/adam/local_certificates" ✨

Created a new certificate valid for the following names 📜
 - "localhost"

The certificate is at "/Users/adam/local_certificates/localhost.pem" and the key at "/Users/adam/local_certificates/localhost-key.pem" ✅
```


@electricarts commented on GitHub (Jan 21, 2019):

I think I'm too stupid for the terminal. 😉

The local CA is now in ~/local_certificates. But when I now create new certificates for my local URLs, the CA under ~/Library/Application Support/mkcert is still used. Do I have to delete the local CA generated with the "normal" installation (in ~/Library/Application Support/mkcert) first?


@adamdecaf commented on GitHub (Jan 21, 2019):

You can set `CAROOT` in your shell profile (`~/.bashrc` as an example) to always override the default.

```
export CAROOT="$HOME/local_certificates"
```

@electricarts commented on GitHub (Jan 21, 2019):

Unfortunately this does not change anything. After the entry in the shell profile, a new CA certificate is created in `~/local_certificates` after calling `mkcert` (as before with `$ CAROOT=~/local_certificates mkcert -install`). But the URL certificates are stored again in `~` and not in `~/local_certificates`.


@adamdecaf commented on GitHub (Jan 21, 2019):

Oh, by default `mkcert` writes those to the directory it's run from. You can set two flags to override that (or copy the files).

```
$ mkcert -cert-file ~/local_certificates/localhost.pem -key-file ~/local_certificates/localhost-key.pem localhost
```

@electricarts commented on GitHub (Jan 21, 2019):

Ok. And I have to set this flag 4 times if the generated certificate should be valid for `example.test, *.example.test, localhost and 127.0.0.1`? This is too much stress for me. Then the certificates remain without a folder in `~`. Not very organized but I have to live with that.

Nevertheless thanks a lot for your support! I am unfortunately only a pixel pusher.


@adamdecaf commented on GitHub (Jan 21, 2019):

```
# Locally I don't have CAROOT set to ~/local_certificates
$ mkcert -cert-file ~/local_certificates/localhost.pem -key-file ~/local_certificates/localhost-key.pem example.test *.example.test localhost 127.0.0.1
Using the local CA at "/Users/adam/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "example.test"
 - "*.example.test"
 - "localhost"
 - "127.0.0.1"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.example.test ℹ️

The certificate is at "/Users/adam/local_certificates/localhost.pem" and the key at "/Users/adam/local_certificates/localhost-key.pem" ✅

---
# Verify certificate hostnames and IP
$ cert-manage list -file ~/local_certificates/localhost.pem
Certificate
  ...
  DNSNames:
    example.test
    *.example.test
    localhost
  IPAddresses:
    127.0.0.1
```

That worked for me.
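
The two settings from this thread combined into one shell function, as an added example that is not part of the original thread or of mkcert: `mkcert -CAROOT` locates the CA, while `-cert-file`/`-key-file` place the leaf certificate and key. The function names, the file naming, the 0700/0600 permissions and the refusal to write leaf files into `CAROOT` are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: real_dir, cert_stem,
# mkcert_into; the file naming and permission choices are also this example's.

real_dir() { ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P ); }

# File stem from the first name: "*" is spelled out, other unusual
# characters become "_", and extra names are counted as "+N".
cert_stem() {
    stem=$(printf '%s' "$1" | sed -e 's/\*/_wildcard/g' -e 's/[^A-Za-z0-9._-]/_/g')
    if [ "$#" -gt 1 ]; then stem="$stem+$(($# - 1))"; fi
    printf '%s\n' "$stem"
}

# mkcert_into DIR NAME...  issues one certificate covering every NAME and
# prints the certificate path; the key lands next to it as <stem>-key.pem.
mkcert_into() {
    if [ "$#" -lt 2 ]; then
        echo "usage: mkcert_into DIR NAME..." >&2
        return 2
    fi
    out_dir=$1
    shift
    # New directories are created 0700; an existing one keeps its mode.
    ( umask 077 && mkdir -p -- "$out_dir" ) || return 1
    # CAROOT holds rootCA-key.pem, which can sign for any name this machine
    # trusts, so this example keeps leaf files out of that directory.
    ca_dir=$(mkcert -CAROOT) || return 1
    if [ "$(real_dir "$out_dir")" = "$(real_dir "$ca_dir")" ]; then
        echo "mkcert_into: $out_dir is CAROOT; pick another directory" >&2
        return 1
    fi
    stem=$(cert_stem "$@")
    cert=$out_dir/$stem.pem
    key=$out_dir/$stem-key.pem
    # "$@" passes each name as one argument, so "*.example.test" reaches
    # mkcert literally as long as the caller quoted it.
    ( umask 077 && mkcert -cert-file "$cert" -key-file "$key" "$@" ) >&2 || return 1
    chmod 600 "$key" || return 1
    printf '%s\n' "$cert"
}

# Usage: mkcert_into ~/local_certificates/leaf example.test '*.example.test' localhost 127.0.0.1
```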


@electricarts commented on GitHub (Jan 21, 2019):

Yesss! That worked! Many many thanks for your help!

I made a snippet in TextExpander with a placeholder for my local URLs. So I only have to type in the abbreviation in the terminal, enter the desired local URL in the placeholder and press Enter. And everything is in the desired place. 🙂


@adamdecaf commented on GitHub (Jan 21, 2019):

Sweet! Feel free to close out this issue if we solved your problems. 😁
