mkcert is an open-source tool that creates and installs a local Certificate Authority (CA) on the system and generates locally-trusted certificates for use in development.
As a developer, using certificates from a real CA to test SSL over localhost can be dangerous, and it means you have to buy a certificate, which is not what you would want to do. The best solution is to self-sign a certificate, which might cause errors, but mkcert does all that for you. You only have to configure your servers to use the certificates.
In this guide, I will show you how to:
- Install Chocolatey
- Install mkcert using Chocolatey.
- Install Scoop
- Install mkcert using Scoop
- Create Certificate Authority using mkcert
- Generate locally-trusted SSL certificate using mkcert
- Configure IIS server to use the generated certificate
#1) Installing mkcert on Windows
You can use Chocolatey or Scoop to install mkcert on Windows systems.
Installing Chocolatey on Windows
To install Chocolatey, open PowerShell as an administrator.
The first thing to do is to ensure that the execution policy is not Restricted. Type Get-ExecutionPolicy and press Enter. If it returns Restricted, use Set-ExecutionPolicy AllSigned to allow signed scripts to run.
The commands to be executed:
Get-ExecutionPolicy
Set-ExecutionPolicy AllSigned
Then go to the official Chocolatey install page and scroll down to the install section to copy the command used for installation. You can also copy it from here:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
Paste the command and press Enter. Installation begins immediately and it is quick.
Installing mkcert using Chocolatey
To install mkcert using Chocolatey in PowerShell, type the following command and press Enter.
choco install mkcert
The installation begins and finishes instantly without hassle.
You can confirm the installation was successful by typing mkcert --version and pressing Enter. It returns the version, which shows the installation was successful.
You can also find the path of where mkcert was stored by using
Installing Scoop on Windows
You will have to change the execution policy by using
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
The next step is to install Scoop with
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://get.scoop.sh')
# or shorter
iwr -useb get.scoop.sh | iex
Next up is to install ‘git’ to be able to install the required packages by using scoop.
scoop install git
Install mkcert Using Scoop
Next up is to install mkcert
scoop bucket add extras
scoop install mkcert
To check the version and root directory use
mkcert --version
mkcert -CAROOT
Install CA in your System Root Store
To install the CA, type mkcert -install and press Enter.
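To confirm what mkcert -install changed, the following added example (not part of the original guide) compares the root certificate in the CAROOT directory with the Windows root stores and lists who can read the CA private key. The file names rootCA.pem and rootCA-key.pem are the ones mkcert writes to CAROOT; they do not appear elsewhere on this page.

```powershell
# Added example: check where the mkcert root CA is trusted and who can read its key.
# Assumes mkcert is on PATH and "mkcert -install" has already been run.
$caRoot = (& mkcert -CAROOT).Trim()
$caCert = Join-Path $caRoot 'rootCA.pem'       # public root certificate
$caKey  = Join-Path $caRoot 'rootCA-key.pem'   # private key that signs every mkcert certificate

if (-not (Test-Path $caCert)) {
    throw "No root certificate found in $caRoot; run mkcert -install first."
}

# Load the PEM-encoded root certificate so its thumbprint can be compared.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $caCert

"Root CA : $($root.Subject)"
"Expires : $($root.NotAfter)"
"SHA-1   : $($root.Thumbprint)"

# Report which Trusted Root stores contain this exact certificate.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $hit = Get-ChildItem $store | Where-Object Thumbprint -eq $root.Thumbprint
    '{0,-24} {1}' -f $store, $(if ($hit) { 'trusted' } else { 'not present' })
}

# Anyone who can read rootCA-key.pem can issue certificates this machine trusts,
# so the access list should contain only the accounts you expect.
if (Test-Path $caKey) {
    (Get-Acl $caKey).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```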
#2) Generate Locally-trusted SSL Certificate using mkcert
To generate a locally-trusted SSL certificate, type the command mkcert -pkcs12 localhost then press Enter. This command contains the subject name and the address.
Note that the certificate is placed in the directory you are currently in. I chose to change my directory to Desktop for easy access when importing the certificate. You can do the same by typing
Note the default password “changeit” used to encrypt the certificate as you will use it when importing the certificate.
It generates the certificate and shows the location of the certificate. The next step is to configure the server to use that certificate.
#3) Configure Server to use the certificate
We have to import the certificate first. Open mmc on your system.
It opens a console window. Click on File, then click on Add/Remove Snap-in.
It opens a new window. Double-click on Certificates, or select Certificates and then click Add.
The Certificates snap-in window opens. Click on Computer account, which is where the snap-in will manage the certificate.
Next, select the computer that the snap-in will manage. I went with the default, Local Computer. Click on Finish.
It takes you back to the console. Expand Certificates and find the Web Hosting folder. Expand the folder and click on Certificates. On the empty part, right-click and select All Tasks, then click on Import.
It opens the Certificate Import Wizard that will assist in importing the created certificate.
You will have to browse for the .p12 file where you stored it after creation. Mine is in the Desktop directory. Find yours and select it.
Ensure the file is the one you want then click on Next.
When you created the certificate with mkcert, it was protected and it showed you the password. By default the password is changeit. Type the password and make sure to mark the checkbox for Mark the Key as exportable.
For the certificate store, ensure it is Web Hosting. If not, browse and select Web Hosting.
It shows the summary. Confirm the details and click on Finish.
The import is successful and the certificate appears in the Web Hosting store. You can refresh the folder if you are not able to view the certificate.
#4) Configure Server in IIS to use mkcert certificate
We have to configure the server to use the certificate.
Check if you have the Internet Information System (IIS) manager feature active on your machine.
Press Windows key + R to open Run, then type inetmgr and press Enter.
If you get an error, the feature is not enabled on your machine and you have to enable it. If it opens, skip to the next part.
Go to your Windows search bar, search for ‘Turn Windows features on or off’ and open it.
Find the features related to IIS and mark the checkbox next to them. You might have to expand the checkbox and select all the features associated with IIS.
Once you have selected all of them, click OK and Windows will search for and apply the changes. Close the dialog.
Open IIS Manager. You can use the inetmgr command or just find it from the Windows search bar.
Then expand the server, expand Sites and click on Default Web Site, which is where we are going to apply the certificate. Click on Bindings.
The Site Bindings window opens. Click on Add.
Under Type select ‘https’, under SSL certificate select the newly imported ‘localhost’ certificate, and click OK.
You will have to restart IIS for it to recognize the new SSL certificate. You can use the command iisreset /restart in Windows PowerShell to restart IIS.
Then, back in IIS Manager, click on Browse ‘*:443 (https)’ to open the website.
The website opens and is shown as secure.
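The import and binding steps in sections #3 and #4 can also be scripted. This is an added example, not part of the original guide; it assumes the file generated earlier is named localhost.p12 in the current directory and that it is run from an elevated PowerShell with the IIS WebAdministration module available.

```powershell
# Added example: scripted equivalent of the MMC import wizard and the IIS binding dialog.
Import-Module WebAdministration

$p12Path  = Join-Path (Get-Location) 'localhost.p12'   # assumed mkcert output file name
$siteName = 'Default Web Site'
$password = ConvertTo-SecureString 'changeit' -AsPlainText -Force   # mkcert default password

if (-not (Test-Path $p12Path)) { throw "Certificate file not found: $p12Path" }

# Import into the Local Computer "Web Hosting" store, as the wizard does.
# -Exportable mirrors the "Mark the Key as exportable" checkbox; leave it out
# if the private key never needs to leave this machine.
$cert = Import-PfxCertificate -FilePath $p12Path `
            -CertStoreLocation 'Cert:\LocalMachine\WebHosting' `
            -Password $password -Exportable |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1

if (-not $cert) { throw 'No certificate with a private key was imported.' }

# Create the https binding on port 443 only if the site does not have one yet.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
}

# Attach the imported certificate to the binding. This call fails if port 443
# already has a certificate bound; remove the old binding first in that case.
$binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')

# Show the resulting SSL bindings, then restart IIS as in the manual steps.
Get-ChildItem 'IIS:\SslBindings'
iisreset /restart
```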
And that is all. mkcert does most of the work; you only have to configure the server to use the created certificate. This makes it easy for developers to use certificates in their local projects, especially those that involve input fields such as passwords.