mkcert is an open-source tool that is used to create and install local Certificate Authority (CA) in the system and generate locally-trusted certificates to be used for development.

As a developer, working on a project can be dangerous when it comes to using certificates from real CA to test SSL over localhost, It means you have to buy a certificate which is not what you would want to do. So the best solution is to self sign a certificate which might cause errors but mkcert does all that for you. You only have to configure the servers to use with the certificates.

In this guide, I will show you how to:

  • Install Chocolatey
  • Install mkcert using Chocolatey.
  • Install Scoop
  • Install mkcert using Scoop
  • Create Certificate Authority using mkcert
  • Generate locally-trusted SSL certificate using mkcert
  • Configure IIS server to use the generated certificate

#1) Installing mkcert on Windows

You can use Chocolatey or Scoop to install mkcert on Windows systems.

Installing Chocolatey on Windows

To install chocolatey, open your PowerShell as an Admin.

The first thing to do is to ensure that Get-ExecutionPolicy is not restricted.
Type Get-ExecutionPolicy and press Enter, If it returns restricted use Set-ExecutionPolicy AllSigned to allow.

All commands to be executed.

Set-ExecutionPolicy AllSigned

See below screenshot:

Then go to Chocolatey Install official site and scroll down to the install part to copy the code to be used for installation. You can copy also from here

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString(''))

Paste the command and press Enter, Installation begins Immediately and it is quick.

Installing mkcert using Chocolatey

To install mkcert using chocolatey with PowerShell, Type the following command and press Enter.

choco install mkcert

The installation begins and finishes instantly without hassle.

You can confirm the installation was successful by typing mkcert --version and press Enter. It returns the version and this shows the installation was successful.

You can also find the path of where mkcert was stored by using mkcert -CAROOT.

Installing Scoop on Windows

You will have to change the execution policy by using

Set-ExecutionPolicy RemoteSigned -scope CurrentUser

Then next is to install scoop with

Invoke-Expression (New-Object System.Net.WebClient).DownloadString('')

# or shorter
iwr -useb | iex

Next up is to install ‘git’ to be able to install the required packages by using scoop.

scoop install git

Install mkcert Using Scoop

Next up is to install mkcert

scoop bucket add extras
scoop install mkcert

To check the version and root directory use

mkcert --version
mkcert -CAROOT

Install CA in your System Root Store

Use the following code to install CA, Type mkcert -install and press Enter.

#2) Generate Locally-trusted SSL Certificate using mkcert

To generate my a locally-trusted SSL Certificate, type the code mkcert -pkcs12 localhost then press Enter. This code contains the subject name and the address.

Note that the certificate is placed on the directory you are currently on. I chose to change my directory to Desktop for easy access when I will be importing the certificate. You can do the same by typing cd ~/Desktop.

Note the default password “changeit” used to encrypt the certificate as you will use it when importing the certificate.

It generates the certificate and shows the location of the certificate. Next thing would be to configure the server to use that certificate

#3) Configure Server to use the certificate

We have to import the certificate first. Open mmc in your system as shown

It opens a window as below. Click on file the click on Add/Remove Snap-in

It opens a new Window, Double click on Certificates or select Certificates then click Add.

Certificate snap-in Window opens. Click on Computer account which is where the snap-in will manage the certificate.

Next up will be o select the computer that the snap-in will manage. I went with default Local Computer. Click on Finish.

It takes you back to the Console. Expand the Certificates and find Web Hosting Folder. Exapnd the folder and click on certificates. On the empty part, right-click and select All Tasks then click on Import..

It opens the Certificate Import Wizard that will assist in importing the created certificate.

Yow will have to browse for the.p12 file from where you stored after creation. Mine is in the Desktop directory. Find yours an select it.

Ensure the file is the one you want then click on Next.

When you created the certificate with mkcert it was protected and it showed you the password. By default the password is changeit . Type the password and ensure to Mark the checkbox for Mark the Key as exportable.

For the certificate store folder, ensure it is under Web Hosting as below. If not, Browse and select Web Hosting.

Its shows the summary, Confirm the details and click on Finish.

The import is successful and it shows as certificate in the Web Hosting directory. You can refresh the folder if you are not able to view the certificate.

#4) Configure Server in IIS to use mkcert certificate

We have to configure the server to use the certificate.

Check if you have the Internet Information System (IIS) manager feature active your machine.

Press Windows key + R to open Run then type inetmgr and press Enter.

If you get such an error, then the Feature is not enabled in your machine and you have to enable it. If it opens then skip to the next part

Go tour Windows Search bar and search ‘Turn Windows features on or off’ and open it.

Find features relates to IIS and mark the checkbox next to them. You might have to expand the checkbox and select all the features associated with IIS as shown below.

Once you have selected all of them, Click OK and windows will search and apply the changes. Close the dialog.

Open IIS Manager. You can use the inetmgr command or just find it from the windows search bar.

Then expand the Server and go to Sites and expand then click on Default Web Site which is where we are going to apply the certificate. Click on Bindings.

Site Binding window opens as follows. Click on Add.

Under type select ‘https’ and under SSL certificate select the newly imported ‘localhost’ certificate and click OK.

You will have to restart the IIS manager for it to recognize the new SSL. You can use the code iisreset /restart in the Windows PowerShell to restart the IIS Manager

Then back to IIS Manager, click on Browse ‘*443 (https)’ to open the website.

The website opens with the secure option shown as below.

And that is all, mkcert does most of the work, You only have to configure the server to use the created certificate. This makes it easy for developers to use the certificates in their local projects that especially involve input fields for example, Passwords.

More guides:



Please enter your comment!
Please enter your name here