mkcert

用来生成自签证书的工具

示例

mkcert 是 GO 编写的，一个简单的零配置的用来生成自签证书的工具。

下面给一个简单的示例，在本地生成自签证书，并使用让 nc 使用生成的证书。

~ ·········································································································································  10:46:25
❯ mkcert -install
The local CA is already installed in the system trust store! 👍The local CA is already installed in the Firefox and/or Chrome/Chromium trust store! 👍
~ ·········································································································································  10:46:34
❯ mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

Created a new certificate valid for the following names 📜 - "example.com"
 - "*.example.com"
 - "example.test"
 - "localhost"
 - "127.0.0.1"
 - "::1"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.example.com ℹ️

The certificate is at "./example.com+5.pem" and the key at "./example.com+5-key.pem" ✅
It will expire on 30 January 2025 🗓

~ ·········································································································································  10:47:37
❯ ls             
公共  视频  文档  音乐  aria          aria2-downloads  Dockerfile             example.com+5.pem  GOPATH  minio-binaries  nowip_hosts.txt  tech_backend.jar
模板  图片  下载  桌面  aria2-config  cv_debug.log     example.com+5-key.pem  go                 math    navicat_reset   src
~ ·········································································································································  10:47:55
❯ ncat -lvp 1589 --ssl-key example.com+5-key.pem --ssl-cert example.com+5.pem 
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1589
Ncat: Listening on 0.0.0.0:1589
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:39156.
Ncat: Failed SSL connection from 127.0.0.1: error:00000000:lib(0):func(0):reason(0)

mkcert 自动生成并安装一个本地 CA 到 root stores，并且生成 locally-trusted 证书。mkcert 不会自动使用证书来配置服务器，不过，这取决于你。

安装

Warning: mkcert 自动生成的 rootCA-key.pem 文件提供了完整的能力来拦截你机器上的安全请求。请不要分享它。

macOS

$ brew install mkcert
$ brew install nss # 如果用 Firefox 的话

Linux

在 Linux 上，首先要安装 certutil

$ sudo apt install libnss3-tools
#    -or-
$ sudo yum install nss-tools
#    -or-
$ sudo pacman -S nss
#    -or-
$ sudo zypper install mozilla-nss-tools

然后可以使用 Homebrew on Linux 来安装。

$ brew install mkcert

或者从源码构建（要求 Go 1.13+）

git clone https://github.com/FiloSottile/mkcert && cd mkcert
go build -ldflags "-X main.Version=$(git describe --tags)"

又或者使用预构建的二进制文件。

$ curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
$ chmod +x mkcert-v*-linux-amd64
$ sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert

对于 Arch Linux 用户（比如我），mkcert 在 Arch Linux 官方仓库中可用。

$ sudo pacman -S mkcert

Windows

使用 Chocolatey

$ choco install mkcert

或者使用 Scoop

$ scoop bucket add extras
$ scoop install mkcert

或者从源码构建（要求 Go 1.10+），或者使用预构建的二进制文件。

如果遇到权限问题，请使用管理员运行 mkcert

支持的 root stores

mkcert 支持以下 root stores：

macOS system store
Windows system store
Linux 发行版提供
- update-ca-trust （Fedora，RHEL，CentOS）或者
- update-ca-certificates （Ubuntu，Debian，OpenSUSE，SLES）或者
- trust （Arch）
Firefox （仅 macOS 和 Linux）
Chrome 和 Chromium
Java（当 JAVA_HOME 被设置时）