localcert: SSL Certificate Generation and Trust
Generates and trusts self-signed SSL certificates for local development. Based off the popular mkcert library for GoLang.
In order to install certificates in NSS browsers such as Firefox, the Mozilla certutil is required. You can install it with the following:
brew install certutil
sudo apt install libnss3-tools-or-sudo yum install nss-tools-or-sudo pacman -S nss-or-sudo zypper install mozilla-nss-tools
Installation to Firefox is not yet supported on Windows. Localcert will only install the certificate to the system store.
Import and instantiate the the localcert module:
var localcert =var certgen =
Generate the certificate:
certgenconst certPaths = await certgen;
Note, you can pass a "certPath" to the saveCertificate method. Without it, localcert will save certificates to ~/.localcert
You can also load an existing certificate with the following:
const certPaths = certgen;
Next, trust the certificate either in the system store, NSS browsers such as Firefox and Chrome, or both:
To remove the certificate trusts, locate the certificate to remove and run the following:
For the following functions, you can pass a second, optional, parameter of
execute (bool) which defaults to true. If false, the command called will simply return the command parameters and not execute. Hopefully this will be handy in applications that may have wrapped sudo and/or other system calls.
Some utility functions
Determine if the user has certutil installed:
Determine if the user has any NSS browsers that need to be trusted:
Verify if the current certificate has been trusted in the system store
- Fix inconsistencies with package-lock
- Move to getflywheel organization
- Remove dependencies on native node modules
- Ensure we're properly verifying the certificate to build NSS commands
- Fix default certPath when removing NSS trusts
- Improve readme documentation
- Fix bug where commands weren't returned from nss de-trust
- Make certPath optional on most functions
- Setup testing
- Use npm instead of yarn
- Fix filename when generating new key
- Minor refactor
- Savecertificate method is now properly async.
- Use which package to avoid errors.
- Add ability to verify system store on host machine has been trusted.
- We need to escape paths for the child_process.exec execution
- Send the correct database string to the NSS insert method.
- export NSS command paths without normalized paths
- Add helper function to retrieve NSS operations
- Add ability to not execute NSS trust commands
- Generated cert should not be listed as a CA.
- Properly escape spaces in all paths for NSS browser trust
- Don't escape Mac and Linux paths unless we have to
- Add ability to avoid direct execution of sudo commands with optional "execute" parameter.
- Ensure spaces are accounted for in Linux and Mac paths
- Ensure certutil path is populated in Linux
- Cleanout some unused variables after the port from mkcert
- Add ability to load an existing certificate for trusting
- Initial release