Skip to content

Releases: FiloSottile/mkcert

Firefox Snap support for Ubuntu 22.04

26 Apr 17:51
Choose a tag to compare

Firefox packaged in a Snap, which is the default browser of Ubuntu 22.04, is now supported ✅

Fixed a crash when a CSR doesn't have SANs 💥

Calling mkcert with no arguments only prints the help text 🤫

Pre-built binaries for windows/arm64 and darwin/arm64 🧱

Pre-built binaries are now available at stable URLs like these 🔗

Cleaned up EKUs

25 Nov 13:16
Choose a tag to compare

The EKU logic is now simpler, and it follows the following rules

  • if an IP address, DNS name, or URI SAN is present, serverAuth is included
  • if -client is used, clientAuth is included
  • if an email address SAN in present, emailProtection is included

Certificate generation based on CSRs is now consistent with standard certificate generation.

Releases are now built from GitHub Actions.

It's been a while

26 Oct 00:04
Choose a tag to compare
  • Reduce certificate lifetime to 2 years and 3 months
  • Detect various flavors of Firefox (#225, #280)
  • Build release binary for linux/arm64 (#284)

The Go import path of the module is now, which should only affect users installing the tool with go get, which was never a recommended installation method.

The little things

09 Nov 23:29
Choose a tag to compare

Note: packagers building from source now need to set the version like -ldflags "-X main.Version=$VERSION"

  • Use sudo when necessary to install in system-wide NSS stores (#192)
  • Add a -version flag (#191)
  • Speed up macOS execution by 4x for most users (#135)
  • Minor usability improvements (#182, #178, #188)

macOS Catalina compatibility, URL and email SANs, and more

16 Aug 21:29
Choose a tag to compare

macOS 10.15 Catalina introduced certificate lifespan limits which block mkcert certificates. As a temporary measure, mkcert certificates now have a fixed notBefore date of June 1st, 2019. Once the ACME server is implemented, certificate lifespan will be shortened to 3 months. (#174)

Certificates generated by previous versions of mkcert after July 1st, 2019 will not work on macOS 10.15 Catalina, and will have to be regenerated. The root CA is unaffected and there is no need to rerun mkcert -install.

URL (#166) and email (for S/MIME, #152) SANs are now supported.

Client certificates are now created with a -client filename suffix, and they claim the serverAuth EKU as well as the clientAuth one.

The certificate subject now includes the full user name, like filippo@Bistromath.local (Filippo Valsorda).

SLES, OpenSUSE (#162), Snapcraft (#116), and CentOS 7 (#120) are now supported.

Linux release binaries are now fully static, and will work regardless of the system libc. (#169)

Miscellaneous advanced features

03 Feb 00:02
Choose a tag to compare

🔬 New advanced options:

  • -ecdsa to generate ECDSA private keys
  • -client to generate client certificates
  • -csr to sign certificate signing requests
  • $TRUST_STORES to select what stores to install into

Also, in other news:

  • Add "Firefox" support on macOS
  • Set the CommonName when generating PKCS#12 files for IIS

-cert-file, -key-file and -p12-file

07 Jan 00:14
Choose a tag to compare
  • Add -cert-file, -key-file and -p12-file flags
  • Add some helpful lines to docs and output
  • Fix Java failure modes on Windows

Support certutil as installed by MacPorts

25 Aug 22:29
Choose a tag to compare
nss: use certutil from $PATH if found on macOS (#71)

Fixes #70

Thanks to @hostep for testing and fixing the patch.

Four new minor supported targets

19 Aug 23:12
Choose a tag to compare
  • Support the Arch system root store
  • Support Java on Windows
  • Support the JRE root store
  • Support multiple CAs on Linux

Windows, Java and PKCS#12

13 Aug 04:39
Choose a tag to compare

A round of new supported root stores and formats, all contributions from the community.