The EKU logic is now simpler, and it follows the following rules
- if an IP address, DNS name, or URI SAN is present, serverAuth is included
-clientis used, clientAuth is included
- if an email address SAN in present, emailProtection is included
Certificate generation based on CSRs is now consistent with standard certificate generation.
Releases are now built from GitHub Actions.
- Reduce certificate lifetime to 2 years and 3 months
- Detect various flavors of Firefox (#225, #280)
- Build release binary for linux/arm64 (#284)
The Go import path of the module is now filippo.io/mkcert, which should only affect users installing the tool with
go get, which was never a recommended installation method.
Note: packagers building from source now need to set the version like
-ldflags "-X main.Version=$VERSION"
macOS 10.15 Catalina introduced certificate lifespan limits which block mkcert certificates. As a temporary measure, mkcert certificates now have a fixed notBefore date of June 1st, 2019. Once the ACME server is implemented, certificate lifespan will be shortened to 3 months. (#174)
Certificates generated by previous versions of mkcert after July 1st, 2019 will not work on macOS 10.15 Catalina, and will have to be regenerated. The root CA is unaffected and there is no need to rerun
Client certificates are now created with a
-client filename suffix, and they claim the serverAuth EKU as well as the clientAuth one.
The certificate subject now includes the full user name, like
filippo@Bistromath.local (Filippo Valsorda).
Linux release binaries are now fully static, and will work regardless of the system libc. (#169)
-ecdsato generate ECDSA private keys
-clientto generate client certificates
-csrto sign certificate signing requests
$TRUST_STORESto select what stores to install into
Also, in other news:
- Add "Firefox Nightly.app" support on macOS
- Set the CommonName when generating PKCS#12 files for IIS
- Add some helpful lines to docs and output
- Fix Java failure modes on Windows
nss: use certutil from $PATH if found on macOS (#71) Fixes #70 Thanks to @hostep for testing and fixing the patch.
- Support the Arch system root store
- Support Java on Windows
- Support the JRE root store
- Support multiple CAs on Linux
A round of new supported root stores and formats, all contributions from the community.