# devcert - Development SSL made easy

So, running a local HTTPS server usually sucks. There's a range of approaches,
each with its own tradeoffs. The common one, using self-signed certificates,
means having to ignore scary browser warnings for each project.

devcert makes the process easy. Want a private key and certificate file to use
with your server? Just ask:

```js
import { createServer } from 'https';
import { readFileSync } from 'fs';
import * as express from 'express';
import getDevelopmentCertificate from 'devcert';

async function buildMyApp() {
  let app = express();

  app.get('/', function (req, res) {
    res.send('Hello Secure World!');
  });

  let ssl;
  if (process.env.NODE_ENV === 'development') {
    // Key and certificate for this app name, signed by devcert's local root CA
    ssl = await getDevelopmentCertificate('my-app', { installCertutil: true });
  } else {
    // Load production SSL here; these paths are placeholders
    ssl = {
      key: readFileSync('/path/to/production.key'),
      cert: readFileSync('/path/to/production.crt')
    };
  }

  return createServer(ssl, app).listen(3000);
}
```

Now open https://localhost:3000 and voila - your page loads with no scary
warnings or hoops to jump through.

> Certificates are cached by name, so two calls for
> `getDevelopmentCertificate('foo')` will return the same key and certificate.

### installCertutil option

devcert currently takes a single option: `installCertutil`. If true, devcert
will attempt to install some software necessary to tell Firefox (and Chrome on
Linux) to trust your development certificates. This is not required, but without
it, you'll need to tell Firefox to trust these certificates manually:

Firefox provides a point-and-click wizard for importing and trusting a
certificate, so if you don't provide `installCertutil: true` to devcert, we'll
instead open Firefox and kick off this wizard for you. Simply follow the prompts
to trust the certificate. **Reminder: you'll only need to do this once per
machine.**

**Note:** Chrome on Linux **requires** `installCertutil: true`, or else you'll
face the scary browser warnings every time. Unfortunately, there's no way to
tell Chrome on Linux to trust a certificate without installing certutil.

The software installed varies by OS:

* Mac: `brew install nss`
* Linux: `apt install libnss3-tools`
* Windows: N/A

## How it works

When you ask for a development certificate, devcert will first check to see if
it has run on this machine before. If not, it will create a root certificate
authority and add it to your OS and various browser trust stores. You'll likely
see password prompts from your OS at this point to authorize the new root CA.
This is the only time you'll see these prompts.

This root certificate authority allows devcert to create a new SSL certificate
whenever you want without needing to ask for elevated permissions again. It also
ensures that browsers won't show scary warnings about untrusted certificates,
since your OS and browsers will now trust devcert's certificates. The root CA
certificate is unique to your machine only, and is generated on-the-fly when it
is installed.
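
The root-CA-then-leaf flow described above can be reproduced with the `openssl`
CLI. This is an added illustration, not devcert's own code; the file names,
subject names and 30-day lifetimes are constructed for the example.

```shell
#!/bin/sh
# Added illustration (not devcert's code): a per-machine root CA that signs
# per-app leaf certificates. All names and paths here are constructed.

# make_root_ca DIR: create a throwaway root CA key and self-signed cert in DIR.
make_root_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example-dev-root-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"   # whoever can read this key can mint trusted certs
}

# issue_leaf DIR NAME: sign a server cert for localhost with DIR's root CA.
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# leaf_trusted CA_CERT LEAF_CERT: exit 0 only if LEAF_CERT chains to CA_CERT.
leaf_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  a=$(mktemp -d); b=$(mktemp -d)   # two separate "machines"
  make_root_ca "$a" && make_root_ca "$b" && issue_leaf "$a" my-app || return 1
  leaf_trusted "$a/ca.crt" "$a/my-app.crt" && echo "machine A trusts my-app"
  leaf_trusted "$b/ca.crt" "$a/my-app.crt" || echo "machine B rejects my-app"
  rm -rf "$a" "$b"
}
demo
```

The second check fails even though both roots carry the same subject name, because trust follows the CA key rather than the name. That is why the root key file deserves the same protection as any other credential on the machine.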

## License

MIT © [Dave Wasmer](http://davewasmer.com)