| 1 | # devcert - Development SSL made easy
|
| 2 |
|
| 3 | So, running a local HTTPS server usually sucks. There's a range of approaches,
|
| 4 | each with their own tradeoff. The common one, using self-signed certificates,
|
| 5 | means having to ignore scary browser warnings for each project.
|
| 6 |
|
| 7 | devcert makes the process easy. Want a private key and certificate file to use
|
| 8 | with your server? Just ask:
|
| 9 |
|
| 10 | ```js
|
| 11 | import { createServer } from 'https';
|
| 12 | import * as express from 'express';
|
| 13 | import getDevelopmentCertificate from 'devcert';
|
| 14 |
|
| 15 | async function buildMyApp() {
|
| 16 | let app = express();
|
| 17 |
|
| 18 | app.get('/', function (req, res) {
|
| 19 | res.send('Hello Secure World!');
|
| 20 | });
|
| 21 |
|
| 22 | let ssl;
|
| 23 | if (process.env.NODE_ENV === 'development') {
|
| 24 | ssl = await getDevelopmentCertificate('my-app', { installCertutil: true });
|
| 25 | } else {
|
| 26 | ssl = // load production ssl ...
|
| 27 | }
|
| 28 |
|
| 29 | return createServer(ssl, app).listen(3000);
|
| 30 | }
|
| 31 | ```
|
| 32 |
|
| 33 | Now open https://localhost:3000 and voila - your page loads with no scary
|
| 34 | warnings or hoops to jump through.
|
| 35 |
|
| 36 | > Certificates are cached by name, so two calls for
|
| 37 | `getDevelopmentCertificate('foo')` will return the same key and certificate.
|
| 38 |
|
| 39 | ### installCertutil option
|
| 40 |
|
| 41 | devcert currently takes a single option: `installCertutil`. If true, devcert
|
| 42 | will attempt to install some software necessary to tell Firefox (and Chrome on
|
| 43 | Linux) to trust your development certificates. This is not required, but without
|
| 44 | it, you'll need to tell Firefox to trust these certificates manually:
|
| 45 |
|
| 46 | Firefox provides a point-and-click wizard for importing and trusting a
|
| 47 | certificate, so if you don't provide `installCertutil: true` to devcert, we'll
|
| 48 | instead open Firefox and kick off this wizard for you. Simply follow the prompts
|
| 49 | to trust the certificate. **Reminder: you'll only need to do this once per
|
| 50 | machine**
|
| 51 |
|
| 52 | **Note:** Chrome on Linux **requires** `installCertutil: true`, or else you'll
|
| 53 | face the scary browser warnings every time. Unfortunately, there's no way to
|
| 54 | tell Chrome on Linux to trust a certificate without install certutil.
|
| 55 |
|
| 56 | The software installed varies by OS:
|
| 57 |
|
| 58 | * Mac: `brew install nss`
|
| 59 | * Linux: `apt install libnss3-tools`
|
| 60 | * Windows: N/A
|
| 61 |
|
| 62 | ## How it works
|
| 63 |
|
| 64 | When you ask for a development certificate, devcert will first check to see if
|
| 65 | it has run on this machine before. If not, it will create a root certificate
|
| 66 | authority and add it to your OS and various browser trust stores. You'll likely
|
| 67 | see password prompts from your OS at this point to authorize the new root CA.
|
| 68 | This is the only time you'll see these prompts.
|
| 69 |
|
| 70 | This root certificate authority allows devcert to create a new SSL certificate
|
| 71 | whenever you want without needing to ask for elevated permissions again. It also
|
| 72 | ensures that browsers won't show scary warnings about untrusted certificates,
|
| 73 | since your OS and browsers will now trust devcert's certificates. The root CA
|
| 74 | certificate is unique to your machine only, and is generated on-the-fly when it
|
| 75 | is installed.
|
| 76 |
|
| 77 | ## License
|
| 78 |
|
| 79 | MIT © [Dave Wasmer](http://davewasmer.com)
|