Yes indeed, and you can do just that. The API server is open-source[1], and it's been Dockerized. Anyone who's really paranoid should absolutely run the server themselves.
That's great! Thanks for open sourcing it. I really don't think there's much value though if it's not self-hosted -- it just adds another point of failure to the CA system.
Edit: what if this were built into Firefox? Could the certificate manager accommodate some UI improvements and an export feature?
Re building into Firefox: It absolutely could, and I'd love it if someone went ahead and did it. That would be a big coup for Mozilla and it simply can't be that hard to do. Hell, the Chrome guys could do it, mkcert is build on one of Adam Langley's tools anyway.
As for self-hosting, I think anyone who wants to deploy mkcert in anger should self-host, and I believe I've made it trivial to do that. There are some steps I can still take to improve this: I want to pin Mozilla's cert in the client so that it can't be MITM'd, for example.
7 comments
[ 2.8 ms ] story [ 25.4 ms ] threadBut seriously, great idea, but wouldn't this be better as a command-line tool installable via a package manager? At least then it could be audited.
[1]: https://github.com/Lukasa/mkcert
Edit: what if this were built into Firefox? Could the certificate manager accommodate some UI improvements and an export feature?
As for self-hosting, I think anyone who wants to deploy mkcert in anger should self-host, and I believe I've made it trivial to do that. There are some steps I can still take to improve this: I want to pin Mozilla's cert in the client so that it can't be MITM'd, for example.
Or you could just download debian's ca-certificates package and cat together all the .crt files you choose into a .pem. Much quicker & simpler.