
There's already a root requirement so that `mkcert -install` can deploy to the trust store. The problem is that after this point, the trust store is totally undermined, because the new CA's private key sits around unprotected.

I feel like this is a similar pitfall to how if you add a user to the `docker` group for convenience, you (perhaps unknowingly) gave that user root access to the host.

With this minor change, mkcert still retains its full function and convenience. Just type your password once in a blue moon when you need a certificate for a new fake real domain.



I don't think `mkcert -install` requires root in all cases. The NSS trust store is stored in ~/.pki/nssdb/ and can be written to without root.


Can you create/use a local CA as non-root too?


Is there no passphrase on these private keys? Especially the local CA?
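
Added example, not part of any comment in this thread and not mkcert's own code: a shell check for the concern raised above, reporting whether a local CA private key is passphrase-protected and who can read it. It assumes the key is the `rootCA-key.pem` file in the directory printed by `mkcert -CAROOT`; the function name `audit_ca_key` and the demo key file are constructed for illustration.

```shell
#!/bin/sh
# audit_ca_key DIR: report how the CA private key in DIR is protected.
# Prints one finding per line. Returns 0 (no findings), 1 (findings), 2 (no key).
audit_ca_key() {
    key="$1/rootCA-key.pem"   # file name used by mkcert for the CA key
    [ -f "$key" ] || { echo "no-key"; return 2; }
    findings=0

    # A passphrase-protected PEM key carries one of these markers:
    # PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header.
    if ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "unencrypted"
        findings=1
    fi

    # Octal mode: GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        *00) ;;   # no group/other permission bits set
        *) echo "group-or-world-accessible:$mode"; findings=1 ;;
    esac

    # A key owned by an ordinary user can be read by every process that
    # user runs, so each of them can issue locally trusted certificates.
    owner=$(stat -c '%u' "$key" 2>/dev/null || stat -f '%u' "$key")
    [ "$owner" = 0 ] || { echo "owned-by-non-root:$owner"; findings=1; }

    return "$findings"
}

# Demo on a constructed placeholder file (not a real key), so this runs offline.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$demo/rootCA-key.pem"
chmod 644 "$demo/rootCA-key.pem"
audit_ca_key "$demo" || true
rm -rf "$demo"

# On a machine with mkcert installed: audit_ca_key "$(mkcert -CAROOT)"
```
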



