FiloSottile / mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.
https://mkcert.dev
BSD 3-Clause "New" or "Revised" License
48.83k stars 2.52k forks

Is it possible to create ONE certificate to be used by all of my local development? #383

Open Nefcanto opened 3 years ago

Nefcanto commented 3 years ago

I have a lot of websites and web apps. I'm using .local as my development TLD. For example:

This list is not known beforehand, thus I can't use SAN.

But is it possible to create ONE and ONLY ONE general *.* certificate that can be used by all of these local domains?

rfay commented 3 years ago

mkcert -h shows you how to create a cert with many domain names, including wildcards.

$ mkcert example.com myapp.dev localhost 127.0.0.1 ::1
Generate "example.com+4.pem" and "example.com+4-key.pem".

Just list all of your domains there.

Nefcanto commented 3 years ago

Thank you @rfay for answering.

The point is, I don't know the name of the domains. Thus I can't list them there. Does this command work?

mkcert *.*

rfay commented 3 years ago

No, you can't create certs without knowing the names of the domains you're creating the certs for.

I maintain ddev though, that does all this for you on the fly (using mkcert). Maybe that would be an option for you.

But no, you cannot use any tool to create an "Accept-anything" cert. This is about certs and how they work, it's not about mkcert. You'd have to write your own browser and neuter its capabilities to do that. It's called "http" instead of "https".

Nefcanto commented 3 years ago

OK, thank you. I understood. There is no possibility for a universal wildcard certificate to be used for development.

This means that I have to automate the certificate creation process somehow so that for each project I won't be required to create a certificate, update the Nginx config file, and create an entry in local DNS.

minecraftchest1 commented 3 years ago

You could try mkcert *.local. That should do a catch-all for everything under .local tld.

Nefcanto commented 3 years ago

@minecraftchest1 this is what I got:

Created a new certificate valid for the following names 📜

  • "*.local"
    Warning: many browsers don't support second-level wildcards like "*.local" ⚠️

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.local ℹ️

The certificate is at "/Temp/Local/Certificate.pem" and the key at "/Temp/Local/Key.pem" ✅

It will expire on 25 November 2023 🗓

So, this is not practical.

gaby commented 3 years ago

This is not doable, you can close the issue.

harryqt commented 2 years ago

> You could try mkcert *.local. That should do a catch-all for everything under .local tld.

This doesn’t work.

renatofrota commented 8 months ago

You can create a cert for *.dev.localhost. It works and should resolve internally.

app1.dev.localhost app2.dev.localhost etc...

will be all covered.

You can use anything else instead of dev if you prefer. It is there just to make a 3rd level wildcard (instead of a 2nd level one) and get accepted by browsers.
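
The one-level-deep wildcard rule discussed in this thread, as an added example that is not part of the original issue or of mkcert's code: it checks constructed SAN patterns against hostnames with Go's standard crypto/x509 verifier. The helper names covers and secondLevelWildcard are hypothetical; Go's verifier accepts *.local for app.local, so the second helper separately flags the pattern shape that the mkcert warning quoted above says many browsers don't support.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// covers reports whether a certificate whose only SAN is pattern is valid for
// host according to Go's crypto/x509 hostname verifier. VerifyHostname only
// consults the SAN fields, so a bare struct stands in for a parsed certificate.
func covers(pattern, host string) bool {
	cert := &x509.Certificate{DNSNames: []string{pattern}}
	return cert.VerifyHostname(host) == nil
}

// secondLevelWildcard reports whether pattern is "*." followed by exactly one
// plain label (for example "*.local"), the shape the quoted warning is about.
func secondLevelWildcard(pattern string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return false
	}
	rest := pattern[2:]
	return rest != "" && !strings.ContainsAny(rest, ".*")
}

func main() {
	// Constructed sample names, based on the ones mentioned in the thread.
	cases := []struct{ pattern, host string }{
		{"*.*", "app.local"},                      // only the left-most label may be "*"
		{"*.local", "app.local"},                  // one label: matches in Go
		{"*.local", "a.b.local"},                  // two labels: never matches
		{"*.dev.localhost", "app1.dev.localhost"}, // one label: matches
		{"*.dev.localhost", "a.b.dev.localhost"},  // two labels: never matches
		{"*.dev.localhost", "dev.localhost"},      // the parent name is not covered
	}
	for _, c := range cases {
		fmt.Printf("%-16s %-20s x509-match=%-5v second-level-wildcard=%v\n",
			c.pattern, c.host, covers(c.pattern, c.host), secondLevelWildcard(c.pattern))
	}
}
```
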