Who Do You Trust?

Take control of your certificate trust store. No excuses.

Why mkcert.org?

TLS and SSL are vital for web security, but they're useless without a list of trusted root certificates. Root certificates identify who you trust unconditionally as well as who you trust to authenticate the legitimate owners of a website.

Modern browsers are making it easier to evaluate your list of trusted root certificate authorities. Yet finding and maintaining this list for non-browser tools can be a nightmare.

Projects like certifi.io have taken steps towards making this easier by providing Mozilla's list of trusted root certificates in a format that can be used by non-browser tools. However, it's far from perfect — it means you must trust everyone Mozilla trusts.

What is mkcert.org?

mkcert.org is the next step in letting you, not just Mozilla or other browser developers, decide who you trust. We focus on creating and maintaining methods for you to create your own custom list of root certificate authorities that you trust.

How do I use it?

Simple

mkcert.org provides a simple, clear, wget-able API for you to download PEM files for use with any tool that uses OpenSSL.

If you only want to trust Let's Encrypt and DigiCert, for example, you can get your custom PEM file by using the following cURL command:

curl https://mkcert.org/generate/dst+digicert

Alternatively, if you want to trust everyone except those two entities, you can get your PEM file by using the following cURL command:

curl https://mkcert.org/generate/all/except/dst+digicert

And if you just want to see all the certificates we have in our store, try this to view them all:

curl https://mkcert.org/labels/

Specific

The simple API is great, but the fuzzy matching can lead to unexpected results if you're not careful with your search strings. If you know exactly what certificates you want to include or exclude, we support that as well.

We have two endpoints: /generate/ and /generate/all/except/. To specify which certificates you'd like to include or exclude, provide a JSON-encoded list of exact certificate labels in the request body. These labels must exactly match the labels returned by the /labels/ endpoint.

For example, to build a PEM file containing the certificates "DigiCert Global Root G3" and "GTE CyberTrust Global Root", use the following command:

curl -d '["DigiCert Global Root G3", "GTE CyberTrust Global Root"]' https://mkcert.org/generate/

Similarly, to build a PEM file containing all the certificates but those, use this command:

curl -d '["DigiCert Global Root G3", "GTE CyberTrust Global Root"]' https://mkcert.org/generate/all/except/

How does it work?

Once a day, mkcert.org obtains the latest list of Mozilla's trusted root CA certificates. It parses the file, removes anything explicitly marked as untrusted, and then keeps the data in memory.

You can then query the data, view all the certificates, and choose which ones you'd like to trust. You can then use our API calls to build your own customised PEM files, containing only the certificates you'd like to trust.

You can then pass these PEM files to whatever tools you use, ensuring that they're only trusting exactly who you want to trust.
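
An added example, not part of mkcert.org's own code: because fuzzy matching can return more roots than intended, one way to check a downloaded PEM file before handing it to a tool is to compare each certificate's SHA-256 fingerprint against a set you pinned yourself from an independent source. The function names, the pinned set and the sample blocks (constructed placeholder bytes, not real X.509 certificates) are assumptions for illustration.

```python
import base64
import hashlib
import re

# Matches each certificate block; any text between blocks is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(bundle_text):
    """SHA-256 (hex) over the DER bytes of every certificate block in a bundle."""
    result = []
    for match in PEM_BLOCK.finditer(bundle_text):
        b64 = "".join(match.group(1).split())        # drop line breaks
        der = base64.b64decode(b64, validate=True)   # raises on corrupt base64
        result.append(hashlib.sha256(der).hexdigest())
    return result


def audit_bundle(bundle_text, pinned):
    """Return (unexpected, missing) fingerprints relative to the pinned set."""
    found = set(fingerprints(bundle_text))
    pinned = set(pinned)
    return sorted(found - pinned), sorted(pinned - found)


def bundle_is_exact(bundle_text, pinned):
    """True only if the bundle holds exactly the pinned roots, no more, no fewer."""
    unexpected, missing = audit_bundle(bundle_text, pinned)
    return not unexpected and not missing


def make_pem(der):
    """Wrap bytes in a PEM certificate envelope (used for the constructed samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes standing in for DER certificates.
ROOT_A = b"constructed root A " * 8
ROOT_B = b"constructed root B " * 8
ROOT_C = b"constructed root C " * 8   # a root the operator did not ask for
PINNED = {hashlib.sha256(ROOT_A).hexdigest(), hashlib.sha256(ROOT_B).hexdigest()}

if __name__ == "__main__":
    too_wide = make_pem(ROOT_A) + make_pem(ROOT_B) + make_pem(ROOT_C)
    unexpected, missing = audit_bundle(too_wide, PINNED)
    print("unexpected:", unexpected, "missing:", missing)
```

A response that contains no certificate blocks at all, such as an error page, fails the check because every pinned fingerprint is reported as missing.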

What if I don't trust you?

Your caution is commendable and understandable. The code that backs mkcert.org is totally open source, available to anyone. You can audit the code, and we invite you to do just that. If you would still rather limit trust to your own organization, or your application requires it, we encourage you to download the source, build it yourself, and run the service on your own hardware.

Give mkcert.org a try

We know security can be complicated and confusing, and you have specific security needs. We offer you a way to simplify without sacrificing safety, reliability, or predictability. Think of mkcert.org as a little artisan shop that makes custom trust stores. Just for you.