Security is no joke. mkcert.org takes security seriously—very seriously.
For this reason, the mkcert.org API is only available over HTTPS. If you attempt to use HTTP to access the API you'll be served a 403 Forbidden status code. If you attempt to reach this page over HTTP you'll be served a redirect, and an HSTS (HTTP Strict Transport Security) header will be sent to prevent you from trying to access this page over HTTP ever again.
HTTPS is used to obtain the certificate list from Mozilla as well.
These precautions make it extremely difficult to perform a Man-In-The-Middle (MITM) attack on mkcert.org. However, it's not impossible.
To protect yourself, we recommend storing the PEM file somewhere safe. By doing so, you strengthen your security and will avoid the need to repeatedly update the file. As a general guideline, you should only return once every few months to refresh the PEM file which updates expired or revoked certificates.
If you believe you've identified a vulnerability or security problem with either mkcert.org or mkcert, please report it responsibly. For security related problems, contact the maintainer using the email address provided on GitHub. For sensitive mail, encrypt with PGP using this PGP key.
mkcert.org is free, both as in speech and as in beer, now and always.
We believe that security should be accessible to everyone, and without ulterior motive. We will never advertise at you, we will never use tracking tools to follow you, and we will never profile your access via web server logs.
This commitment to privacy and security comes at a cost. Currently, we have very limited ability to respond personally to each bug. Please report bugs if you find them, and please know we do read and very much appreciate the reports. Please report issues in mkcert.org repo for website issues and mkcert repo for any API issues.
Contributions are welcome, as are feature requests.
The project owes a debt of gratitude to Adam Langley, whose work is the foundation on which this tool is built.
mkcert.org and the mkcert tool are maintained by Cory Benfield and other contributors.