A secure, modern web interface for managing SSL certificates using the mkcert CLI tool. Generate, download, and manage local development certificates with enterprise-grade security and an intuitive web interface.
- Certificate Generation: Create certificates for multiple domains and IP addresses
- SCEP Service: Simple Certificate Enrollment Protocol for automatic device enrollment
- Enterprise Security: Command injection protection, path traversal prevention, and comprehensive rate limiting
- Multiple Formats: Generate PEM, CRT, and PFX (PKCS#12) certificates
- Flexible Authentication: Basic auth and OpenID Connect SSO support
- Email Notifications: Automated SMTP alerts for expiring certificates
- Certificate Monitoring: Automatic monitoring with configurable warning periods
- Modern UI: Dark/light themes with responsive design
- Docker Ready: Complete containerization with docker-compose
Modern web interface showing certificate generation and management features
https://hub.docker.com/r/jeffcaldwellca/mkcertweb
```bash
# Clone and start
git clone https://github.com/jeffcaldwellca/mkcertWeb.git
cd mkcertWeb
docker-compose up -d
# Access at http://localhost:3000
```

```bash
# Prerequisites: Node.js 16+, mkcert, OpenSSL
npm install
mkcert -install # First time only
npm start
```

For detailed setup instructions, see DOCKER.md
```bash
# Server
PORT=3000
ENABLE_HTTPS=true
HTTPS_PORT=3443
# Authentication
ENABLE_AUTH=true
AUTH_USERNAME=admin
AUTH_PASSWORD=your-password
SESSION_SECRET=your-random-secret
# OpenID Connect (Optional)
ENABLE_OIDC=false
OIDC_ISSUER=https://your-provider.com
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-secret
# Email Notifications
EMAIL_NOTIFICATIONS_ENABLED=true
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your-email@domain.com
SMTP_PASSWORD=your-app-password
EMAIL_FROM=mkcert@yourcompany.com
EMAIL_TO=admin@company.com,ops@company.com
# Certificate Monitoring
CERT_MONITORING_ENABLED=true
CERT_CHECK_INTERVAL=0 8 * * * # Daily at 8 AM
CERT_WARNING_DAYS=30
CERT_CRITICAL_DAYS=7
```

Common SMTP Providers:
- Gmail: `smtp.gmail.com:587` (use App Password)
- Outlook: `smtp-mail.outlook.com:587`
- Exchange: `mail.yourcompany.com:587`
See .env.example for all configuration options.
- Access `http://localhost:3000`
- Login with configured credentials (default: admin/admin)
- Enter domains (one per line) and select format
- Download certificates in PEM, CRT, or PFX format
- Manage certificates: view, archive, or restore
Built-in SCEP (Simple Certificate Enrollment Protocol) server for automatic certificate enrollment on iOS, macOS, Windows, and other SCEP-compatible devices.
- Automatic Enrollment: Devices can automatically request certificates
- Challenge Authentication: Secure enrollment with time-limited challenge passwords
- Standard Compliance: Implements GetCACert and GetCACaps operations
- Web Management: `/scep.html` interface for managing SCEP operations
For detailed SCEP configuration, see SCEP.md
- Command Injection Protection: Strict allowlist-based command validation
- Path Traversal Prevention: Comprehensive file access validation
- Input Sanitization: All user inputs validated and sanitized
- Filename Validation: Prevents malicious filename patterns and null byte attacks
- CLI Operations: 10 per 15 minutes
- API Requests: 100 per 15 minutes
- Authentication: 5 attempts per 15 minutes
- General Access: 200 requests per 15 minutes
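As an added illustration of the input validation listed above (hypothetical helpers written for this page, not mkcertWeb's own source): one function confines a `/download/:filename` value to the certificate directory, the other turns user-supplied names into an mkcert argument array. The extension set, the 50-name limit, and both function names are assumptions.

```javascript
// Added example: hypothetical helpers, not mkcertWeb's actual source.
const path = require('path');
const net = require('net');

// Assumed set of downloadable extensions, taken from the formats this README lists.
const ALLOWED_EXT = new Set(['.pem', '.crt', '.key', '.pfx']);
// One hostname: optional "*." then dot-separated labels that start and end alphanumeric.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp(`^(?=.{1,253}$)(?:\\*\\.)?${LABEL}(?:\\.${LABEL})*$`, 'i');

// Map the :filename of /download/:filename to a path inside baseDir, or null.
function safeDownloadPath(baseDir, filename) {
  if (typeof filename !== 'string' || filename.length === 0 || filename.length > 255) return null;
  if (filename.includes('\0')) return null;                 // null byte truncation
  if (/[\\/]/.test(filename) || filename.startsWith('.')) return null; // separators, "..", dotfiles
  if (!/^[A-Za-z0-9._+-]+$/.test(filename)) return null;    // allowlist of characters
  if (!ALLOWED_EXT.has(path.extname(filename).toLowerCase())) return null;
  const root = path.resolve(baseDir);
  const full = path.resolve(root, filename);
  // Defense in depth: the resolved path must still sit under the certificate directory.
  return full.startsWith(root + path.sep) ? full : null;
}

// Build the argument array for mkcert from user-supplied names.
// Anything that is not an IP address or hostname throws, which also rejects
// values starting with "-" that mkcert would read as an option.
function buildMkcertArgs(domains, certFile, keyFile) {
  if (!Array.isArray(domains) || domains.length === 0 || domains.length > 50) {
    throw new Error('expected 1 to 50 names'); // the limit of 50 is an assumption
  }
  const names = domains.map((d) => String(d).trim());
  for (const name of names) {
    if (net.isIP(name) === 0 && !HOSTNAME_RE.test(name)) {
      throw new Error(`rejected name: ${JSON.stringify(name)}`);
    }
  }
  return ['-cert-file', certFile, '-key-file', keyFile, ...names];
}
```

Pass the returned array to `child_process.execFile('mkcert', args)` rather than assembling a command string, so no shell ever parses the names.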
| Method | Endpoint | Description |
|---|---|---|
| GET | `/api/status` | System status and mkcert installation |
| POST | `/api/generate` | Generate new certificates |
| GET | `/api/certificates` | List all certificates |
| GET | `/download/:filename` | Download certificate files |
| GET | `/api/email/status` | Email configuration status |
| POST | `/api/email/test` | Send test email |
| GET | `/api/monitoring/status` | Certificate monitoring status |
| GET | `/api/monitoring/expiring` | List expiring certificates |
Example:

```bash
curl -X POST http://localhost:3000/api/generate \
  -H "Content-Type: application/json" \
  -d '{"domains":["localhost","127.0.0.1"],"format":"pem"}'
```

```
mkcertWeb/
├── server.js          # Main application entry point
├── src/
│   ├── config/        # Configuration management
│   ├── security/      # Security utilities
│   ├── middleware/    # Express middleware
│   ├── routes/        # Route handlers
│   ├── services/      # Email and monitoring services
│   └── utils/         # Utility functions
├── public/            # Frontend static assets
├── certificates/      # Certificate storage
└── .env.example       # Environment configuration template
```
- View Details: Domain coverage, expiry dates, file sizes
- Download: Individual files, ZIP bundles, or PFX format
- PFX Generation: Create password-protected PKCS#12 files on-demand
- Delete: Remove certificates (root certificates are protected)
- System Status: View Root CA information and installation status
```bash
# Clone and setup
git clone https://github.com/jeffcaldwellca/mkcertWeb.git
cd mkcertWeb
npm install
mkcert -install # First time only
# Development modes
npm start # HTTP only
npm run dev # HTTP with auto-restart
npm run https-dev # HTTPS with auto-restart
```

```bash
# Copy example configuration
cp .env.example .env
# Edit .env file
ENABLE_AUTH=true
AUTH_USERNAME=your-username
AUTH_PASSWORD=your-secure-password
SESSION_SECRET=your-very-long-random-secret-key
```

Note: Always use a strong SESSION_SECRET in production and enable HTTPS when authentication is enabled.
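A pre-start check that enforces the note above, as an added example (a hypothetical script, not part of mkcertWeb): it parses `.env` text and flags disabled auth, auth without HTTPS, the documented `admin/admin` default or README placeholder values, and a weak `SESSION_SECRET`. The 32-character minimum and the function names are assumptions.

```javascript
// Added example: a hypothetical pre-start check, not part of mkcertWeb.
// Placeholder values are the ones shown in this README's sample configuration.
const PLACEHOLDERS = new Set(['admin', 'your-password', 'your-secure-password',
  'your-random-secret', 'your-very-long-random-secret-key', 'your-secret']);
const MIN_SECRET_LENGTH = 32; // assumed threshold, not a project setting

// Parse KEY=VALUE lines; comment lines and blanks do not match and are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) env[m[1]] = m[2];
  }
  return env;
}

// Return a list of { key, issue } findings; an empty list means nothing was flagged.
function auditEnv(env) {
  const findings = [];
  const on = (k) => String(env[k] || '').toLowerCase() === 'true';
  const flag = (key, issue) => findings.push({ key, issue });

  if (!on('ENABLE_AUTH')) flag('ENABLE_AUTH', 'authentication is disabled');
  if (on('ENABLE_AUTH') && !on('ENABLE_HTTPS')) {
    flag('ENABLE_HTTPS', 'credentials and session cookies travel over plain HTTP');
  }
  const pw = env.AUTH_PASSWORD || '';
  if (on('ENABLE_AUTH') && (pw === '' || PLACEHOLDERS.has(pw) || pw === env.AUTH_USERNAME)) {
    flag('AUTH_PASSWORD', 'unset, placeholder, or same as the username');
  }
  const secret = env.SESSION_SECRET || '';
  if (on('ENABLE_AUTH') && (PLACEHOLDERS.has(secret) || secret.length < MIN_SECRET_LENGTH)) {
    flag('SESSION_SECRET', `placeholder or shorter than ${MIN_SECRET_LENGTH} characters`);
  }
  if (on('ENABLE_OIDC') && PLACEHOLDERS.has(env.OIDC_CLIENT_SECRET || '')) {
    flag('OIDC_CLIENT_SECRET', 'placeholder client secret');
  }
  return findings;
}

// Constructed sample input, mirroring the README defaults.
const SAMPLE_ENV = 'ENABLE_AUTH=true\nAUTH_USERNAME=admin\nAUTH_PASSWORD=admin\n' +
  '# comment line\nSESSION_SECRET=your-random-secret\nPORT=3000\n';
```

Running `auditEnv(parseEnv(SAMPLE_ENV))` reports `ENABLE_HTTPS`, `AUTH_PASSWORD`, and `SESSION_SECRET`; a deployment script can refuse to start the server while the list is non-empty.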
| Issue | Solution |
|---|---|
| mkcert not found | `which mkcert && mkcert -version` |
| Permission denied | `sudo chown -R $(whoami):$(whoami) certificates/` |
| Port already in use | `PORT=3001 npm start` |
| CA installation issues | `mkcert -install && ls -la $(mkcert -CAROOT)` |
| Browser trust issues | Clear cache, restart browser after CA installation |
- Fork the repository
- Create a feature branch: `git checkout -b feature/new-feature`
- Commit changes: `git commit -am 'Add new feature'`
- Push to branch: `git push origin feature/new-feature`
- Submit a pull request
This project is licensed under the GPLv3 License - see the LICENSE file for details.
- mkcert - Simple tool for making locally-trusted development certificates
- Express.js - Web application framework
- Node.js - JavaScript runtime
- Issues: GitHub Issues
- Documentation: README.md, DOCKER.md, SCEP.md
- Discussions: GitHub Discussions
