Skip to content


Repository files navigation

Mkcert is a web service that allows you to build customised TLS trust stores.

Currently mkcert is just an API with no pretty frontend. That's in the works.


mkcert has the following endpoints:

GET /labels/

Returns a JSON object containing one key (Certificates) whose value is a list of all the certificate labels in the default trust store. Each of the items in the list can be passed to the other API endpoints to refer to a certificate.

GET /generate/<certs>

Builds a PEM file containing only the root certificates specified. The format of <certs> is a +-separated string. This string will be used to perform 'fuzzy-ish' matching to certificate labels. For example, if one of your <certs> strings is comodo, any label that contains the sequence of characters comodo (case-insensitively) will match.

Therefore, to build a .pem file that contains any GeoTrust certificate and any QuoVadis certificate, you would issue a GET request to /generate/geotrust+quovadis

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.

GET /generate/all/except/<certs>

Builds a PEM file containing all root certificates except the root certificates specified. The format of <certs> is a +-separated string. This string will be used to perform 'fuzzy-ish' mapping to certificate labels. For example, if one of your <certs> strings is comodo, any label that contains the sequence of characters comodo (case-insensitively) will match.

Therefore, to build a .pem file that contains everything but any GeoTrust certificates and any QuoVadis certificates, you would issue a GET request to /generate/all/except/geotrust+quovadis.

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.

POST /generate/

Builds a PEM file containing only the root certificates specified. The root certs are specified in the request body. The format of the request body is a JSON list of exact labels to include. That is, to generate a .pem file that contains only the "GeoTrust Global CA" and the "QuoVadis Root CA", you would POST the following body:

["GeoTrust Global CA", "QuoVadis Root CA"]

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.

POST /generate/all/except/

Builds a PEM file containing all but the root certificates specified. The root certs are specified in the request body. The format of the request body is a JSON list of exact labels to include. That is, to generate a .pem file that contains all the certs except the "GeoTrust Global CA" and the "QuoVadis Root CA", you would POST the following body:

["GeoTrust Global CA", "QuoVadis Root CA"]

The response to this request has the body formatted exactly like a .pem file, suitable for saving immediately.

License is made available under the Apache 2.0 License. See LICENSE for more details.


Customised trust stores for you and your family.







No releases published


No packages published