
HTTPS — Local SSL with mkcert

Get a green padlock on your local sites. Most modern web APIs (camera, mic, service workers) require HTTPS even for dev.
mkcert creates your own private Certificate Authority on the machine, tells browsers to trust it, then signs certs your browsers accept. Magic for local dev.

Why mkcert (not self-signed)

Self-signed certs work but browsers scream red warnings. mkcert creates certs that browsers actually trust. Quick decode of what happens:

  • You run mkcert -install once
  • It creates a local CA (Certificate Authority) on your machine
  • It tells your browsers "trust certs signed by this CA"
  • Now every cert mkcert creates gets the green padlock, no warnings

You're basically running your own private mini-CA out of your bedroom. Cool flex.

Step 1: Install mkcert

sudo apt install mkcert libnss3-tools -y

libnss3-tools = provides certutil, which lets mkcert install its root CA into Firefox's separate trust store too.

Step 2: Install the local root CA

mkcert -install

This single command adds mkcert's root cert to your system trust store, Firefox, and Chromium. Browsers on this machine now auto-trust anything mkcert signs.

Step 3: Generate a cert for your local domains

sudo mkdir -p /etc/apache2/ssl
cd /etc/apache2/ssl
sudo mkcert medtrack.local sandbox.local localhost 192.168.0.19

Rename for sanity:

sudo mv medtrack.local+3.pem      home-dev.crt
sudo mv medtrack.local+3-key.pem  home-dev.key
sudo chmod 640 home-dev.key

Step 4: Enable SSL in Apache

sudo a2enmod ssl
sudo systemctl restart apache2

Step 5: Create an HTTPS vhost

sudo nano /etc/apache2/sites-available/medtrack-ssl.conf

Paste:

<VirtualHost *:443>
    ServerName medtrack.local
    DocumentRoot /home/erictey/server/medtrack

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/home-dev.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/home-dev.key

    <Directory /home/erictey/server/medtrack>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/medtrack-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/medtrack-ssl-access.log combined
</VirtualHost>

Enable, validate, reload:

sudo a2ensite medtrack-ssl
sudo apache2ctl -t
sudo systemctl reload apache2

From your Lubuntu desktop browser (or any browser where mkcert -install ran), hit https://medtrack.local/. You should see a green padlock with no warning. Click the padlock — it'll say "Connection is secure." That's real HTTPS on your home network.

Force HTTP → HTTPS

Edit the plain HTTP vhost to redirect:

<VirtualHost *:80>
    ServerName medtrack.local
    Redirect permanent / https://medtrack.local/
</VirtualHost>

Reload Apache. Plain HTTP now auto-bounces to HTTPS. Same pattern every production site uses.

Trust the cert on other devices

The mkcert root CA is only trusted on the machine that ran mkcert -install. To trust it elsewhere:

mkcert -CAROOT

That prints the folder path. Copy only the file rootCA.pem from it to each device (rootCA-key.pem in the same folder is the CA's private key and stays on this machine), then install:

  • Windows: double-click → Install → Local Machine → "Trusted Root Certification Authorities"
  • macOS: double-click → Keychain → set to "Always Trust" for SSL
  • iOS: AirDrop the file → install profile → Settings → General → About → Certificate Trust Settings → enable
  • Android: Settings → Security → Install certificate → CA cert. (Chrome on Android 7+ only trusts system CAs, can be annoying)

Build: Full HTTPS Migration

Goal: every project on your server runs over HTTPS with a green padlock.

  1. Re-run mkcert with all your domains: sudo mkcert medtrack.local sandbox.local localhost 192.168.0.19
  2. Move the new files to /etc/apache2/ssl/ with the names home-dev.crt and home-dev.key
  3. Create an HTTPS vhost for each project (copy + rename medtrack-ssl.conf as template)
  4. Add HTTP → HTTPS redirects on each plain vhost
  5. Verify each domain shows the green padlock
  6. Copy rootCA.pem to your Windows machine and install it
  7. Test from Windows browser: https://medtrack.local/ should show green padlock

This is local-dev only. For anything internet-facing (port forwarding etc.), use Let's Encrypt via certbot — free, real public CA, 90-day auto-renewing. Different tools, different tab someday.
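
A command-line check to go with step 5 of the build above, added here as an example (it is not part of the original tutorial or of mkcert). It confirms that the cert chains to the mkcert root, belongs to its key, keeps the key unreadable to other users, and covers every name the vhosts serve. The function name check_dev_cert is hypothetical, and the script assumes the openssl CLI and GNU stat are installed.

```shell
#!/bin/sh
# Added example: audit a mkcert-issued cert/key pair before pointing Apache at it.
# Usage: check_dev_cert CERT KEY ROOT_CA NAME...   (check_dev_cert is a hypothetical name)
# Returns 0 only if every check passes; prints one line per failed check.
check_dev_cert() {
    cert=$1 key=$2 ca=$3; shift 3
    rc=0

    # 1. The cert must chain to the local root CA that the browsers were told to trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert is not signed by $ca"; rc=1; }

    # 2. The key must belong to this cert (catches a mix-up after renaming or re-issuing).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; rc=1; }

    # 3. The private key must give no access to "other" users (octal mode ends in 0).
    mode=$(stat -c %a "$key" 2>/dev/null)
    case "$mode" in
        *0) ;;
        *)  echo "FAIL: $key has mode ${mode:-unknown}, others must have no access"; rc=1 ;;
    esac

    # 4. Every name a vhost serves must be in the cert's subjectAltName list.
    for name in "$@"; do
        case "$name" in
            *[!0-9.]*) flag=-checkhost ;;   # anything but digits and dots: DNS name
            *)         flag=-checkip ;;     # digits and dots only: IPv4 address
        esac
        openssl x509 -in "$cert" -noout "$flag" "$name" 2>/dev/null |
            grep -q 'does match' ||
            { echo "FAIL: $name is not covered by $cert"; rc=1; }
    done
    return "$rc"
}

# Run directly, e.g.: sudo sh check.sh /etc/apache2/ssl/home-dev.crt /etc/apache2/ssl/home-dev.key \
#   "$(mkcert -CAROOT)/rootCA.pem" medtrack.local sandbox.local localhost 192.168.0.19
if [ "$#" -ge 4 ]; then check_dev_cert "$@"; fi
```

Take rootCA.pem from the account that ran mkcert -install: mkcert keeps its CA folder per user, so a cert issued under a different account (for example via sudo) can chain to a different CA and fail check 1.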