local-ssl
Generate locally-trusted HTTPS certificates for development. Pure Rust, no OpenSSL dependency.
Installation
cargo install local-ssl
# Prerequisites (for system trust):
# macOS: (bundled)
# Linux: update-ca-certificates
# Windows: certutilQuick start
1
Initialize CA
$ sudo local-ssl init2
Generate cert
$ sudo local-ssl generate myapp.test3
Test HTTPS
$ curl --cacert /etc/local-ssl/ca-cert.pem https://myapp.test/4
Generate with SANs
$ sudo local-ssl generate api.test www.testCommands
local-ssl initInitialize CA and install system trustlocal-ssl generate <domains>Generate HTTPS certificates--outputlocal-ssl listList all generated certificateslocal-ssl show <domain>Show certificate detailslocal-ssl trustReinstall CA system trustlocal-ssl statusShow CA and certificate statuslocal-ssl check <domain>Check local cert or remote server (host:port)local-ssl telemetry statusView telemetry settingslocal-ssl telemetry enableEnable anonymous usage telemetrylocal-ssl telemetry disableDisable anonymous usage telemetryCA Management
The Certificate Authority is generated once and stored at /etc/local-ssl/. The CA certificate is valid for 10 years. Server certificates are valid for 1 year.
# Check CA status
local-ssl status
# Reinstall system trust
sudo local-ssl trust
# CA files:
# /etc/local-ssl/ca-key.pem
# /etc/local-ssl/ca-cert.pem
# /etc/local-ssl/certs/<domain>/Integration with local-dns
local-ssl pairs seamlessly with local-dns for complete local development infrastructure.
# 1. Add DNS entry
local-dns add myapp.test 127.0.0.1
# 2. Generate HTTPS cert
sudo local-ssl generate myapp.test
# 3. Access via HTTPS
curl https://myapp.test/
# 4. Your local server
node server.js --key /etc/local-ssl/certs/myapp.test/key.pem \
--cert /etc/local-ssl/certs/myapp.test/cert.pemSecurity Notes
All certificates generated by local-ssl are for local development only. The CA certificate should never be distributed or trusted outside your development machine.
The tool uses rcgen for certificate generation — a pure Rust implementation with no OpenSSL FFI dependency. Keys are stored as PEM files with 600 permissions.