This article is about adding your own root CA certificate to your local root trust stores. And by doing that all the certificates (intermediate or leaf) signed by that is automatically trusted because of the "chain of trust". I.e., when you have created one root certificate with mkcert you only have to add that once to the trust stores. And when you need to create new certificates you can do so successfully as long as those are signed by your root certificate.

What I want to achieve looks something like this (rendered by the amazing plantuml):

There's a lot of different CA (Certificate Authority) root trust stores, not all applications uses the system's, e.g., macOS Trust Store. So if you want some applications to trust your certificate you need to add it to those particular store. E.g., if you're use Google Chrome, you're good as of now, because it uses the system's store. But they are planning on creating their own in the future. Read about their "Root Program" here.

Out of scope of this article

I present multiple ways of installing certificates:

On all the commands below I use the $CERT variable which point to my root CA certificate I want to trust:


Install certificates using step

Smallstep supports adding root certs to multiple trust stores. This is a lot easier than doing it manually. As of now it supports the following stores:

brew install step
step certificate install --all $CERT

Even though I got an error when installing cert to Firefox... But if it works it will save you a lot of time 🙂