devcert is a local TLS certificate management tool for development environments. It generates a Certificate Authority (CA), installs it into system and browser trust stores, and signs TLS certificates for local domains so that browsers trust your development HTTPS servers without security warnings.
Depending on which trust stores you want to use, the following tools must be available on your system:
- System store: requires `sudo` on Linux and macOS, or administrator privileges on Windows
- NSS (Firefox, Chromium on Linux): requires `certutil`, installable via `libnss3-tools` on Debian/Ubuntu or `nss-tools` on Fedora
- Java: requires `keytool`, which is bundled with any JDK; set `JAVA_HOME` or ensure `keytool` is on `PATH`
On Linux and macOS, the quickest way to install devcert is with the installer script:
```sh
curl -fsSL https://raw.githubusercontent.com/melvinotieno/devcert/main/install.sh | sh
```

The script detects your OS and architecture, downloads the appropriate binary from the latest release, verifies its SHA-256 checksum, and installs it to `/usr/local/bin`.

To install a specific version:

```sh
curl -fsSL https://raw.githubusercontent.com/melvinotieno/devcert/main/install.sh | sh -s -- 0.2.0
```

Download the binary for your platform from the releases page and place it in a directory on your `PATH`.
| Platform | Binary |
|---|---|
| Linux (x86_64) | devcert-linux-amd64 |
| Linux (ARM64) | devcert-linux-arm64 |
| macOS (Apple Silicon) | devcert-darwin-arm64 |
| macOS (Intel) | devcert-darwin-amd64 |
| Windows (x86_64) | devcert-windows-amd64.exe |
- Install the devcert CA and configure trust stores:

  ```sh
  devcert install
  ```

- In a project directory, create your first certificate:

  ```sh
  devcert init
  ```

- Point your development server at the generated key and certificate files (`.devcert/<name>.key` and `.devcert/<name>.crt`).
Sets up devcert for the first time or repairs an existing installation.
On first run, you are prompted to select which trust stores to use (System, NSS, Java) and to choose between a global CA (shared across all projects, stored in ~/.devcert/) or per-project CAs (each stored in the project's .devcert/ directory). The CA is then generated and installed into the selected trust stores.
On subsequent runs, the command verifies the CA is still valid and re-installs it if needed.
Initializes the current directory as a devcert project. Requires a CA to be set up first via devcert install if using a global CA.
The command prompts for a certificate name and a list of hosts, signs a leaf certificate, and writes the configuration to .devcert.toml. Certificate files are placed in a .devcert/ directory in the project root.
Hosts can be:
- Domain names: `localhost`, `myapp.test`, `*.example.com`
- IP addresses: `127.0.0.1`, `::1`
- Email addresses: `user@example.com`
- URIs: `https://example.com`
Regenerates all leaf certificates listed in the current project's .devcert.toml without changing their configuration. Use this to refresh certificates before they expire.
Removes the project CA from all trust stores and deletes its files. After untrusting the CA, devcert lists the leaf certificates that were signed by it (which are now invalid) and prompts whether to delete those files as well.
Located at ~/.devcert/config.toml. If the DEVCERT_HOME environment variable is set, that directory is used instead of ~/.devcert/.
```toml
[ca]
# Where the CA is stored: "global" (default) or "project"
# "global" uses a single CA shared across all projects, stored in ~/.devcert/
# "project" creates a dedicated CA per project, stored in .devcert/
root = "global"

[trust]
# Which trust stores to manage. Valid values: "system", "nss", "java"
# If empty, all available backends are used.
stores = ["system", "nss"]

[trust.java]
# Override the Java home directory used to locate keytool and cacerts.
# Defaults to auto-detection via JAVA_HOME or PATH.
home = "/usr/lib/jvm/java-21"

[trust.nss]
# Explicit list of NSS profile directories to update.
# Defaults to auto-discovery of Firefox and Chromium profiles.
profile_dirs = ["/home/user/.mozilla/firefox/abc.default"]
```

The CA registry is stored at `~/.devcert/registry.json` and tracks all CAs that devcert has created.
Located at .devcert.toml in the project root. Created by devcert init and updated by subsequent runs.
```toml
[[cert]]
name = "myapp"
hosts = ["localhost", "127.0.0.1", "myapp.test"]
key_path = ".devcert/myapp.key"
cert_path = ".devcert/myapp.crt"

[[cert]]
name = "api"
hosts = ["api.test"]
key_path = ".devcert/api.key"
cert_path = ".devcert/api.crt"
```

Multiple `[[cert]]` entries are supported. Each defines a separate leaf certificate. The `hosts` field accepts the same types as `devcert init`: domain names, IP addresses, email addresses, and URIs.
| Platform | System store | NSS | Java |
|---|---|---|---|
| Linux | Yes (requires sudo) | Yes (Firefox, Chromium) | Yes |
| macOS | Yes (requires sudo) | Yes (Firefox) | Yes |
| Windows | Yes (requires elevation) | Yes (Firefox only) | Yes |
On Windows, Chrome and Chromium use the System trust store rather than an NSS database, so only Firefox profiles are relevant for the NSS backend on that platform.
BSD-3-Clause. See LICENSE.