mkcert Web UI

mkcert Web UI provides a browser-based interface for the mkcert CLI to create and manage locally-trusted development TLS/SSL certificates. It exposes certificate generation, downloads, monitoring, and a built-in SCEP enrollment service while enforcing input validation and rate limits for security.

Key Features

• Certificate generation for multiple domains and IPs with PEM, CRT and password-protected PFX (PKCS#12) output
• Built-in SCEP server supporting GetCACert and GetCACaps for automated device enrollment and challenge-based authentication
• Enterprise-grade protections: allowlist command validation, path traversal prevention, filename validation, input sanitization, and multi-tier rate limiting
• Flexible authentication: basic auth and OpenID Connect SSO support; session secret configuration
• Certificate monitoring with configurable warning/critical thresholds and automated email notifications for expiring certificates
• Docker and docker-compose deployment support and a simple HTTP API for generate, list, download, and monitoring endpoints

Use Cases

• Centralize generation and distribution of development TLS certificates for local networks and developer teams
• Automate certificate provisioning on devices using the SCEP service for managed device enrollment
• Monitor certificate expiry across development assets and send email alerts to administrators

Limitations and Considerations

• Requires the mkcert CLI and local trust of the mkcert root CA; initial root CA installation is a prerequisite
• No built-in hardware security module (HSM) or remote CA integration; keys and certificates are stored on local filesystem by default
• Exposing SCEP or the management UI publicly requires careful network and authentication configuration to avoid security risks

mkcert Web UI is suited for teams and developers who need an accessible UI to run mkcert at scale in development environments. It simplifies certificate workflows while retaining the underlying mkcert trust model and operational constraints.