tls-keygen
Advanced tools
Generate a self-signed TLS certificate and add it to the trusted certificate store.
Generates a self-signed, trusted TLS certificate that is accepted by browsers for localhost development.
The generated private key (key.pem) and public certificate (cert.pem) files are compatible with Node.js and most other servers.
The generated public certificate (cert.pem) file is added to the native certificate store on Windows, MacOS, and Linux for automatic HTTPS and HTTP/2 browser support.
| Chrome | Safari | Edge | Firefox | |
|---|---|---|---|---|
| MacOS | โ | โ | ||
| Windows | โ | โ | ||
| Linux | โ | โ |
Note: Linux support requires the certutil command to be installed. On Ubuntu and Debian, run: sudo apt-get install libnss3-tools
Easily use TLS in locally hosted websites. Using HTTP/2 or some web platform API's requires the page to be served from an https:// origin. This tool makes it easy to generate the necessary key & certificate files.
The generated certificates are not useful in production deployments on the public internet since they are self-signed and only for local addresses. However they could be used, in combination with local DNS hijacking (e.g. /etc/hosts overrides) to mimick production systems locally.
npx tls-keygen
npx tls-keygen "key.pem" "cert.pem" [--skip-entrust] [--add-san <name>]
The arguments key.pem and cert.pem are, optionally, the output destination filepaths for the TLS private key and public certificate respectively.
The --skip-entrust option generates the key & certificate pair without registering the certificate with the operating system certificate store.
The --add-san <name> option appends a single name for which this certificate is valid. The <name> value must be either a DNS hostname or IP address. This list is recorded in the certificate as the Subject Alternative Names (SAN).
| Type | Example |
|---|---|
| DNS | --add-san DNS:foo.local |
| IPv4 | --add-san IP:172.16.1.2 |
| IPv6 | --add-san IP:fe80::200:5aee:feaa:20a2 |
Key:
๐ /Users/seb/key.pem
Certificate:
๐ /Users/seb/cert.pem
Common Name:
- ๐ท localhost
Subject Alternative Names:
- ๐ท DNS:localhost
- ๐ท DNS:*.localhost
- ๐ท DNS:localhost.localdomain
- ๐ท IP:127.0.0.1
- ๐ท IP:0.0.0.0
- ๐ท IP:::1
- ๐ท IP:::
๐ Done!
keygen(options)const {keygen} = require('tls-keygen')
// Returns a promise that
// resolves with `key` and `cert` file paths.
const {key, cert} = await keygen({
// Default: ./key.pem
key: '/path/to/output/key.pem',
// Default: ./cert.pem
cert: '/path/to/output/cert.pem',
// Default: localhost
commonName: 'example.net',
// Default: [
// 'DNS:localhost',
// 'DNS:*.localhost',
// 'DNS:localhost.localdomain',
// 'IP:127.0.0.1',
// 'IP:0.0.0.0',
// 'IP:::1',
// 'IP:::'
// ]
subjectAltName: [
'DNS:example.net',
'DNS:www.example.net'
],
// Set to `false` to skip adding the certificate
// to the trusted certificate store.
// Default: true
entrust: false
})
The default options are exported for convenience.
const {
defaultKey,
defaultCert,
defaultCommonName,
defaultSubjectAltName
} = require('tls-keygen')
ephemeral(options)Convenience utility to generate a key & certificate for in-memory use only. Handy when writing tests that use TLS (e.g. HTTPS, HTTP/2).
Accepts the same options as keygen() (see above), except that the key and cert file paths are ignored.
Returns a promise that resolves to an object with fields key and cert that are two Buffers containing the raw key and certificate data.
const {ephemeral} = require('tls-keygen')
const {key, cert} = await ephemeral(options)
// key: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 50 ... >
// cert: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 ... >
Note: Firefox may require a restart to accept the certificate.
Usage with clients that do not support the native operating system certificate stores is the same as regular self-signed certificates.
rejectUnauthorized: false TLS option.--insecure option (alias: -k).key and cert options with tls.createServer, https.createServer, or http2.createSecureServerMade with ๐ by Sebastiaan Deckers in ๐ธ๐ฌ Singapore.
FAQs
Generate a self-signed TLS certificate and add it to the trusted certificate store.
We found that tls-keygen demonstrated a not healthy version release cadence and project activity because the last version was released a year ago.ย It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious PyPI checkers validate stolen emails against TikTok and Instagram APIs, enabling targeted account attacks and dark web credential sales.
Security News
The Node.js TSC opted not to endorse a feature bounty program, citing concerns about incentives, governance, and project neutrality.
Research
Security News
A look at the top trends in how threat actors are weaponizing open source packages to deliver malware and persist across the software supply chain.