Cannot find duplicate root CA for development Safari claims to have

I use three Macs for development of a web application. On each of the Macs (macOS 14.4) I used mkcert to install a local CA and to issue developer certificates (all separately). Accessing the web app with https://localhost:8080 works fine on two Macs with all browsers, but on one Mac Safari claims to have another root CA for localhost which it does not trust. And I cannot override the trust settings.

Using Keychain Access I do not find this certificate. Safari shows it like this:

Scrolling down I can see DNS Names localhost, localhost.localdomain and lvl.me, so I suspect it is a leftover from trying to install a root CA before using mkcert.

The mkcert certificate looks like this and I can see it in the System keychain:

So Safari complains and I cannot tell it to trust the server certificate as the CA does not fit (I think). Firefox and Chrome open the website just fine after warning me and me telling them to do so.

I tried to find the wrong CA using Keychain Access and Terminal (security find-certificate -a -c localhost, security find-certificate -a -c lvh...) but in vain.

Where can I find this certificate and how can I delete it?

Replies

The strange certificate came from a settings error I made in the configuration file of the framework I use (Quasar). I got the https configuration for the development server wrong and Quasar issued an ad-hoc certificate instead of using the certificate I provided.

So my question boils down to why Safari won't let me accept the certificate on one of the Macs.

But maybe an even better solution for that last problem: I added the mkcert root CA and the certificate I signed with this CA to my keychain; now Safari accepts https connections to localhost.

I don’t have any answers to your direct question, but I have some recommendations for how to avoid problems like this:

  • Rather than working directly with a self-signed certificate, instead create a CA and have it issue certificates. You can then install the CA’s root certificate, and trust evaluation follows a well-trodden path.

  • Rather than issuing certificates for localhost, issue them for your Mac’s local DNS name. For example, if your Mac is called Guy Smiley its local DNS name will be guy-smiley.local. Again, that keeps you on a well-trodden path.

I discuss the specific steps involved in:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
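Quinn's two recommendations, as an added example that is not code from the thread, from mkcert or from Quasar: a self-signed root issues a server certificate whose SANs carry the Mac's .local name, and the trust evaluation a browser performs then succeeds only when that root is in the trust store and the requested host is among the SANs. It uses the Go standard library's crypto/x509; the CA names and "guy-smiley.local" are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue fills tmpl's common fields and has parent sign it for pub (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey, cn string) *x509.Certificate {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as mkcert does
	tmpl.Subject = pkix.Name{CommonName: cn}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(1, 0, 0)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

// newCA builds a self-signed root, the role the mkcert root CA plays on the Mac.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, pub, key, name), key
}

// issueLeaf has the CA sign a server certificate whose SANs are dnsNames,
// e.g. the Mac's constructed "guy-smiley.local" name rather than a bare "localhost".
func issueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, dnsNames []string) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // the server's key; only the certificate is examined here
	tmpl := &x509.Certificate{DNSNames: dnsNames, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return issue(tmpl, ca, pub, caKey, dnsNames[0])
}

// verify evaluates leaf for host against a trust store holding only root,
// the check a browser performs before it shows the page.
func verify(leaf *x509.Certificate, host string, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

A leaf signed by a root that is not in the store fails with an unknown-authority error, which is the situation the ad-hoc development-server certificate put Safari in; a store holding the right root but a host missing from the SANs fails on the hostname instead.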