Skip to content

localca

A framework-free, mkcert-style local development CA for Go. Generate a per-machine root, install it into the OS and browser trust stores, and mint browser-trusted HTTPS certificates for localhost and LAN IPs — with zero manual setup.

go get gitlab.com/phpboyscout/go/localca

gitlab.com/phpboyscout/go/localca gives any Go tool trusted local HTTPS without the "untrusted certificate" warning. On first run it mints a per-machine ECDSA root CA, installs it into the system and NSS (Firefox/Chromium) trust stores, and issues short-lived leaf certificates — surfaced as a go/tls.Pair so any transport serves the trusted cert unchanged.

It is Layer 1 of a two-layer TLS strategy for the phpboyscout tool family: a local CA that works offline forever, and the permanent CI / air-gapped fallback even once a public-ACME path exists.

Why

  • One-liner first run. EnsureServed ensures the root exists and is trusted, then hands back a servable go/tls.Pair. Idempotent — an already-trusted root re-prompts nothing; a still-valid leaf is reused.
  • Never a shared key. Every install mints its own per-machine root, stored 0600. A bundled shared CA key would be a universal MITM key against every user, so one is never generated or shipped. See the trust model.
  • Framework-free. Typed Config, an injected afero.Fs, and an optional *slog.Logger — no config framework, no TUI, no OpenTelemetry. A depfootprint_test.go guard keeps the dependency graph minimal.

Where next


Part of the phpboyscout Go toolkit — small, framework-free Go modules for the phpboyscout tool family.