localca¶
A framework-free, mkcert-style local development CA for Go. Generate a
per-machine root, install it into the OS and browser trust stores, and mint
browser-trusted HTTPS certificates for localhost and LAN IPs — with zero manual
setup.
gitlab.com/phpboyscout/go/localca gives any Go tool trusted local HTTPS without the
"untrusted certificate" warning. On first run it mints a per-machine ECDSA root CA,
installs it into the system and NSS (Firefox/Chromium) trust stores, and issues
short-lived leaf certificates — surfaced as a
go/tls.Pair so any transport serves the
trusted cert unchanged.
It is Layer 1 of a two-layer TLS strategy for the phpboyscout tool family: a local CA that works offline forever, and the permanent CI / air-gapped fallback even once a public-ACME path exists.
Why¶
- One-liner first run.
EnsureServedensures the root exists and is trusted, then hands back a servablego/tls.Pair. Idempotent — an already-trusted root re-prompts nothing; a still-valid leaf is reused. - Never a shared key. Every install mints its own per-machine root, stored
0600. A bundled shared CA key would be a universal MITM key against every user, so one is never generated or shipped. See the trust model. - Framework-free. Typed
Config, an injectedafero.Fs, and an optional*slog.Logger— no config framework, no TUI, no OpenTelemetry. Adepfootprint_test.goguard keeps the dependency graph minimal.
Where next¶
- Getting started — serve trusted HTTPS from your tool in a dozen lines.
- Serve your tool over HTTPS locally — scopes, LAN binds, uninstall, and the certutil note.
- Trust & security model — the per-machine-root trade-off, consent, and why NSS is best-effort.
- API reference — full godoc on pkg.go.dev.
Part of the phpboyscout Go toolkit — small, framework-free Go modules for the phpboyscout tool family.