Security Notes - mkcert and HTTPS in CookieJar Lab
What mkcert Does
mkcert creates a local Certificate Authority (CA) and installs it into your operating system and browser trust stores. This lets it generate TLS certificates that your browser trusts without warnings - just like a real CA, but only on your machine.
Why This Matters
The CA private key lives on your disk. If an attacker gains access to it, they could:
- Generate trusted certificates for any domain (e.g., `google.com`, `yourbank.com`)
- Perform man-in-the-middle (MITM) attacks on HTTPS connections from your machine
- Intercept sensitive data without triggering browser warnings
This is the same risk as any local root CA - corporate proxy CAs work the same way.
Where the CA Key Lives
| Platform | Path |
|---|---|
| macOS | ~/Library/Application Support/mkcert/ |
| Linux | ~/.local/share/mkcert/ |
| Windows | %LOCALAPPDATA%\mkcert\ |
The directory contains `rootCA.pem` (public cert) and `rootCA-key.pem` (private key). The private key is what must be protected.
Safe Practices
- Always clean up when done. Run `./cleanup.sh` or `mkcert -uninstall` to remove the CA from your trust store.
- Never use mkcert on shared or public machines without cleaning up afterward. Other users on the machine could exploit the CA.
- Never commit `certs/` or the CA key to git. The `.gitignore` already excludes `certs/`. Double-check before pushing.
- The CA is local-only. It does not affect other machines on your network. Certificates generated by your mkcert CA will not be trusted by anyone else’s browser.
- Don’t leave the CA installed long-term. Install it when you need the lab, remove it when you’re done.
HTTP Alternative
The lab works fully over plain HTTP without mkcert. HTTPS is optional - it’s recommended for a more realistic demo, but every feature works in HTTP mode too.
To run in HTTP mode, skip `./setup.sh` and just run:

```sh
docker compose up --build
```
Why We Use .test
The `cookiejar.test` domain uses the `.test` top-level domain, which is reserved by the IETF (RFC 6761) for testing purposes. It:
- Cannot be registered as a real domain
- Will never resolve on the public internet
- Cannot be used for phishing or impersonation
- Only works because we add it to `/etc/hosts` locally
Cleanup Checklist
When you’re done with the lab:
- Run `./cleanup.sh` (removes CA + certs)
- Remove the `/etc/hosts` entry if added (`cleanup.sh` will remind you)
- Optionally: `docker compose down -v` to remove Docker volumes
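The key locations in the table above, the safe-practice list and this cleanup checklist can be turned into a quick post-lab audit. The script below is an added example written for these notes; it is not part of the CookieJar Lab, its `cleanup.sh`, or mkcert itself. It uses `mkcert -CAROOT` (mkcert's own flag for printing the CA directory) when mkcert is on `PATH` and otherwise falls back to the per-platform paths from the table (the Git Bash/MSYS branch for Windows is an assumption). The function names, the `OK`/`WARN`/`FAIL` labels and the return codes are the example's own conventions, not anything the lab defines.

```shell
#!/bin/sh
# Added example for this page (not part of the CookieJar Lab or of mkcert):
# audit what the lab leaves behind - the CA private key, the hosts entry
# and the certs/ directory. Return codes: 0 clean, 1 leftover state, 2 unsafe.

# Locate the mkcert CA directory. `mkcert -CAROOT` is mkcert's own flag for
# printing it; when mkcert is not on PATH, fall back to the per-platform
# defaults from the table above (the MSYS/Git Bash branch is an assumption).
mkcert_caroot() {
  if command -v mkcert >/dev/null 2>&1; then
    mkcert -CAROOT
    return 0
  fi
  case "$(uname -s)" in
    Darwin)               printf '%s\n' "$HOME/Library/Application Support/mkcert" ;;
    MINGW*|MSYS*|CYGWIN*) printf '%s\n' "${LOCALAPPDATA:-$HOME}/mkcert" ;;
    *)                    printf '%s\n' "$HOME/.local/share/mkcert" ;;
  esac
}

# Inspect rootCA-key.pem in the given CA directory.
# 0: no key present (CA removed); 1: key present with owner-only permissions
# (CA still installed); 2: key present and readable by other users.
check_ca_key() {
  key="$1/rootCA-key.pem"
  if [ ! -f "$key" ]; then
    echo "OK:   no CA private key at $key"
    return 0
  fi
  # GNU stat uses -c, BSD/macOS stat uses -f; try GNU first.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    400|600)
      echo "WARN: CA private key still present at $key (mode $mode); run mkcert -uninstall when done"
      return 1 ;;
    *)
      echo "FAIL: CA private key at $key is readable by other users (mode $mode)"
      return 2 ;;
  esac
}

# Look for an active (non-commented) cookiejar.test line in a hosts file.
# 1 if the lab entry is still there, 0 otherwise.
check_hosts_entry() {
  hosts_file="${1:-/etc/hosts}"
  if grep -Eq '^[^#]*[[:space:]]cookiejar\.test([[:space:]]|$)' "$hosts_file" 2>/dev/null; then
    echo "WARN: $hosts_file still maps cookiejar.test; remove the line"
    return 1
  fi
  echo "OK:   no cookiejar.test entry in $hosts_file"
  return 0
}

# Look for leftover PEM files in the lab's certs/ directory.
# 1 if any remain, 0 otherwise.
check_certs_dir() {
  certs_dir="${1:-certs}"
  if [ -d "$certs_dir" ] && ls "$certs_dir"/*.pem >/dev/null 2>&1; then
    echo "WARN: $certs_dir still contains PEM files; ./cleanup.sh should have removed them"
    return 1
  fi
  echo "OK:   no PEM files in $certs_dir"
  return 0
}

# Run all three checks against this machine; exit status is the worst result.
audit_all() {
  worst=0
  check_ca_key "$(mkcert_caroot)"; rc=$?; [ "$rc" -gt "$worst" ] && worst=$rc
  check_hosts_entry;               rc=$?; [ "$rc" -gt "$worst" ] && worst=$rc
  check_certs_dir;                 rc=$?; [ "$rc" -gt "$worst" ] && worst=$rc
  return "$worst"
}

# Only audit the real machine when invoked as `sh audit_mkcert.sh --run`.
if [ "${1:-}" = "--run" ]; then
  audit_all
fi
```

Run it from the lab directory with `sh audit_mkcert.sh --run` after `./cleanup.sh`; a non-zero exit means something from the checklist is still in place, and a `FAIL` line means the CA private key is exposed to other accounts on the machine, which is the scenario the "Why This Matters" section describes. The hosts check deliberately ignores commented-out lines, so a `# 127.0.0.1 cookiejar.test` left behind as a reminder does not count as an active mapping.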
A CyberDesserts project - Learn Cybersecurity By Doing