Background
I'm developing a web app. Persuading browsers to treat the test site like a live site so that testing can actually be done, seems to be the hard part.
My (lack of) Understanding
As I understand it, persuading browsers to trust a web app and allow things like access to the file system, location information, notifications (and other system-level stuff) requires an https connection and a TLS certificate that the browser trusts.
The browser will trust a certificate iff the Certificate Authority (CA) is in it's local list of CAs.
Chrome/Chromium (and most other browsers) uses the local system list of CAs, Firefox has it's own list.
What I've done / found
Various articles describe the problem and advocate mkcert:-
General articles:
Specifically for Linux and very comprehensive:
mkcert -install
The above command generates a new local CA and stores it in your home directory at ~/.local/share/mkcert and then, it adds this CA to your Linux system’s trust store so that the operating system recognizes any certificates signed by it as valid.
mkcert myapp.local
Once executed, mkcert will generate two files in your current directory: myapp.local.pem, which is the certificate, and myapp.local-key.pem, which is the private key.These files can be used directly with local web servers such as Nginx...
I have also found, localias:
Localias is a tool for developers to securely manage local aliases for development servers. Use Localias to redirect https://server.test→ http://localhost:3000 in your browser and on your command line.
Localias's proxy server, Caddy, automatically generates certificates for any secure aliases you'd like to make...If your browser reads from the system store to determine which certificate authorities to trust...
Suggesting Caddy can't 'handle' Firefox...?
And I stumbled upon, Auto Encrypt Localhost:
Auto Encrypt Localhost is similar to the Go utility mkcert but with the following important differences...
written in pure JavaScript for Node.js ... It uses enterprise policies on all platforms to get Firefox to include its certificate authority from the system trust store.
Questions
Some articles refer to "certificates" and some to "root certificates".
Are these terms interchangeable in this situation?Several articles refer to "adding a Certificate Authority to the system's trust store", but then go on to talk about installing certificates.
So is adding a Certificate Authority Root Certificate the way that we add a trusted Certificate Authority? Is that what adding a trusted CA means: adding a root certificate (to the certificate store) that is signed by that source?If so... Does this mean that we can add a trusted CA to Android devices by adding an
mkcertcertificate to the relevant trust stores?How to add a certificate to Android?
This article, Install root certificates on Android, says it can't be done without 'rooting' the Android device, or installing their special version of Android.
This article, System CA on Android: How to Install & Work Around Modern Restrictions, says that even if you manage to install a certificate, "the CA certificate landed as a user certificate (not trusted by the app) instead of a system certificate", and advocates using an app called 'Magisk'.
An answer to the very old StackOverflow question How to install trusted CA certificate on Android device?, recommends installing and using the native app Dory.
- Is there no way that browsers could make this issue less painful?