# mkcert CA Key Security Policy
## Rule
The mkcert root CA private key (rootCA-key.pem) MUST never be shared, committed to Git, or mounted into containers. Only the CA certificate (rootCA.pem) may be distributed.
## Format
```bash
# Safe: share the CA certificate for trust
cp "$(mkcert -CAROOT)/rootCA.pem" ./certs/ca.pem
# NEVER: share or expose the CA key
# cp "$(mkcert -CAROOT)/rootCA-key.pem" anywhere # FORBIDDEN
```
## Requirements
1. **Never commit**: rootCA-key.pem must never appear in any Git repository, private ones and history included
2. **Never share**: each developer generates their own CA with `mkcert -install`, which creates a fresh key pair in CAROOT and installs only the certificate into the local trust stores
3. **Never mount in containers**: if a container must trust locally issued certificates, mount rootCA.pem (the certificate) only, never the key and never the whole CAROOT directory
4. **File permissions**: mkcert creates rootCA-key.pem with mode 0400; keep it readable only by its owner (0400 or 0600) and never loosen it
5. **gitignore**: add patterns for the CA files and for the leaf certificates and keys mkcert generates
6. **Awareness**: whoever holds rootCA-key.pem can sign a certificate for ANY hostname, and every machine that trusts rootCA.pem will accept it, which is exactly what a TLS interception attack needs
## Examples
### Good — .gitignore
```gitignore
# mkcert certificates
certs/
*.pem
*.key
*.cert
# Never commit CA files
rootCA*.pem
```
### Good — Docker volume mount
```yaml
# docker-compose.yml fragment: mount only the CA certificate, never the key.
# Compose does not run $(...) substitution, so export the path first:
#   export CAROOT="$(mkcert -CAROOT)"
# Name the target *.crt: update-ca-certificates ignores other extensions.
volumes:
  - "${CAROOT}/rootCA.pem:/usr/local/share/ca-certificates/mkcert-rootCA.crt:ro"
```

Run `update-ca-certificates` inside the container afterwards so the mounted certificate lands in the system bundle.
### Bad
```yaml
# NEVER mount the entire CAROOT directory: it contains rootCA-key.pem
volumes:
  - "${CAROOT}:/certs:ro" # DANGEROUS: ":ro" still lets the container read the key
```

Nor stage generated certificates or keys, which the .gitignore above is meant to catch:

```bash
git add certs/local-cert.pem # should be gitignored
git add certs/local-key.pem  # leaf key, also never committed
```
## Enforcement
Add rootCA-key.pem patterns to the repository .gitignore and to each developer's global gitignore (`git config --global core.excludesFile`). A .gitignore does not affect files that are already tracked, so also run a scanner as a pre-commit hook and in CI: gitleaks flags `-----BEGIN ... PRIVATE KEY-----` blocks with its default ruleset, and git-secrets can be taught the same header with `git secrets --add`. If the key has ever been committed or pushed, treat the CA as compromised: run `mkcert -uninstall`, delete the CAROOT directory, run `mkcert -install` to generate a fresh CA, and purge the old key from repository history.
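The file-permission requirement and the Enforcement guidance above can both be checked mechanically. The script below is an added example written for this page, not code from mkcert, gitleaks or git-secrets. It assumes POSIX sh, `grep -E`, `stat` in either GNU (`-c`) or BSD (`-f`) form, and `git` when installed as `.git/hooks/pre-commit`; the `*-key.pem` filename pattern is an assumption based on mkcert's default naming for leaf keys.

```shell
#!/bin/sh
# Added example (not part of mkcert): refuse commits that stage PEM private
# keys or mkcert key files, and verify the CAROOT key's permissions.

# PEM armour for the key types mkcert produces (ECDSA by default, RSA with
# -rsa) plus the generic PKCS#8 and OpenSSH headers. Used with grep -E.
PRIVATE_KEY_RE='-----BEGIN (EC |RSA |OPENSSH )?PRIVATE KEY-----'

# scan_files FILE... : returns 1 if any file is named like a mkcert key file
# or contains a PEM private key block, printing each offender to stderr.
scan_files() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            rootCA-key.pem|*-key.pem)      # assumed mkcert naming convention
                echo "BLOCKED: $f looks like a private key file" >&2
                found=1
                continue ;;
        esac
        # -e keeps the leading dashes of the pattern from being read as options
        if grep -qE -e "$PRIVATE_KEY_RE" -- "$f" 2>/dev/null; then
            echo "BLOCKED: $f contains a PEM private key" >&2
            found=1
        fi
    done
    return "$found"
}

# check_caroot_perms DIR : returns 1 unless DIR/rootCA-key.pem exists and is
# readable only by its owner (mkcert creates it 0400; 0600 is the maximum).
check_caroot_perms() {
    key="$1/rootCA-key.pem"
    [ -f "$key" ] || { echo "no CA key at $key" >&2; return 1; }
    # GNU stat prints the octal mode with -c '%a', BSD/macOS with -f '%Lp'
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "BLOCKED: $key has mode $mode, expected 0400 or 0600" >&2
           return 1 ;;
    esac
}

# When installed as .git/hooks/pre-commit, scan every staged added/modified
# file; when sourced or run under another name, only define the functions.
case "$0" in
    */pre-commit|pre-commit)
        git diff --cached --name-only --diff-filter=AM |
            while IFS= read -r f; do scan_files "$f" || exit 1; done ||
            { echo "Commit rejected: private key material is staged." >&2; exit 1; }
        ;;
esac
```

Copy the file to `.git/hooks/pre-commit` and `chmod +x` it; a repository-level hook path (`git config core.hooksPath`) lets the team share it. The hook reads paths line by line, so filenames containing spaces are handled, but it is a backstop for the .gitignore rules, not a replacement for a scanner such as gitleaks in CI.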