Luo Hao

Generating mutually trusted certificates on a LAN with mkcert

rehoni / 2023-10-12


Following the project's GitHub page, with the README as reference.

Server side

This is normally the server, i.e. the machine that publishes the web page.

  1. First run:
     mkcert -install
  2. Then run the following; if you have a domain name, enter it, otherwise just use your own IP address:
     mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1

     The certificate is at "./example.com+5.pem" and the key at "./example.com+5-key.pem" ✅
  3. The resulting .pem file is the certificate and the -key.pem file is the private key.
  4. For haproxy, put the absolute path of that pem file after `ssl crt` and republish the site.

Note the PEM format haproxy expects: it has two sections, one CERTIFICATE section and one RSA PRIVATE KEY section.

Append the contents of the key file to the end of the pem file from step 3, and add the three letters RSA to both the BEGIN and END lines of the key section so that they match.

Note the following passage from the README: it means that clients accessing the site must trust mkcert's CA.

Using certificates from real certificate authorities (CAs) for development can be dangerous or impossible (for hosts like example.test, localhost or 127.0.0.1), but self-signed certificates cause trust errors. Managing your own CA is the best solution, but usually involves arcane commands, specialized knowledge and manual steps.

mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. mkcert does not automatically configure servers to use the certificates, though, that’s up to you.

Client side

The root certificate issued by mkcert must be installed.

I only tested installing the root certificate, which was enough to take effect. I did not test installing the certificate generated above.

Run the command

mkcert -CAROOT

to get the path of the root certificate. Download that certificate from the server to the client, change its extension to .crt, double-click it to install, and choose "Trusted Root Certification Authorities".

Installing in the trust store does not require the CA key, so you can export the CA certificate and use mkcert to install it in other machines.

Remember that mkcert is meant for development purposes, not production, so it should not be used on end users’ machines, and that you should not export or share rootCA-key.pem.

After visiting the site from this client, the browser no longer shows "Not secure".
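The two file-handling steps above (building the combined PEM for haproxy's `ssl crt`, and exporting only the CA certificate from `mkcert -CAROOT` to the client) as an added example; this is not the post's or the mkcert project's code. The file names follow the post; the PEM bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Write stand-in copies of the files mkcert produces into directory $1.
# Bodies are constructed placeholders; mkcert writes its key as a PKCS#8
# "PRIVATE KEY" block, which is reproduced here verbatim.
make_sample_inputs() {
  dir="$1"
  mkdir -p "$dir/caroot"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgTEVBRiBDRVJU' \
    '-----END CERTIFICATE-----' > "$dir/example.com+5.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQgTEVBRiBLRVk=' \
    '-----END PRIVATE KEY-----' > "$dir/example.com+5-key.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUk9PVCBDQQ==' \
    '-----END CERTIFICATE-----' > "$dir/caroot/rootCA.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQgQ0EgS0VZ' \
    '-----END PRIVATE KEY-----' > "$dir/caroot/rootCA-key.pem"
}

# Server side: haproxy's `ssl crt` takes one file holding the certificate
# block(s) followed by the private key block. Both inputs are checked first.
build_haproxy_pem() {
  cert="$1"; key="$2"; out="$3"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "no certificate in $cert" >&2; return 1; }
  grep -q -- 'PRIVATE KEY-----' "$key" || { echo "no private key in $key" >&2; return 1; }
  # The combined file contains the private key, so create it owner-readable only.
  ( umask 077; cat "$cert" "$key" > "$out" )
}

# Print "ok" if the combined file has at least one certificate block and
# exactly one private key block, "bad" otherwise.
check_haproxy_pem() {
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  keys=$(grep -c -- 'BEGIN .*PRIVATE KEY-----' "$1" || true)
  if [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]; then echo ok; else echo bad; fi
}

# Client side: copy only rootCA.pem out of the CAROOT directory ($1) to $2
# (a .crt name opens the Windows import wizard). rootCA-key.pem stays on the
# issuing machine; refuse if the file to export contains a key block.
export_ca_cert() {
  caroot="$1"; dest="$2"
  if grep -q -- 'PRIVATE KEY' "$caroot/rootCA.pem"; then
    echo "refusing: $caroot/rootCA.pem contains a private key block" >&2; return 1
  fi
  cp "$caroot/rootCA.pem" "$dest"
}
```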