Fix mkcert NET::ERR_CERT_AUTHORITY_INVALID

Fix NET::ERR_CERT_AUTHORITY_INVALID with mkcert on Mac by reinstalling the local CA, regenerating certificates and checking hostnames.

Locahl Team

Seeing NET::ERR_CERT_AUTHORITY_INVALID after setting up mkcert on Mac? The fastest fix is:

BASH
mkcert -install
mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem localhost 127.0.0.1 ::1 myproject.test "*.myproject.test"
killall "Google Chrome"
open -a "Google Chrome"

This reinstalls the local certificate authority, regenerates a certificate for the exact hostnames you use, and restarts Chrome so it reloads trust settings.

Why this error happens

mkcert works by creating a local certificate authority and installing it into your system trust store. Your browser then trusts certificates signed by that local CA.

NET::ERR_CERT_AUTHORITY_INVALID appears when one of these is true:

  • The mkcert root CA is not installed.
  • The browser has not reloaded trust settings.
  • The certificate was generated for a different hostname.
  • Firefox is using its own certificate store.
  • You moved certificates between machines.
  • You are using an old certificate after deleting the mkcert CA.

For a full setup walkthrough, read the mkcert SSL local guide for Mac.

Step 1: reinstall the mkcert CA

Run:

BASH
mkcert -install

macOS may ask for your administrator password. This step installs or repairs the local root CA in the Keychain.

Check where mkcert stores the CA:

BASH
mkcert -CAROOT

You should see files like rootCA.pem and rootCA-key.pem. Never commit or share rootCA-key.pem: anyone who holds that private key can issue certificates your machine will trust for any hostname.

Step 2: regenerate the certificate

Generate a certificate for every hostname you will open in the browser:

BASH
mkdir -p certs
mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem localhost 127.0.0.1 ::1 myproject.test "*.myproject.test"

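The hostname must match the browser address bar. A certificate for localhost does not cover myproject.test. A certificate for myproject.test does not cover api.myproject.test unless you include the wildcard. The wildcard stands for a single label, so *.myproject.test matches api.myproject.test but neither myproject.test itself nor a.b.myproject.test.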

Step 3: restart the browser

Chrome:

BASH
killall "Google Chrome"
open -a "Google Chrome"

Safari usually follows the macOS Keychain, but a full restart can still help. Firefox may require manual CA import because it can use its own certificate store.

Step 4: check server configuration

Make sure your local server actually uses the regenerated files:

JAVASCRIPT
server: {
  https: {
    key: fs.readFileSync('certs/local-key.pem'),
    cert: fs.readFileSync('certs/local-cert.pem')
  }
}

If your server still points to an older .pem file, the browser will keep showing the error.

Step 5: check hosts and DNS

If the browser opens the wrong host, verify the mapping:

BASH
dscacheutil -q host -a name myproject.test
ping myproject.test
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder

Use the Mac hosts file guide if the domain is not mapped correctly.

Verify certificate coverage

The most common mkcert mistake is generating a valid certificate for the wrong name.

Check the hostname in the browser address bar, then ensure it appears in the certificate Subject Alternative Name list.

Examples:

  • Browser opens https://localhost:3000: include localhost.
  • Browser opens https://myproject.test: include myproject.test.
  • Browser opens https://api.myproject.test: include api.myproject.test or *.myproject.test.
  • Browser opens https://127.0.0.1:3000: include 127.0.0.1.
  • Browser opens https://[::1]:3000: include ::1.

Generate one practical dev certificate:

BASH
mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem localhost 127.0.0.1 ::1 myproject.test "*.myproject.test"
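
To check coverage mechanically rather than by eye, the following added example (not from the original article) applies the hostname matching rules to a Subject Alternative Name string of the kind Node.js exposes as `X509Certificate.subjectAltName`. The function names and the sample SAN string are constructed for illustration.

```javascript
// Added example: does a certificate's SAN list cover the URL in the address bar?

// Canonicalise an IP literal so "0:0:0:0:0:0:0:1" and "::1" compare equal.
function canonicalIP(ip) {
  const host = ip.includes(':') ? `[${ip}]` : ip;
  return new URL(`https://${host}/`).hostname.replace(/^\[|\]$/g, '');
}

function isIPLiteral(host) {
  return host.includes(':') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Parse a SAN string such as "DNS:localhost, IP Address:127.0.0.1".
function parseSubjectAltName(sanString) {
  const sans = { dns: [], ip: [] };
  for (const entry of sanString.split(',').map((s) => s.trim())) {
    if (entry.startsWith('DNS:')) sans.dns.push(entry.slice(4).toLowerCase());
    else if (entry.startsWith('IP Address:')) sans.ip.push(canonicalIP(entry.slice(11)));
  }
  return sans;
}

// A wildcard stands for exactly one left-most label: "*.myproject.test"
// matches api.myproject.test, not myproject.test or a.b.myproject.test.
function dnsMatches(pattern, host) {
  if (!pattern.startsWith('*.')) return pattern === host;
  const dot = host.indexOf('.');
  return dot > 0 && host.slice(dot) === pattern.slice(1);
}

// IP hosts are compared against IP SANs only, DNS hosts against DNS SANs only.
function covers(sanString, browserUrl) {
  const sans = parseSubjectAltName(sanString);
  const host = new URL(browserUrl).hostname.replace(/^\[|\]$/g, '');
  if (isIPLiteral(host)) return sans.ip.includes(canonicalIP(host));
  return sans.dns.some((pattern) => dnsMatches(pattern, host));
}

// Constructed sample: the names from the article's mkcert command, with the
// IPv6 loopback written in expanded form to show both spellings are handled.
const SAMPLE_SAN = 'DNS:localhost, DNS:myproject.test, DNS:*.myproject.test, ' +
  'IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1';

for (const url of ['https://localhost:3000', 'https://[::1]:3000',
  'https://api.myproject.test', 'https://a.b.myproject.test']) {
  console.log(url, covers(SAMPLE_SAN, url) ? 'covered' : 'NOT covered');
}
```

To check a real certificate, read the file into Node's `crypto.X509Certificate` and pass its `subjectAltName` property as the first argument to `covers`.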

Framework examples

Vite

JAVASCRIPT
import { defineConfig } from 'vite';
import fs from 'fs';

export default defineConfig({
  server: {
    https: {
      key: fs.readFileSync('certs/local-key.pem'),
      cert: fs.readFileSync('certs/local-cert.pem')
    }
  }
});

Next.js

BASH
next dev --experimental-https --experimental-https-key certs/local-key.pem --experimental-https-cert certs/local-cert.pem

Node HTTPS server

JAVASCRIPT
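import https from 'https';
import fs from 'fs';

// `app` is your request handler, for example an Express app
https.createServer({
  key: fs.readFileSync('certs/local-key.pem'),
  cert: fs.readFileSync('certs/local-cert.pem')
}, app).listen(3000);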

Cleanup when everything is confused

If you generated several certificates and no longer know which one is served:

1. Stop the local server.
2. Delete old project cert files, not the mkcert root CA.
3. Run mkcert -install.
4. Generate fresh cert/key files into a clear certs/ folder.
5. Update the server config to point to those exact files.
6. Restart the browser.
7. Reload in a new tab.

Do not commit private keys. Add this to .gitignore:

GITIGNORE
certs/
*.pem
*.key

Prevention checklist

Use this checklist for every HTTPS local project:

  • Generate certificates on each developer machine.
  • Include every hostname and subdomain used in the browser.
  • Keep cert files in one project folder.
  • Add cert files to .gitignore.
  • Document the mkcert command in the README.
  • Restart browsers after installing the mkcert CA.
  • Avoid copying root CA private keys between machines.

Debug order

When the browser still complains, debug in this order:

1. Does mkcert -install succeed?
2. Does the certificate cover the hostname?
3. Does the server use the new cert and key?
4. Did the browser restart after trust changed?
5. Does the hosts file point to the right server?
6. Is Chrome using stale DNS or sockets?

This order prevents a common trap: regenerating certificates repeatedly when the server is actually still serving the old files.

Common fixes by symptom

Error only in Firefox

Import rootCA.pem from the folder shown by mkcert -CAROOT into Firefox certificate authorities.

Error only on subdomains

Regenerate the certificate with a wildcard:

BASH
mkcert myproject.test "*.myproject.test"

Error after copying certificates to another Mac

Do not copy mkcert certificates between machines. Install mkcert and generate certificates on each developer machine.

Error after deleting the mkcert CA

Run mkcert -install and regenerate certificates. Old certificates signed by the deleted CA will no longer be trusted.

Conclusion

For mkcert errors on Mac, fix trust first, then hostname coverage, then server configuration. In most cases, mkcert -install, a regenerated certificate and a browser restart solve NET::ERR_CERT_AUTHORITY_INVALID.

Frequently Asked Questions

Why does mkcert show NET::ERR_CERT_AUTHORITY_INVALID?

Usually Chrome or macOS does not trust the mkcert root CA, or the certificate does not match the hostname.

What is the fastest fix?

Run mkcert -install, regenerate the certificate for the exact hostname, then restart the browser.
