Fix mkcert NET::ERR_CERT_AUTHORITY_INVALID
Fix NET::ERR_CERT_AUTHORITY_INVALID with mkcert on Mac by reinstalling the local CA, regenerating certificates and checking hostnames.
Locahl Team
Table of Contents
- Why this error happens
- Step 1: reinstall the mkcert CA
- Step 2: regenerate the certificate
- Step 3: restart the browser
- Step 4: check server configuration
- Step 5: check hosts and DNS
- Verify certificate coverage
- Framework examples
- Vite
- Next.js
- Node HTTPS server
- Cleanup when everything is confused
- Prevention checklist
- Debug order
- Common fixes by symptom
- Error only in Firefox
- Error only on subdomains
- Error after copying certificates to another Mac
- Error after deleting the mkcert CA
- Conclusion
Seeing NET::ERR_CERT_AUTHORITY_INVALID after setting up mkcert on Mac? The fastest fix is:
mkcert -install
mkdir -p certs
mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem localhost 127.0.0.1 ::1 myproject.test "*.myproject.test"
killall "Google Chrome"
open -a "Google Chrome"
This reinstalls the local certificate authority, regenerates a certificate for the exact hostnames you use, and restarts Chrome so it reloads trust settings.
Why this error happens
mkcert works by creating a local certificate authority and installing it into your system trust store. Your browser then trusts certificates signed by that local CA.
NET::ERR_CERT_AUTHORITY_INVALID appears when one of these is true:
- The mkcert root CA is not installed.
- The browser has not reloaded trust settings.
- The certificate was generated for a different hostname.
- Firefox is using its own certificate store.
- You moved certificates between machines.
- You are using an old certificate after deleting the mkcert CA.
For a full setup walkthrough, read the mkcert SSL local guide for Mac.
Step 1: reinstall the mkcert CA
Run:
mkcert -install
macOS may ask for your administrator password. This step installs or repairs the local root CA in the Keychain.
Check where mkcert stores the CA:
mkcert -CAROOT
You should see files like rootCA.pem and rootCA-key.pem. Never commit or share the private key.
Step 2: regenerate the certificate
Generate a certificate for every hostname you will open in the browser:
mkdir -p certs
mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem localhost 127.0.0.1 ::1 myproject.test "*.myproject.test"
The hostname must match the browser address bar. A certificate for localhost does not cover myproject.test. A certificate for myproject.test does not cover api.myproject.test unless you include the wildcard.
Step 3: restart the browser
Chrome:
killall "Google Chrome"
open -a "Google Chrome"
Safari usually follows the macOS Keychain, but a full restart can still help. Firefox may require manual CA import because it can use its own certificate store.
Step 4: check server configuration
Make sure your local server actually uses the regenerated files:
server: {
  https: {
    key: fs.readFileSync('certs/local-key.pem'),
    cert: fs.readFileSync('certs/local-cert.pem')
  }
}
If your server still points to an older .pem file, the browser will keep showing the error.
Step 5: check hosts and DNS
If the browser opens the wrong host, verify the mapping:
dscacheutil -q host -a name myproject.test
ping myproject.test
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
Use the Mac hosts file guide if the domain is not mapped correctly.
Verify certificate coverage
The most common mkcert mistake is generating a valid certificate for the wrong name.
Check the hostname in the browser address bar, then ensure it appears in the certificate Subject Alternative Name list.
Examples:
- Browser opens https://localhost:3000: include localhost.
- Browser opens https://myproject.test: include myproject.test.
- Browser opens https://api.myproject.test: include api.myproject.test or *.myproject.test.
- Browser opens https://127.0.0.1:3000: include 127.0.0.1.
- Browser opens https://[::1]:3000: include ::1.
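The matching rules behind these examples can be checked in code. The following is an added example, not code from the original article or from mkcert. It goes slightly beyond the list above by also showing that a wildcard covers exactly one extra label. The names SANS, isIp, canonicalIp, dnsMatches and coveringSan are hypothetical, and the SAN list is constructed to mirror the mkcert command on this page.

```javascript
// Constructed sample: the names passed to mkcert in the command on this page.
const SANS = ['localhost', '127.0.0.1', '::1', 'myproject.test', '*.myproject.test'];

// Treat dotted-quad strings and anything containing ':' as IP literals.
function isIp(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s) || s.includes(':');
}

// Canonical form of an IP literal so '::1' and '0:0:0:0:0:0:0:1' compare equal.
// The URL parser normalises IP hosts; brackets are stripped afterwards.
function canonicalIp(ip) {
  const url = new URL(ip.includes(':') ? `http://[${ip}]/` : `http://${ip}/`);
  return url.hostname.replace(/^\[|\]$/g, '');
}

// A wildcard SAN matches exactly one extra left-most label:
// *.myproject.test covers api.myproject.test, but not myproject.test
// and not a.b.myproject.test.
function dnsMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase().replace(/\.$/, '');
  if (!pattern.startsWith('*.')) return pattern === host;
  const suffix = pattern.slice(1); // e.g. ".myproject.test"
  if (!host.endsWith(suffix)) return false;
  const label = host.slice(0, -suffix.length);
  return label.length > 0 && !label.includes('.');
}

// Returns the SAN entry that covers the host in the address-bar URL, or null.
function coveringSan(sans, browserUrl) {
  const host = new URL(browserUrl).hostname.replace(/^\[|\]$/g, '');
  if (isIp(host)) {
    // IP addresses only match IP SANs, never DNS names or wildcards.
    return sans.find(s => isIp(s) && canonicalIp(s) === canonicalIp(host)) ?? null;
  }
  return sans.find(s => !isIp(s) && dnsMatches(s, host)) ?? null;
}

// Demo over the address-bar URLs listed above, plus one uncovered case.
for (const url of ['https://localhost:3000', 'https://api.myproject.test',
                   'https://[::1]:3000', 'https://a.b.myproject.test']) {
  console.log(url, '->', coveringSan(SANS, url) ?? 'NOT COVERED');
}
```

A null result for the URL you actually open means the certificate has to be regenerated with that name added.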
Generate one practical dev certificate:
mkcert -cert-file certs/local-cert.pem -key-file certs/local-key.pem localhost 127.0.0.1 ::1 myproject.test "*.myproject.test"
Framework examples
Vite
import { defineConfig } from 'vite';
import fs from 'fs';
export default defineConfig({
  server: {
    https: {
      key: fs.readFileSync('certs/local-key.pem'),
      cert: fs.readFileSync('certs/local-cert.pem')
    }
  }
});
Next.js
next dev --experimental-https --experimental-https-key certs/local-key.pem --experimental-https-cert certs/local-cert.pem
Node HTTPS server
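const https = require('https');
const fs = require('fs');
// app is your existing request handler, for example an Express application.
https.createServer({
  key: fs.readFileSync('certs/local-key.pem'),
  cert: fs.readFileSync('certs/local-cert.pem')
}, app).listen(3000);
Cleanup when everything is confused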
If you generated several certificates and no longer know which one is served:
1. Stop the local server.
2. Delete old project cert files, not the mkcert root CA.
3. Run mkcert -install.
4. Generate fresh cert/key files into a clear certs/ folder.
5. Update the server config to point to those exact files.
6. Restart the browser.
7. Reload in a new tab.
Do not commit private keys. Add this to .gitignore:
certs/
*.pem
*.key
Prevention checklist
Use this checklist for every HTTPS local project:
- Generate certificates on each developer machine.
- Include every hostname and subdomain used in the browser.
- Keep cert files in one project folder.
- Add cert files to .gitignore.
- Document the mkcert command in the README.
- Restart browsers after installing the mkcert CA.
- Avoid copying root CA private keys between machines.
Debug order
When the browser still complains, debug in this order:
1. Does mkcert -install succeed?
2. Does the certificate cover the hostname?
3. Does the server use the new cert and key?
4. Did the browser restart after trust changed?
5. Does the hosts file point to the right server?
6. Is Chrome using stale DNS or sockets?
This order prevents a common trap: regenerating certificates repeatedly when the server is actually still serving the old files.
Common fixes by symptom
Error only in Firefox
Import rootCA.pem from the folder shown by mkcert -CAROOT into Firefox certificate authorities.
Error only on subdomains
Regenerate the certificate with a wildcard:
mkcert myproject.test "*.myproject.test"
Error after copying certificates to another Mac
Do not copy mkcert certificates between machines. Install mkcert and generate certificates on each developer machine.
Error after deleting the mkcert CA
Run mkcert -install and regenerate certificates. Old certificates signed by the deleted CA will no longer be trusted.
Conclusion
For mkcert errors on Mac, fix trust first, then hostname coverage, then server configuration. In most cases, mkcert -install, a regenerated certificate and a browser restart solve NET::ERR_CERT_AUTHORITY_INVALID.
Frequently Asked Questions
Why does mkcert show NET::ERR_CERT_AUTHORITY_INVALID?
Usually Chrome or macOS does not trust the mkcert root CA, or the certificate does not match the hostname.
What is the fastest fix?
Run mkcert -install, regenerate the certificate for the exact hostname, then restart the browser.