Set up a local security certificate

If you’re using a Development URL to develop an extension, the URL needs to use HTTPS. But if you just enable HTTPS in webpack-dev-server, you need to bypass a security warning every time you start the local server, since you don’t actually have a local security certificate.
Bypassing the warning is simple enough, but it can be confusing when you forget to bypass the warning and then can’t figure out why your extension isn’t working.
You can avoid this problem altogether by setting up a local, self-signed security certificate.


Step 1: Install mkcert

mkcert is “a simple tool for making locally trusted development certificates.”
To install mkcert, run the following command:
# macOS
brew install mkcert
# Windows
choco install mkcert
To learn more about mkcert, see

(Optional) Step 2: Install nss

If you’re using Firefox as your web browser, you also need to install nss:
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.
To install nss, run the following command:
brew install nss
To learn more about nss, see

Step 3: Generate the certificate

To generate the certificate, run the following command in the extension’s directory:
mkcert localhost
This command generates the following files:
  • localhost-key.pem
  • localhost.pem
  • rootCA-key.pem
  • rootCA.pem
You should see the following output in the terminal:
Created a new local CA
Note: the local CA is not installed in the system trust store.
Run "mkcert -install" for certificates to be trusted automatically
Created a new certificate valid for the following names
- "localhost"
The certificate is at "./localhost.pem" and the key at "./localhost-key.pem"
It will expire on 28 September 2023
Then, to trust the certificate, run the following command:
mkcert -install
You should see the following output in the terminal:
The local CA is now installed in the system trust store!

Step 4: Configure webpack-dev-server

Once the certificate exists, webpack-dev-server needs to know where it lives. You can do this in the webpack.config.js file or via the command line.


Add the following https property to the devServer object in the webpack configuration:
https: {
key: "localhost-key.pem",
cert: "localhost.pem"

Command line

Add the following flags to the webpack serve command:
  • --https
  • --key
  • —-cert
This is an example of a complete command:
webpack serve --config ./webpack.config.js --mode development --https --key localhost-key.pem --cert localhost.pem

Step 5: Start the server

To confirm that the security certificate is set up correctly, start the local server:
yarn start
Then navigate to https://localhost:8000.
If the page loads without a security warning, the certificate is set up correctly. You can also confirm that it’s working by clicking the lock icon in the address bar.
Based on these changes, you can use https://localhost:8000 for an extension’s Development URL without having to bypass the security warning.