Sets up a locally-trusted TLS certificate so a dev endpoint can serve
https://localhost with no tunnel and no downgrade.
attesto requires an https issuer (RFC 8414 §2), so a plain http://localhost
dev server cannot drive the OAuth / MCP flow. This task generates a certificate
from a local certificate authority — mkcert —
that your machine already trusts, so https://localhost works everywhere with
no -k and no self-signed warnings.
The task:
- checks
mkcertis on yourPATH(printing install guidance if not), - creates the cert directory (default
priv/cert), - runs
mkcert -install(idempotent — trusts the local CA on this machine), - writes
localhost.pem+localhost-key.pemfor the requested hosts, - ensures the cert directory is git-ignored, and
- prints the exact
config/dev.exsone-liner to wire it up.
Re-running regenerates cleanly.
Example
mix attesto_phoenix.gen.dev_https
Then wire it into config/dev.exs (the task prints this):
config :my_app, MyAppWeb.Endpoint, https: AttestoPhoenix.DevTLS.https_opts(port: 4443)and make sure your MCP / OAuth issuer is https://localhost:4443.
Options
--host- the space-separated host list the certificate is valid for. Defaults tolocalhost 127.0.0.1 ::1.--dir- the directory the cert/key are written to. Defaults topriv/cert.
Production
mkcert is a local dev CA. Never run mkcert -install or use these
certificates on a server or in CI — production terminates TLS at the load
balancer / ingress with a real CA certificate.