How to add certificates to keychain

1. Output of caddy version:

Don’t know, can’t connect to the caddy image, using Docker:

image: caddy:latest

2. How I run Caddy:

image: caddy:latest

a. System environment:

Docker… um… does Docker even have a version?
I’m running Docker on Mac silicon, macOS Ventura.

b. Command:

    image: caddy:latest

c. Service/unit/compose file:

I don't know what this is.

d. My complete Caddy config:

    {
        debug
    }
    fe.mnr.localhost {
        reverse_proxy host.docker.internal:8080
    }
    be.mnr.localhost {
        root * /var/www/html/mnr-be/webroot
        encode gzip
        php_fastcgi php:9000
        file_server
    }

3. The problem I’m having:

When I try to browse to the localhost domains I get warnings about the site being unsafe etc. I need to somehow add the certificates to be trusted by all my browsers. I managed to do this before but I can’t recall how and also can’t find any reference to it anywhere.

4. Error messages and/or full log output:

    % curl --verbose https://be.mnr.localhost
    *   Trying 127.0.0.1:443...
    * Connected to be.mnr.localhost (127.0.0.1) port 443 (#0)
    * ALPN: offers h2
    * ALPN: offers http/1.1
    *  CAfile: /etc/ssl/cert.pem
    *  CApath: none
    * (304) (OUT), TLS handshake, Client hello (1):
    * (304) (IN), TLS handshake, Server hello (2):
    * (304) (IN), TLS handshake, Unknown (8):
    * (304) (IN), TLS handshake, Certificate (11):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

5. What I already tried:

I tried opening the Keychain Access app on my Mac but didn’t know what to do in there.
The docs say “drag the certs into Keychain Access app” (see link below).
But I don’t know where the certs are in order to drag them in.
I tried the .crt file shown in the attached image:

But Keychain Access complained that it does not recognise the certificate.

It might be a good idea for this process to be in your documentation.

6. Links to relevant resources:

Managed to get it working. The trick is to use the root.crt file:

Drag that into the Keychain Access app on the Certificates tab.

Once you’ve done so, the certificate will be registered but untrusted. To mark it trusted, right-click on the certificate (in the Keychain Access app), select Get Info and open the Trust expander:

Select the Always Trust option.

Then the cert will be marked with the blue plus icon, to indicate that it is trusted:

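A command-line counterpart of the Keychain Access steps in the answer above, added here as an example (it is not from the original posts and is not Caddy's own tooling). It assumes `docker`, `openssl` and the macOS `security` tool are on the PATH; the function names are made up for this example, and the container name and the in-container path to root.crt are arguments you supply. It refuses any file that is not a self-signed CA certificate and prints the fingerprint before trusting it.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (both arguments are yours to supply):
#   sh trust-caddy-root.sh <container> <path-in-container>/root.crt

# Succeed only if FILE parses as an X.509 certificate, is self-signed
# (subject hash equals issuer hash) and carries basicConstraints CA:TRUE.
is_root_ca() {
    cert=$1
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    subj=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 1
    [ "$subj" = "$iss" ] || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'
}

# Copy root.crt out of the container, check it, then trust it system-wide.
trust_caddy_root() {
    container=$1
    path_in_container=$2
    workdir=$(mktemp -d) || return 1
    docker cp "$container:$path_in_container" "$workdir/root.crt" || return 1
    if ! is_root_ca "$workdir/root.crt"; then
        echo "refusing: not a self-signed CA certificate" >&2
        return 1
    fi
    # Show what is about to be trusted so the fingerprint can be compared
    # with the one reported inside the container.
    openssl x509 -in "$workdir/root.crt" -noout \
        -subject -enddate -fingerprint -sha256
    # Adds the certificate to the System keychain and marks it as a trusted
    # root, which is what "Always Trust" does in the Keychain Access app.
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$workdir/root.crt"
}

# Run only when called with both arguments; sourcing the file just
# defines the functions.
if [ "$#" -eq 2 ]; then
    trust_caddy_root "$1" "$2"
fi
```

Anything signed by this root is then accepted by every browser that uses the system trust store, so keep the container's data volume private. `sudo security remove-trusted-cert -d root.crt` removes the trust setting again when the development setup is retired.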

Thanks for the answer!

We don’t really document other software in our documentation, but this would make a great wiki article if you’d like to contribute a guide!
