Automic Vault

brew package intelligence

mkcert

Automic Vault tracks mkcert because its plain-text root CA private key matters when AI agents run command-line tools on macOS.

overview

What Automic Vault knows about mkcert

Simple tool to make locally trusted development certificates

Homepage

Not present in the local metadata.

Commands and aliases

No executable aliases were found in the local package database.

radioisotope

Plain Text Root CA Private Key

`mkcert` stores its local root CA private key as rootCA-key.pem in the user CAROOT directory. Our isotope stores that private key in the macOS keychain and exposes it through a temporary CAROOT only while `mkcert` runs.

Local README excerpt

mkcert Radioisotope

mkcert creates a local certificate authority and stores its private key as rootCA-key.pem in the user CAROOT directory.

This radioisotope migrates rootCA-key.pem into the Automic Vault keychain and wraps mkcert so the key is materialized in a temporary CAROOT only while mkcert is running.

Caveats

  • We currently migrate the default CAROOT, or the CAROOT set during migration.
  • The public rootCA.pem file remains on disk.
  • Existing shells that execute the original binary directly will not receive the root CA key.

Source: data/radioisotopes/mkcert/README.md

Caveats

  • We currently migrate the default CAROOT, or CAROOT set during migration.
  • The public rootCA.pem file remains on disk.
  • Direct execution of the original binary will not receive the root CA key.
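
A sketch of the temporary-CAROOT wrapper pattern described above, as an added example that is not Automic Vault's own code. It assumes the key is held as a base64-encoded generic password in the macOS keychain under a hypothetical service name; `fetch_ca_key` and `run_with_temp_caroot` are illustrative names.

```bash
#!/bin/sh
# Added illustration of the wrapper pattern; not the radioisotope's code.
# Assumption: the keychain secret is the base64 of rootCA-key.pem, so the
# multi-line PEM is stored as a single-line value. Service name is made up.
KEYCHAIN_SERVICE="${KEYCHAIN_SERVICE:-example-mkcert-rootca-key}"

# Print the PEM private key on stdout (macOS `security` CLI).
fetch_ca_key() {
  security find-generic-password -s "$KEYCHAIN_SERVICE" -w | base64 --decode
}

# run_with_temp_caroot <dir holding the public rootCA.pem> <command> [args...]
run_with_temp_caroot() {
  public_caroot=$1
  shift
  (
    umask 077                          # files created below are owner-only
    tmp=$(mktemp -d) || exit 1         # mktemp -d creates the dir with mode 0700
    trap 'rm -rf "$tmp"' EXIT          # key is removed when the subshell exits
    trap 'exit 130' INT TERM HUP       # route signals through the EXIT trap
    cp "$public_caroot/rootCA.pem" "$tmp/rootCA.pem" || exit 1
    fetch_ca_key > "$tmp/rootCA-key.pem" || exit 1
    # A failed keychain lookup can still leave an empty file: refuse to run.
    [ -s "$tmp/rootCA-key.pem" ] || exit 1
    CAROOT="$tmp" "$@"                 # the tool finds the key only via CAROOT
  )
}

# Usage (paths are placeholders):
#   run_with_temp_caroot "$HOME/ca-public" mkcert localhost
```

The wrapped command's exit status is returned unchanged, and the temporary directory is removed whether the command succeeds or fails.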

approval gates

Human review metadata for risky commands

The local approval-gate seed includes 5 rules for mkcert. Covered entrypoints: mkcert. Severity labels: critical, high.

Example gated actions

  • Simple tool to make locally trusted development certificates
  • Install the local CA into system or browser trust stores.
  • Remove the local CA from trust stores.
  • Generate local certificates and private keys.
  • Write certificate or key files to caller-specified paths.

install metadata

Resolver facts

  • Package key: brew:mkcert
  • Last updated: 2026-02-14T17:02:11+01:00
  • Pulse: updated

source trail

Generated from repository data

This page is regenerated by scripts/generate-pkg-pages.py. Deployments refuse to publish if www/pkg/ is stale relative to local package data.

Used sources

  • Nucleus package database
  • approval-gate seed metadata
  • local isotope README
  • radioisotope security manifest