Secure transfers with mkcert

Published on October 14th, 2020, by Claudio d’Angelis.

In this tutorial you will learn how to securely transfer files with qrcp by creating a local Certificate Authority using mkcert and generating a certificate for qrcp. From its README, mkcert is a simple tool for making locally-trusted development certificates. It requires no configuration.

The following values will be used for this tutorial, they refer to a typical Linux system and may differ for you according to your operating system:

Name Value
IP of the computer/laptop 192.168.1.107
Root certificate path ~/.local/share/mkcert/rootCA.pem
Certificate path ~/certs/192.168.1.107.pem
Certificate key ~/certs/192.168.1.107-key.pem
Transferred file MyDocument.pdf

Note: secure transfers are only supported by qrcp version 0.7.0 and above.

Generate certificates

Open your terminal, create a directory called certs and change to it Install mkcert (refer to the README).

Generate the Certificate Authority:

mkcert --install

If everything worked correctly, you should see the similar output:

Created a new local CA at "/home/me/.local/share/mkcert"
Sudo password:
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)!

Generate a certificate for the IP of your computer/laptop:

mkcert 192.168.1.107

You should see a similar output:

Using the local CA at "/home/me/.local/share/mkcert"

Created a new certificate valid for the following names 
 - "192.168.1.107"

The certificate is at "./192.168.1.107.pem" and the key at "./192.168.1.107-key.pem" 

At this point you should securely upload the root certificate generated by mkcert to your mobile phone. You have a few options for this, the simplest is just sending it by email. You can check the location of the root certificate’s parent directory by running:

mkcert --CAROOT

If you are using iOS, you should trust the certificate authority, you can find more information here: Trust manually installed certificate profiles in iOS and iPadOS.

If you are using Android, you must convert the root certificate from PEM format to DER format. Note that you may need to install the openssl tool.

openssl x509 -inform PEM -outform DER -in $(mkcert --CAROOT)/rootCA.pem -out $(mkcert --CAROOT)/rootCA.der.crt

Upload the converted certificate to your Android device, and install it by simply opening the file. When asked to enter the certificate name, you can enter a friendly name, for example “mkcert”.

Transfer something!

You are now ready to securely transfer a file using the certificates generated by mkcert:

qrcp --tls-cert ~/certs/192.168.1.107.pem --tls-key ~/certs/192.168.1.107-key.pem screenshot.png

The output will be something like this (note that the printed URL starts with “https”):

Scan the following URL with a QR reader to start the file transfer:
https://192.168.1.107:40221/send/ljd7
█████████████████████████████████████
█████████████████████████████████████
████ ▄▄▄▄▄ █ █▀▀ █▀ ▄█▄▀▀█ ▄▄▄▄▄ ████
████ █   █ █▀█▄▄▄▄▄▄█▄█▄██ █   █ ████
████ █▄▄▄█ ██▀▄▄▀▄▀█▀█ ▀▄█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█ ▀▄█ ▀ ▀ ▀ █ █▄▄▄▄▄▄▄████
████ ▀▄ ▀▄▄ ▀██▀▄▄▄▄   ▄█▀▄██▄█▄ ████
████▀▀   █▄▀▀ ▄▄█▀ █▀▄█▄▀ ▄▄██▄▄▀████
████▀█ ▀█▄▄█ ▄██ ▀██▀▀  ▄█▀▀█▄ ▀▀████
████  █▀█▀▄ █  ▄ ▀▄   ▀▄██ █▀█▄ ▄████
█████ ▀ ▀▀▄  ▄▀█ ▀██▄█▄▀▄██ ▀ ▀ █████
████▄████▄▄  ▀█ ▀████▄█▄ ▄▀█ █ ██████
█████▄█▄▄▄▄█▀ ▀█  ▀ ▀▀   ▄▄▄   ▀▀████
████ ▄▄▄▄▄ █  █▄▄▄█ █▀█  █▄█  █▄▀████
████ █   █ █▀ ▀ ▄▀ █ █▀ ▄   ▄▀▄▄▄████
████ █▄▄▄█ █▄█▄█ ▀▀▀▄▀ █▄▄ █▀█▄▀▄████
████▄▄▄▄▄▄▄█▄▄▄██▄▄▄█▄▄██▄█▄█▄▄▄█████
█████████████████████████████████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Scan the QR and the file will be securely transferred to your mobile. Congratulations!

Configure qrcp to default to those value

If you want to make this setup persistent so that all transfers will be secured by default, run the wizard with qrcp config and make sure the choose the right values to the following questions:

(Note: you must enter the absolute path of the certificates)

After configuring qrcp, all transfers will be always secured. If you’ll want to temporarily disable security, just add the --secure=false flag.

Secure transfer:

qrcp MyDocument.pdf

Unsecure transfer:

qrcp --secure=false MyDocument.pdf

Conclusion

In this tutorial we have seen how to:

If you want to learn more about HTTPS and secure connections, have a look at the How HTTPS works …in a comic! website.