Root certificate no longer applicable for leaf certificates in MacOS 26.1

[chrisnoden]

Environment

• MacOS 26.1
• mkcert version (from mkcert -version): 1.4.4
• Server (where the certificate is loaded): Nitro 2.12.9, Vite 7.1.12
• Client (e.g. browser, CLI tool, or script): All MacOS browsers

What you did

Updated to MacOS 26.1
None of my local dev certificates work. They all worked before the update.

mkcert -uninstall
mkcert -install

Open keychain access and ensure mkcert root is Always Trusted

mkcert testsite.wip
yarn dev -o

This opens browser and normally would take me to https://testsite.wip (or whatever hostname I've set) without any SSL error.

What went wrong

Since updating to MacOS 26.1 all my browsers report a certificate error - net::ERR_CERT_AUTHORITY_INVALID

"This server could not prove that it is testsite.wip; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection."

openssl s_client -connect testsite.wip:3000 -servername testsite.wip -showcerts </dev/null | openssl x509 -noout -text | sed -n '1,120p'

this reports:

X509v3 Subject Alternative Name:
   DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1

[uselpa]

Same problem on one Mac, not on the other.

[chrisnoden]

The issue for me ends up being with the Nuxt server (vite/nitro). It no longer respects passing the certs through the command line - instead I need to set a nuxt.config.ts configuration:

devServer: {
    https: {
        key: './test.local-key.pem',
        cert: './test.local.pem',
    },
},

Then my package.json has the "dev" script as:
"dev": "NODE_TLS_REJECT_UNAUTHORIZED=0 nuxt dev --host test.local --https"

This seems to be working and is, so far, the only solution I have found.