A Mac localhost HTTPS app raises install-time certificate questions

A notarized Java desktop app runs an HTTPS service on the Mac’s local address (localhost). Today, the app creates its certificates with mkcert and adds trust for them in Keychain during the first launch.

This works on many Macs, but some people hit install or startup failures. There is not enough telemetry to clearly see what is failing.

The main choice is whether certificate creation and trust should stay inside the app, move partly into a PKG installer, or use a different setup. The risky areas to check are Keychain permissions, Apple Silicon Macs, and devices managed by an organization.

Key points

  • The Java app serves HTTPS on the Mac’s local address.
  • It currently uses mkcert and Keychain during first startup.
  • Some Macs see install or startup problems.
  • A PKG installer could handle part of the certificate setup instead.
  • Keychain permissions, Apple Silicon, and managed devices are likely failure points.

Quick term guide

  • desktop app: A program you install and run on your computer instead of using only in a browser.
  • telemetry: Diagnostic data (performance stats, errors, usage info) that devices automatically collect and send for analysis.
  • PKG installer: A Mac installation package that can install files and apply setup steps.
  • installer: An installer is the file used to put an app onto a computer.
  • permissions: Settings that define what files or actions a system or user is allowed to access.
  • permission: The allowed range of actions a person or system can take.
  • Apple Silicon: Apple's own line of chips (M1, M2, M3, M4, M5) used in Macs, known for performance and efficiency.
  • security: How well a site is protected from attacks or unsafe access.