This page explains how to set up a local development server on a Mac (with Apache installed) to use HTTPS to more closely mimic the environment on a production website. This involves installing a self-signed SSL certificate and ensuring Apache is configured accordingly. These instructions assume that openssl has been installed. Most of this was obtained from this guide.
- Configure SSL settings
  - Open the SSL configuration file in Terminal (using the nano editor in these instructions)
      sudo nano /private/etc/apache2/extra/httpd-ssl.conf
  - In the <VirtualHost> section, make sure the settings are as follows:
    - Change <VirtualHost _default_:443> to <VirtualHost *:443>
    - Make sure the DocumentRoot is correct for your local server
    - Change the ServerName to localhost:443
    - Make sure SSLEngine is set to on
  - Note the certificate file paths
    - Find the SSLCertificateFile and SSLCertificateKeyFile directives
    - These lines should be uncommented (i.e., no # at the beginning of the line)
    - Note the paths and file names - these will be used later. You can change the location and file name, just make sure that the paths and names here match the actual files you create later. For these instructions we will use the following:
        SSLCertificateFile "/private/etc/ssl/server.crt"
        SSLCertificateKeyFile "/private/etc/ssl/server.key"
- Create configuration files
  - Create a file named server.csr.cnf
      sudo nano /private/etc/ssl/server.csr.cnf
  - Paste the following into server.csr.cnf, changing location and email values as needed, and then save the file
      [req]
      default_bits = 2048
      prompt = no
      default_md = sha256
      distinguished_name = dn

      [dn]
      C=US
      ST=New York
      L=Rochester
      O=End Point
      OU=Testing Domain
      emailAddress=your-administrative-address@your-awesome-existing-domain.com
      CN = localhost
  - Create a file named v3.ext
      sudo nano /private/etc/ssl/v3.ext
  - Paste the following into v3.ext, and then save the file
      authorityKeyIdentifier=keyid,issuer
      basicConstraints=CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = localhost
- Generate certificates and keys
  Navigate to /private/etc/ssl/ and then perform the following
  - Generate an RSA private key
      sudo openssl genrsa -des3 -out /private/etc/ssl/rootCA.key 2048
    - You will be asked for a password and a few other questions
  - Generate the root certificate which will be valid for 1024 days
      sudo openssl req -x509 -new -nodes -key /private/etc/ssl/rootCA.key -sha256 -days 1024 -out /private/etc/ssl/rootCA.pem
  - Create the private key and certificate signing request (server.csr) for the certificate
      sudo openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
  - Generate the certificate
      sudo openssl x509 -req -in server.csr -CA /private/etc/ssl/rootCA.pem -CAkey /private/etc/ssl/rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
  - To verify the certificate has the SAN (needed to work in some browsers)
      openssl x509 -text -in server.crt -noout
    - The output should contain this line:
        X509v3 Subject Alternative Name: DNS:localhost
- Set Apache configurations
  - Make sure the ssl_module and socache_shmcb_module are loaded in the Apache configuration file at /usr/local/etc/httpd/httpd.conf by uncommenting the following lines:
      LoadModule ssl_module lib/httpd/modules/mod_ssl.so
      LoadModule socache_shmcb_module lib/httpd/modules/mod_socache_shmcb.so
    Note: there are different types of socache modules - uncomment the one that matches the uncommented module used in the /private/etc/apache2/extra/httpd-ssl.conf file you edited at the beginning of these instructions
  - Restart Apache
      sudo apachectl restart
- Go to https://localhost/ and see if it works!
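
If https://localhost/ does not load, the usual causes are a server.key that does not belong to server.crt, a certificate not signed by rootCA.pem, or a missing SAN. The script below is an added example, not part of the original guide, that checks all three plus expiry; check_dev_cert is a hypothetical helper name and its default paths are the ones used in the steps above.

```sh
#!/bin/sh
# Added example (not from the original guide). check_dev_cert is a hypothetical
# helper name; the default paths are the ones used in the steps above.
# Returns 0 when every check passes, otherwise the number of failed checks.
check_dev_cert() {
    cert=${1:-/private/etc/ssl/server.crt}
    key=${2:-/private/etc/ssl/server.key}
    ca=${3:-/private/etc/ssl/rootCA.pem}
    host=${4:-localhost}
    fails=0

    # 1. The server certificate must chain to the root certificate.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   certificate is signed by $ca"
    else
        echo "FAIL: certificate does not verify against $ca"
        fails=$((fails + 1))
    fi

    # 2. The key Apache loads must match the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   $key matches the certificate"
    else
        echo "FAIL: $key does not match the certificate (or is unreadable)"
        fails=$((fails + 1))
    fi

    # 3. The SAN must list the host name (the host is used as a regex here).
    if openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$host(,|\$)"; then
        echo "ok:   SAN contains DNS:$host"
    else
        echo "FAIL: SAN does not contain DNS:$host"
        fails=$((fails + 1))
    fi

    # 4. The certificate must not have expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok:   certificate has not expired"
    else
        echo "FAIL: certificate has expired or cannot be read"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

To use it, save it as a script with a final `check_dev_cert "$@"` line and run it with `sudo sh`, since server.key was created with sudo and is owned by root.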