Skip to content

Instantly share code, notes, and snippets.

@ethicka
Forked from jonathantneal/README.md
Last active April 12, 2024 12:26
Show Gist options
  • Save ethicka/1ba103638d92974487b2 to your computer and use it in GitHub Desktop.
Save ethicka/1ba103638d92974487b2 to your computer and use it in GitHub Desktop.
Local virtualhost SSL websites on Mac OS Sierra

Local virtualhost SSL websites on Mac OS Sierra

These instructions will guide you through the process of setting up a wildcard SSL for your local virtualhosts for offline development. Most importantly, this configuration will give you the happy, green lock in Chrome.

These instructions have only been tested on Mac OS Sierra using the pre-installed Apache and PHP versions. These instructions also assume you have virtualhosts set up locally already.


Configuring SSL

In Terminal, create a SSL directory where domain is the name of your domain.

sudo mkdir /etc/apache2/ssl/domain

Edit domain.conf and add the following configurations.

You can add any additional localhosts you want to have protected by this certificate. Under [alt_names] add additional DNS.X where X is in iterative number and add whatever ServerName or ServerAlias you want protected.

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = domain.dev

In Terminal generate Certificate Requests using the OpenSSL configuration. Replacing the defaults in the -subj variable as you see fit.

sudo openssl genrsa -out /etc/apache2/ssl/domain/domain.key 2048
sudo openssl rsa -in /etc/apache2/ssl/domain/domain.key -out /etc/apache2/ssl/domain/domain.key.rsa
sudo openssl req -new -key /etc/apache2/ssl/domain/domain.key.rsa -subj /CN=domain.dev -out /etc/apache2/ssl/domain/domain.csr -config /etc/apache2/ssl/domain/domain.conf
sudo openssl x509 -req -extensions v3_req -days 365 -in /etc/apache2/ssl/domain/domain.csr -signkey /etc/apache2/ssl/domain/domain.key.rsa -out /etc/apache2/ssl/domain/domain.crt -extfile /etc/apache2/ssl/domain/domain.conf

Finally, add the later SSL certificate to Keychain Access. I recommend backing up System.keychain before doing this.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/apache2/ssl/domain/domain.crt

Setting up a Trusted Virtual Host

In Terminal, edit the Apache configuration.

sudo nano /etc/apache2/httpd.conf

Within your editor, uncomment the following lines to enable modules required by HTTPS and include httpd-ssl.conf.

LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so
Include /private/etc/apache2/extra/httpd-ssl.conf

Open your virtualhost file (e.g. httpd-vhosts.conf or /etc/apache2/virtualhosts/virtualhost) and add a 443 VirtualHost name and localhost Directive at the end of the file, replacing username with your user name. This assuming you have <VirtualHost *:80> already configured as well, but not required if you'll only ever use SSL.

<VirtualHost *:443>
    ServerName domain.dev
    DocumentRoot "/Users/username/Sites/domain"

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/domain/domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domain/domain.key

    <Directory "/Users/username/Sites/domain">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

In Terminal check your configuration:

sudo apachectl configtest

If there aren't any issues or you resolved them, then restart Apache:

sudo apachectl restart

Now, in a web browser, visit https://domain. The domain should appear trusted.

@rlaurente
Copy link

It's not working on my end. I think you are missing this part

generating apache2 keys
sudo openssl genrsa -out /etc/apache2/server.key 2048
sudo openssl req -new -key /etc/apache2/server.key -subj "/C=/ST=/L=/O=/CN=/emailAddress=/" -out /etc/apache2/server.csr
sudo openssl x509 -req -days 365 -in /etc/apache2/server.csr -signkey /etc/apache2/server.key -out /etc/apache2/server.crt

generating domain key
sudo openssl genrsa -out /etc/apache2/ssl/domain/domain.key 2048

Thanks

@ethicka
Copy link
Author

ethicka commented Sep 5, 2017

Thanks! Fixed.

@mvaneijgen
Copy link

I get unable to find 'distinguished_name' in config with the command sudo openssl req -new -key /etc/apache2/ssl/domain/domain.key.rsa -subj /CN=domain.dev -out /etc/apache2/ssl/domain/domain.csr -config /etc/apache2/ssl/domain/domain.conf

@macdonaldr93
Copy link

Worked for me! Thank you.

Only additional step I had to do was add my certs to /etc/apache2/extra/httpd-ssl.conf.

  • Add SSLCertificateFile
  • Add SSLCertificateKeyFile

@mapicard
Copy link

mapicard commented Jun 7, 2018

Not enough thumbs up for this post!!!
And thanks for leaving the revisions, they were very helpful for me.

@javierojeda94
Copy link

Worked for me as well!

Just as @macdonaldr93, I had to update my /etc/apache2/extra/httpd-ssl.conf file to add the generated .crt and .key files

@kshitijdeota
Copy link

Not enough thumbs up for this post!!!
And thanks for leaving the revisions, they were very helpful for me.

I second that! Thanks a ton @ethicka @macdonaldr93 !

@petenice
Copy link

Thank you, this was very helpful

@jun-gh
Copy link

jun-gh commented Mar 24, 2020

Did not worked for me this time. I managed to get it working few years ago.
I updated from Sierra to Mojave.
Need help. TIA

Screen Shot 2020-03-25 at 3 28 59 AM

Screen Shot 2020-03-25 at 3 29 44 AM

@RickHorowitz
Copy link

Firefox is not working correctly for me because it just keeps saying there is a security risk ahead, because the certificate is self-signed.

  Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for  
  XXXXXX.localhost.

   Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

XXXXXX is where I'm putting the domain name, so if I were trying to go to https://cats.localhost, then XXXXXX would be cats.

I've looked at about six different web pages that talk about how to create SSL certificates for local development, and I'm getting nowhere. BTW, I had previously tried using MAMP Pro for development, but was limited on versions of MySQL, so I have been manually setting up the httpd and mysql servers.

I just cannot seem to get things working correctly, especially for https.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment