Skip to content

Instantly share code, notes, and snippets.

@nrollr
Last active November 13, 2024 10:41
Show Gist options
  • Save nrollr/4daba07c67adcb30693e to your computer and use it in GitHub Desktop.
Save nrollr/4daba07c67adcb30693e to your computer and use it in GitHub Desktop.
Enable SSL in Apache for 'localhost' (OSX, El Capitan)

Enable SSL in Apache (OSX)

The following will guide you through the process of enabling SSL on a Apache webserver

  • The instructions have been verified with OSX El Capitan (10.11.2) running Apache 2.4.16
  • The instructions assume you already have a basic Apache configuration enabled on OSX, if this is not the case feel free to consult Gist: "Enable Apache HTTP server (OSX)"

Apache SSL Configuration

Create a directory within /etc/apache2/ using Terminal.app: sudo mkdir /etc/apache2/ssl
Next, generate two host keys:

sudo openssl genrsa -out /etc/apache2/server.key 2048
sudo openssl genrsa -out /etc/apache2/ssl/localhost.key 2048
sudo openssl rsa -in /etc/apache2/ssl/localhost.key -out /etc/apache2/ssl/localhost.key.rsa

Create a configuration file using Terminal.app: sudo touch /etc/apache2/ssl/localhost.conf
Edit the newly created configuration file and add the following:

[req]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost

Generate the required Certificate Requests using Terminal.app:

sudo openssl req -new -key /etc/apache2/server.key -subj "/C=/ST=/L=/O=/CN=/emailAddress=/" -out /etc/apache2/server.csr
sudo openssl req -new -key /etc/apache2/ssl/localhost.key.rsa -subj "/C=/ST=/L=/O=/CN=localhost/" -out /etc/apache2/ssl/localhost.csr -config /etc/apache2/ssl/localhost.conf

Note: Complete the values C= ST= L= O= CN= to reflect your own organizational structure, where:

  • C= eq. Country: The two-letter ISO abbreviation for your country.
  • ST= eq. State or Province: The state or province where your organization is legally located.
  • L= eq. City or Locality: The city where your organization is legally located.
  • O= eq. Organization: he exact legal name of your organization.
  • CN= eq. Common Name: The fully qualified domain name for your web server

Use the Certificate Requests to sign the SSL Certificates using Terminal.app:

sudo openssl x509 -req -days 365 -in /etc/apache2/server.csr -signkey /etc/apache2/server.key -out /etc/apache2/server.crt
sudo openssl x509 -req -extensions v3_req -days 365 -in /etc/apache2/ssl/localhost.csr -signkey /etc/apache2/ssl/localhost.key.rsa -out /etc/apache2/ssl/localhost.crt -extfile /etc/apache2/ssl/localhost.conf

Add the SSL Certificate to Keychain Access.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/apache2/ssl/localhost.crt

Apache Configuration

Edit the Apache main configuration file /etc/apache2/httpd.conf and enable the required modules to support SSL :

LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so

Enable Secure (SSL/TLS) connections

Include /private/etc/apache2/extra/httpd-ssl.conf

Apache Virtual Host Configuration

Edit the Virtual Hosts file /etc/apache2/extra/httpd-vhosts.conf and add the SSL Directive at the end of the file:

<VirtualHost *:443>
    ServerName localhost
    DocumentRoot "/Library/WebServer/Documents"

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl/localhost.crt
    SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

    <Directory "/Library/WebServer/Documents">
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
</VirtualHost>

Finally restart Apache using Terminal.app : sudo apachectl restart
Open Safari and visit https://localhost to verify your configuration.

@MichaelCesare
Copy link

amazing :) works on first try for my MAC OS with apache2

@smohadjer
Copy link

Thanks, worked on Mac OS Mojave.

@skogarfoss
Copy link

great help - it also works on Mac OS Catalina 10.15.7 and Apache 2.4.46 (installed with homebrew)

@francwalter
Copy link

Thank you very much! I did exactly what is written and it worked initially :)
I got the warning that not trusted but I accepted it and it is gone.

frank
Mac OS 10.11.6 with Apache 2.4 and PHP 7.4

@felixkipyego
Copy link

To fix chrome blocking you
Visit: chrome://flags/#allow-insecure-localhost on chrome and enable "Allow invalid certificates for resources loaded from localhost."

@smohadjer
Copy link

@felixkipyego Or you can use a self-assigned certificate. Then you won't get warnings in any browser. I have documented steps in a gist here: https://gist.github.com/smohadjer/cacacd14eed0881bc576d501cdf98e7d

@dev-xiligroup
Copy link

Congratulations - with 10.13.6 and (from amazing MacPorts) Apache 2.4.46 (Php 7.4.16) and some changes in path (/opt/local/etc/... instead /etc/...) https is working with localhost (or xxxx-i5-imac.local) for website in /Library/WebServer/Documents and in /Users/~loginname/Sites... Bravo ! (a good way to understand ssl and test locally WP web sites in dev...)

@alexzhu2021
Copy link

it returns
Forbidden
You don't have permission to access / on this server.
I fixed it by un-commenting
Include /private/etc/apache2/extra/httpd-vhosts.conf
in /etc/apache2/httpd.conf
I think the guide missed this part.

@HelaGone
Copy link

@Leon16
Copy link

Leon16 commented Aug 8, 2022

Update for installation on macOS 13 (Ventura),Apache/2.4.54 (Unix):

  • in /etc/apache2/httpd.conf file:
    uncomment line - "Include /private/etc/apache2/extra/httpd-vhosts.conf"

  • in /etc/apache2/extra/httpd-ssl.conf file:
    uncomment of remove all lines between the following:

# remove all lines here as otherwise any effective directives here will override settings in "/etc/apache2/extra/httpd-vhost.conf" file

@zukilover
Copy link

Listen 443

Thanks, this helps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment