macOS Development and Self-signed SSL Certificates
Sometimes we have to work around the fact that SSL certificates in development don’t work out of the box. The local environment can load in a self-sign SSL certificate, but it won’t be valid. Let's fix that!
Install OpenSSL (using brew)
brew install openssl
To learn more about Homebrew read this page.
Generating a Self-signed Certificate
Homebrew does not symlink OpenSSL, so we'll use the absolute path to the installed binary:
/usr/local/Cellar/openssl/1.0.2s/bin/openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
- Edit the path to the openssl binary file as neeed.
Now we generate the key by typing this:
/usr/local/Cellar/openssl/1.0.2s/bin/openssl rsa -passin pass:x -in server.pass.key -out server.key
Now type the information that would be included in the certificate. Since this is a self-signed certificate, there is no need to provide the challenge password (to leave it blank, press enter):
/usr/local/Cellar/openssl/1.0.2s/bin/openssl req -new -key server.key -out server.csr
Here is an example:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
Generating a 2048 bit RSA private key
..........................+++
..................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Mia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Local Dev Industries
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:local.dev
Email Address []:no@mail.dev
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
As a result of executing the above command, you will find a file named server.csr (Certificate Signing Request) file in the same directory.
Now generate a file named auth.dns with the below listed contents:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <common-name/FQDN used while generating csr>
Create the SSL Certificate utilizing the CSR file created.
/usr/local/Cellar/openssl/1.0.2s/bin/openssl x509 -req -sha256 -extfile auth.dns -days 365 -in server.csr -signkey server.key -out server.crt
Getting macOS to Trust Self-signed SSL Certificates
To get your browser to accept self-generated SSL certificates on macOS to the following:
- Open up Keychain Access.app.
- Drag your server.crt certificate file into Keychain Access.
- Go into the Certificates section and locate the certificate you just added
- Double click on it, enter the trust section and under “When using this certificate” select “Always Trust”
Set the Self-signed Certificate in Apache
Copy the server.crt, server.csr and server.key files to your Apache's conf directory.
Find your Apache's SSL virtualhost configuration file for SSL, usually httpd-ssl.conf in the apache/extra directory, and add/edit these lines:
SSLCertificateFile "/Path/To/Apaches/conf/apache/server.crt"
SSLCertificateKeyFile "/Path/To/Apaches/conf/apache/server.key"
SSLCertificateChainFile "/Path/To/Apaches/conf/apache/server.crt"
Finally, uncomment the virtualhost line inside Apache's httpd.conf:
Include /path/to/apache/conf/apache/extra/httpd-ssl.conf
Restart Apache!
Valid Local HTTPS
Chrome and Safari should be set. Firefox is a bit "obnoxious", to make it work on Firefox go to about:config page and turn the security.enterprise_roots.enabled setting on.
Now when viewing your website locally your certificate will be trusted.
{{ 'Comments (%count%)' | trans {count:count} }}
{{ 'Comments are closed.' | trans }}