macOS Development and Self-signed SSL Certificates
Sometimes we have to work around the fact that SSL certificates in development don’t work out of the box. The local environment can load in a self-sign SSL certificate, but it won’t be valid. Let's fix that!
Install OpenSSL (using brew)
brew install openssl
To learn more about Homebrew read this page.
Generating a Self-signed Certificate
Homebrew does not symlink OpenSSL, so we'll use the absolute path to the installed binary:
/usr/local/Cellar/openssl/1.0.2s/bin/openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
- Edit the path to the openssl binary file as neeed.
Now we generate the key by typing this:
/usr/local/Cellar/openssl/1.0.2s/bin/openssl rsa -passin pass:x -in server.pass.key -out server.key
Now type the information that would be included in the certificate. Since this is a self-signed certificate, there is no need to provide the challenge password (to leave it blank, press enter):
/usr/local/Cellar/openssl/1.0.2s/bin/openssl req -new -key server.key -out server.csr
Here is an example:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt Generating a 2048 bit RSA private key ..........................+++ ..................................................+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:FL Locality Name (eg, city) :Mia Organization Name (eg, company) [Internet Widgits Pty Ltd]:Local Dev Industries Organizational Unit Name (eg, section) :Dev Common Name (e.g. server FQDN or YOUR name) :local.dev Email Address :firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
As a result of executing the above command, you will find a file named server.csr (Certificate Signing Request) file in the same directory.
Now generate a file named auth.dns with the below listed contents:
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = <common-name/FQDN used while generating csr>
Create the SSL Certificate utilizing the CSR file created.
/usr/local/Cellar/openssl/1.0.2s/bin/openssl x509 -req -sha256 -extfile auth.dns -days 365 -in server.csr -signkey server.key -out server.crt
Getting macOS to Trust Self-signed SSL Certificates
To get your browser to accept self-generated SSL certificates on macOS to the following:
- Open up Keychain Access.app.
- Drag your server.crt certificate file into Keychain Access.
- Go into the Certificates section and locate the certificate you just added
- Double click on it, enter the trust section and under “When using this certificate” select “Always Trust”
Set the Self-signed Certificate in Apache
Copy the server.crt, server.csr and server.key files to your Apache's conf directory.
Find your Apache's SSL virtualhost configuration file for SSL, usually httpd-ssl.conf in the apache/extra directory, and add/edit these lines:
SSLCertificateFile "/Path/To/Apaches/conf/apache/server.crt" SSLCertificateKeyFile "/Path/To/Apaches/conf/apache/server.key" SSLCertificateChainFile "/Path/To/Apaches/conf/apache/server.crt"
Finally, uncomment the virtualhost line inside Apache's httpd.conf:
Valid Local HTTPS
Chrome and Safari should be set. Firefox is a bit "obnoxious", to make it work on Firefox go to about:config page and turn the security.enterprise_roots.enabled setting on.
Now when viewing your website locally your certificate will be trusted.