macOS Development and Self-signed SSL Certificates

Sometimes we have to work around the fact that SSL certificates in development don’t work out of the box. The local environment can load in a self-sign SSL certificate, but it won’t be valid. Let's fix that!

Install OpenSSL (using brew)

brew install openssl

To learn more about Homebrew read this page.

Generating a Self-signed Certificate

Homebrew does not symlink OpenSSL, so we'll use the absolute path to the installed binary:

/usr/local/Cellar/openssl/1.0.2s/bin/openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
  • Edit the path to the openssl binary file as neeed.

Now we generate the key by typing this:

/usr/local/Cellar/openssl/1.0.2s/bin/openssl rsa -passin pass:x -in server.pass.key -out server.key

Now type the information that would be included in the certificate. Since this is a self-signed certificate, there is no need to provide the challenge password (to leave it blank, press enter):

/usr/local/Cellar/openssl/1.0.2s/bin/openssl req -new -key server.key -out server.csr

Here is an example:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
Generating a 2048 bit RSA private key
..........................+++
..................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:Mia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Local Dev Industries
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:local.dev
Email Address []:no@mail.dev

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

As a result of executing the above command, you will find a file named server.csr (Certificate Signing Request) file in the same directory.

Now generate a file named auth.dns with the below listed contents:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = <common-name/FQDN used while generating csr>

Create the SSL Certificate utilizing the CSR file created.

 /usr/local/Cellar/openssl/1.0.2s/bin/openssl x509 -req -sha256 -extfile auth.dns -days 365 -in server.csr -signkey server.key -out server.crt

Getting macOS to Trust Self-signed SSL Certificates

To get your browser to accept self-generated SSL certificates on macOS to the following:

  1. Open up Keychain Access.app.
  2. Drag your server.crt certificate file into Keychain Access.
  3. Go into the Certificates section and locate the certificate you just added
  4. Double click on it, enter the trust section and under “When using this certificate” select “Always Trust

Set the Self-signed Certificate in Apache

Copy the server.crt, server.csr and server.key files to your Apache's conf directory.

Find your Apache's SSL virtualhost configuration file for SSL, usually httpd-ssl.conf in the apache/extra directory, and add/edit these lines:

SSLCertificateFile "/Path/To/Apaches/conf/apache/server.crt"
SSLCertificateKeyFile "/Path/To/Apaches/conf/apache/server.key"
SSLCertificateChainFile "/Path/To/Apaches/conf/apache/server.crt"

Finally, uncomment the virtualhost line inside Apache's httpd.conf:

Include /path/to/apache/conf/apache/extra/httpd-ssl.conf

Restart Apache!

Valid Local HTTPS

Chrome and Safari should be set. Firefox is a bit "obnoxious", to make it work on Firefox go to about:config page and turn the security.enterprise_roots.enabled setting on.

Now when viewing your website locally your certificate will be trusted.

Https

{{ message }}

{{ 'Comments are closed.' | trans }}