Recently, some of my friends asked me how I enabled a self-signed certificate on my Mac OSX for localhost development. In this post, I will show you how to trust a self-signed certificate for Apache2 on your Mac so that you get the green lock icon in your browser.
By default, Mac OSX already has Apache2 and OpenSSL installed. The first thing we need to do is enable the SSL module (together with the socache_shmcb module, which the SSLSessionCache setting in httpd-ssl.conf needs) in the Apache2 configuration file /etc/apache2/httpd.conf, and enable the httpd-ssl.conf include near the end of the file.
Open your preferred terminal and execute the following command:
sudo vim /etc/apache2/httpd.conf
In the command above I used the vim editor, but you can also use nano or any other command-line text editor you prefer. Uncomment the following three lines (the Include is near the end of the file):
## Uncomment the socache_shmcb_module
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
## Uncomment the ssl_module
LoadModule ssl_module libexec/apache2/mod_ssl.so
## Uncomment httpd-ssl.conf
Include /private/etc/apache2/extra/httpd-ssl.conf
Then, create your own self-signed certificate. Edit the OpenSSL configuration file /etc/ssl/openssl.cnf and append a [ san ] section (SAN, known as Subject Alternative Name) at the end of the file:
sudo vim /etc/ssl/openssl.cnf
[ san ]
subjectAltName = DNS:localhost
By adding the above section to the openssl.cnf file, we will be generating a certificate for localhost only. The SAN section is not optional: current browsers and macOS 10.15 and later match the host name against the SAN list and ignore the Common Name, so a certificate without it will not get the green lock no matter what the CN says.
Fortunately, we can add more DNS host names besides localhost in a single self-signed certificate.
Just add a custom section and reference it from the [ san ] section:
[ san ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = *.localhost
The above setting is useful if you have multiple virtual hosts with different server names. By doing this, you don't have to generate another certificate for each virtual host or server name. Just follow the format DNS.<number> = <hostname or wildcard>. A wildcard entry such as *.localhost also covers any ServerAlias under that domain, for example app.localhost.
Run the command below to generate the certificate and key files:
sudo openssl req -extensions san -config /etc/ssl/openssl.cnf -x509 -nodes -newkey rsa:4096 -keyout /private/etc/apache2/server.key -out /private/etc/apache2/server.crt -days 365 -subj "/C=PH/ST=MetroManila/L=Makati/O=WebDevelopment/CN=localhost"
- Note that you can change the subject part with your preferred details: C=PH, ST=MetroManila, L=Makati, O=WebDevelopment, CN=localhost.
- You can increase the value of -days (say, 825) instead of just 365 so you don't have to generate again after a year. Do not go beyond 825 days, though: macOS 10.15 and later (and Safari) reject TLS server certificates with a longer validity period, so a value like 9999 will leave you with a certificate the system refuses to trust.
- For the CN (Common Name) part, I recommend keeping the value localhost. Remember that the host name is checked against the SAN list, not the CN, so every name you want to use must also appear in the [ san ] section.
The command will generate 2 files: the certificate file server.crt and the certificate key file server.key. These files are required by httpd-ssl.conf as the values for SSLCertificateFile and SSLCertificateKeyFile.
Next, check the config file by running this command:
sudo cat /private/etc/apache2/extra/httpd-ssl.conf
Then verify that the following lines are uncommented:
Listen 443
SSLEngine on
SSLCertificateFile "/private/etc/apache2/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/server.key"
After that, check whether the Apache2 configuration is valid using the configtest argument of apachectl:
sudo apachectl configtest
Before proceeding, make sure that the configtest output is Syntax OK.
Now, run this command to add the generated certificate to your Mac's Keychain and trust it as a root certificate (that is what -r trustRoot does). Because every name in the SAN list is now trusted system-wide, treat server.key like a CA key: keep it readable by root only (chmod 600) and don't copy it to other machines.
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/etc/apache2/server.crt
Once the certificate has been added to the Keychain, restart the Apache2 instance:
sudo apachectl restart
You should now be able to access https://localhost/ on your Mac OSX with the green lock icon in the omnibox, like in the image below.
If the browser still shows Not Secure or Your connection is not private, try closing your browser and reopening it. If reopening the browser doesn't work, double-check your Apache2, VHost, or SSL configuration.