Trust Self-Signed Certificate for Apache2 in Mac OSX

Recently, some of my friends ask me on how did I enable self-signed certificate in my Mac OSX for localhost development. In this post, I will teach you how to trust self-signed certificate for Apache2 in your Mac to enable the green lock icon in your browser.

By default, Mac OSX already have Apache2 and OpenSSL installed. The first this we need to do is enable ssl_module and socache_shmcb_module in Apache2 configuration /etc/apache2/httpd.conf and enable the httpd-ssl.conf config near the end of the file.

Open you preferred terminal and execute the following commands:

sudo vim /etc/apache2/httpd.conf

In the command above, I used vim editor. But you can also use nano or other command line text editor you prefer.

## Uncomment the socache_shmcb_module
LoadModule socache_shmcb_module libexec/apache2/

## Uncomment the ssl_module
LoadModule ssl_module libexec/apache2/

## Uncomment httpd-ssh.conf
Include /private/etc/apache2/extra/httpd-ssl.conf

Then, create your own self-signed certificate. Edit the openssl file /etc/ssl/openssl.cnf and append [ san ] section (knows as Subject Alt Name) at the end of the file.

sudo vim /etc/ssl/openssl.cnf
[ san ]
subjectAltName = DNS:localhost

By adding the above section in the openssl.cnf file, we will be generating certificate for localhost only. Fortunately, we can add more DNS host names besides localhost in a single self-signed certificate. Just add a custom section and use it in the subjectAltName.

[ san ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = *.localhost

The above settings is useful if you have multiple virtual hosts with different server names. By doing this, you don’t have to generate another certificate for a specific virtual host or server name. Just follow the format DNS.<number> = <hostname or wildcard>. This also handles wildcard for server alias.

Run the command below to generate the certificate and key file.

sudo openssl req -extensions san -config /etc/ssl/openssl.cnf -x509 -nodes -newkey rsa:4096 -keyout /private/etc/apache2/server.key -out /private/etc/apache2/server.crt -days 365 -subj "/C=PH/ST=MetroManila/L=Makati/O=WebDevelopment/CN=localhost"
  • Note that you can subject part with your preferred details /C=PH/ST=MetroManila/L=Makati/O=WebDevelopment/CN=localhost.
  • You can even increase the value of -days (let’s say 9999) instead of just 365 so you don’t have to generate again after a year.
  • For the CN (Common Name) part, I recommend to retain the value as localhost.

The command will generate 2 files, the certificate file /private/etc/apache2/server.crt and the certificate key file /private/etc/apache2/server.key.

These files are required by /private/etc/apache2/extra/httpd-ssl.conf as the values for SSLCertificateFile and SSLCertificateKeyFile.

Next, check the config file by running this command:

sudo cat /private/etc/apache2/extra/httpd-ssl.conf

Then verify if the following lines are uncommented.

Listen 443
SSLEngine on
SSLCertificateFile "/private/etc/apache2/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/server.key"

After that, check if the changes in Apache2 configurations are valid. Run the configtest argument in apache2ctl command

sudo apache2ctl configtest

Before proceeding, make sure that the configtest output is Syntax OK

Now, run this command to add the generated certificate to your Mac’s KeyChain and trust the self-signed certificate

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /private/etc/apache2/server.crt

Once done adding the certificate to keychain, restart the Apache2 instance

sudo apache2ctl restart

You should now be able to access https://localhost/ on your Mac OSX with the green lock icon in the omnibox like in the image below.

If the Not Secure or the page still displays Connection is not Private, try to close your browser and reopen it again. If reopening the browser doesn’t work, double check your the Apache2, VHost or SSL configuration.