These instructions will guide you through setting up a self-signed certificate that covers several local virtualhosts (a multi-name certificate built from subjectAltName entries rather than a true *.domain wildcard) for offline development. Most importantly, this configuration will give you the happy, green lock in Chrome.
These instructions have only been tested on Mac OS Sierra using the pre-installed Apache and PHP versions, and they assume you already have virtualhosts set up locally. One caveat on naming: .dev has since become a real public top-level domain that Chrome forces to HTTPS through its HSTS preload list, so for offline work a reserved name such as .test or .localhost is the safer choice; the examples below keep domain.dev as written.
In Terminal, create an SSL directory, where domain is the name of your domain.
sudo mkdir -p /etc/apache2/ssl/domain
Create /etc/apache2/ssl/domain/domain.conf (for example with sudo nano) and add the following OpenSSL configuration.
You can add any additional local hosts you want protected by this certificate. Under [alt_names], add further DNS.X entries, where X is the next number in sequence, listing whatever ServerName or ServerAlias values you want covered. Chrome matches the hostname against subjectAltName and ignores the CN, so every name you will browse to must appear in this list.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain.dev
In Terminal, generate the key, the certificate request and the self-signed certificate using the OpenSSL configuration, replacing the value of -subj as you see fit (the names the browser checks come from [alt_names], not from -subj). The second command only rewrites the key in the same PEM format, so domain.key and domain.key.rsa hold the same key; it is kept because later steps reference both file names. The chmod keeps the private key readable by root only (sudo with the default umask would otherwise leave it world-readable), and -sha256 forces a SHA-256 signature, since older OpenSSL releases default to SHA-1, which current browsers reject.
sudo openssl genrsa -out /etc/apache2/ssl/domain/domain.key 2048
sudo openssl rsa -in /etc/apache2/ssl/domain/domain.key -out /etc/apache2/ssl/domain/domain.key.rsa
sudo chmod 600 /etc/apache2/ssl/domain/domain.key /etc/apache2/ssl/domain/domain.key.rsa
sudo openssl req -new -key /etc/apache2/ssl/domain/domain.key.rsa -subj /CN=domain.dev -out /etc/apache2/ssl/domain/domain.csr -config /etc/apache2/ssl/domain/domain.conf
sudo openssl x509 -req -sha256 -extensions v3_req -days 365 -in /etc/apache2/ssl/domain/domain.csr -signkey /etc/apache2/ssl/domain/domain.key.rsa -out /etc/apache2/ssl/domain/domain.crt -extfile /etc/apache2/ssl/domain/domain.conf
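The key, CSR and self-signing steps above, collected into one POSIX sh helper that builds the OpenSSL config for a primary name plus any number of extra hosts and then verifies the result. This is an added example, not the original post's commands: it sets the subject in the config (prompt = no) instead of passing -subj, creates the key under umask 077 so it is never world-readable, forces a SHA-256 signature, and adds extendedKeyUsage = serverAuth. The output directory, hostnames and file names are assumptions for illustration; run it as root if you point it at /etc/apache2/ssl.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a self-signed SAN
# certificate for local virtualhosts and checks it before it is trusted.
# All paths and hostnames passed in are caller-supplied assumptions.

# make_local_cert DIR DOMAIN [EXTRA_HOST ...]
# Writes DIR/DOMAIN.conf, DIR/DOMAIN.key, DIR/DOMAIN.csr and DIR/DOMAIN.crt.
make_local_cert() {
    dir=$1; domain=$2; shift 2
    mkdir -p "$dir" || return 1
    conf="$dir/$domain.conf"; key="$dir/$domain.key"
    csr="$dir/$domain.csr";   crt="$dir/$domain.crt"

    # OpenSSL config: DN comes from the file (no -subj), DNS.1 is the
    # primary name and each extra host gets the next DNS.N entry.
    {
        printf '[req]\nprompt = no\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = v3_req\n'
        printf '[req_distinguished_name]\nCN = %s\n' "$domain"
        printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[alt_names]\nDNS.1 = %s\n' "$domain"
        i=2
        for host in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$host"
            i=$((i + 1))
        done
    } > "$conf" || return 1

    # Private key: umask 077 in a subshell so the file is created mode 600.
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null) || return 1
    # CSR; the subject is taken from [req_distinguished_name].
    openssl req -new -key "$key" -out "$csr" -config "$conf" 2>/dev/null || return 1
    # Self-sign for one year with SHA-256, copying the v3_req extensions (the SANs).
    openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" \
        -extensions v3_req -extfile "$conf" -out "$crt" 2>/dev/null || return 1
}

# cert_has_san DIR DOMAIN HOST: succeeds if HOST appears as a DNS SAN entry.
# The SAN line is split on commas so each entry is compared as a whole string.
cert_has_san() {
    openssl x509 -in "$1/$2.crt" -noout -text \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$3"
}

# key_matches_cert DIR DOMAIN: the certificate's public key must match the key
# Apache will load, or the vhost will fail to start.
key_matches_cert() {
    k=$(openssl rsa -in "$1/$2.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/$2.crt" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_signed_sha256 DIR DOMAIN: guards against an old default of SHA-1.
cert_signed_sha256() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'sha256WithRSAEncryption'
}

# Usage: sh make_local_cert.sh /etc/apache2/ssl/domain domain.dev www.domain.dev
if [ $# -ge 2 ]; then
    make_local_cert "$@" && key_matches_cert "$1" "$2" \
        && cert_signed_sha256 "$1" "$2" && echo "wrote $1/$2.crt"
fi
```

Run the three check functions against the files from the manual steps above as well; a name missing from the SAN list is the usual reason Chrome still shows the certificate as invalid even after it has been trusted.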
Finally, add the resulting certificate to Keychain Access as a trusted root. I recommend backing up System.keychain before doing this (for example, sudo cp /Library/Keychains/System.keychain /Library/Keychains/System.keychain.bak). Note that -r trustRoot trusts this self-signed certificate system-wide for every purpose; if you only need it for HTTPS, add -p ssl to limit the trust setting to SSL.
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/apache2/ssl/domain/domain.crt
In Terminal, edit the Apache configuration.
sudo nano /etc/apache2/httpd.conf
Within your editor, uncomment the following lines to enable the modules required by HTTPS and to include httpd-ssl.conf.
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so
Include /private/etc/apache2/extra/httpd-ssl.conf
Open your virtualhost file (e.g. httpd-vhosts.conf or /etc/apache2/virtualhosts/virtualhost) and add a 443 VirtualHost and its Directory block at the end of the file, replacing username with your user name. This assumes you already have <VirtualHost *:80> configured as well, but that is not required if you'll only ever use SSL. The cipher string in the original version of this block was the old Apache default, which permits export-grade, LOW and even null-encryption suites; the protocol and cipher settings below replace it, and the Apache 2.2-style Order/Allow lines are dropped because Require all granted is what Apache 2.4 uses.
<VirtualHost *:443>
    ServerName domain.dev
    DocumentRoot "/Users/username/Sites/domain"
    SSLEngine on
    # Disable SSLv3, exclude anonymous, null, MD5 and RC4 suites, and let the
    # server pick from its own preference order.
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/apache2/ssl/domain/domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domain/domain.key
    <Directory "/Users/username/Sites/domain">
        # Indexes enables directory listings; drop it if you do not want them.
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
In Terminal, check your configuration:
sudo apachectl configtest
If configtest complains that /private/etc/apache2/server.crt does not exist or is empty, that comes from the default _default_:443 VirtualHost in httpd-ssl.conf, which points at certificate files Sierra does not ship; either comment out that VirtualHost's SSLCertificateFile and SSLCertificateKeyFile lines or point them at the files created above. If there aren't any other issues, or you have resolved them, restart Apache:
sudo apachectl restart
Now, in a web browser, visit https://domain.dev. The site should appear trusted, and the certificate details should list every name from [alt_names]; a name that is missing there will still produce a warning even though the certificate itself is trusted.
I get
unable to find 'distinguished_name' in config
with the command sudo openssl req -new -key /etc/apache2/ssl/domain/domain.key.rsa -subj /CN=domain.dev -out /etc/apache2/ssl/domain/domain.csr -config /etc/apache2/ssl/domain/domain.conf