Apache SSL on Mac OSX

Recently I needed to configure a virtual host with SSL. After struggling a bit, here is a step-by-step guide on how to do it.

I tested these steps on Mac OSX 10.9, also known as Mavericks, but this should work fine in other OSes running Apache. Of course this set of instructions may or may not need some adjustments to suit your environment.

1. Generate the host key

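We need to generate a key for the server. Remember: do NOT enter a pass phrase for this key; when prompted, just leave it blank. Otherwise Apache will ask for the pass phrase every time it starts. The key is therefore stored unencrypted, so keep it readable by root only.

sudo mkdir /private/etc/apache2/ssl
cd /private/etc/apache2/ssl
# -t rsa -m PEM keeps the key in the PEM RSA format that openssl and Apache read;
# newer OpenSSH versions otherwise default to their own key format
sudo ssh-keygen -t rsa -m PEM -f server.key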

2. Create the certificate request file

This file should have some info about your org that will be used in the SSL certificate. You will be asked some questions, just answer them freely.

sudo openssl req -new -key server.key -out request.csr

3. SSL Certificate

Now it's time to create the self-signed certificate. You do this by executing:

sudo openssl x509 -req -days 365 -in request.csr -signkey server.key -out server.crt

4. Apache Time!

We now have the certificate and it's time to configure Apache.

First of all make a backup of your configuration file /private/etc/apache2/httpd.conf, just in case this goes south.

Enable SSL Module

Go to /private/etc/apache2/httpd.conf and verify that the SSL module is enabled (this means that the line loading the module should be uncommented), e.g.

LoadModule ssl_module libexec/apache2/mod_ssl.so
#This is a comment so if the line above has the # just remove it

Include SSL conf file

In the same file, make sure this line is also uncommented.

Include /private/etc/apache2/extra/httpd-ssl.conf

Include your previously created SSL files in the config

Now go to /private/etc/apache2/extra/httpd-ssl.conf and change these two lines:

SSLCertificateFile "/private/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/server.key"

Comment unnecessary lines

Same file as above. Comment out (add a # at the beginning of the line) the lines that start with:

SSLCACertificatePath
SSLCARevocationPath

5. Configure the virtual host

You are almost ready; you just need to configure a vhost that uses your newly configured SSL.

So make sure your vhosts config file is included in /private/etc/apache2/httpd.conf.

This line should be uncommented:

Include /private/etc/apache2/extra/httpd-vhosts.conf

Then go to /private/etc/apache2/extra/httpd-vhosts.conf and add NameVirtualHost *:443 below the line that says NameVirtualHost *:80.

Now you can configure an SSL vhost like this:

<VirtualHost *:443>
    SSLEngine on
    # Strong suites only; an ALL:...:+LOW:+EXP style string also admits export-grade and low-strength ciphers
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /private/etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
    ServerName somename
    DocumentRoot "/path/to/some/directory/"
</VirtualHost>

6. Restart Apache

Finally you have to restart Apache and you are all done.

sudo apachectl restart

Note: You can check the Apache configuration before restarting it by executing:

sudo apachectl configtest

You can now go to https://somename and enjoy your site.
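
A check for the files created in steps 1 to 3, as an added example that is not part of the original post: it confirms that server.key is an unencrypted RSA key matching server.crt, that only its owner can access it, and that the certificate has not expired. The function names are hypothetical; the file names are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): check the files produced by
# steps 1-3 before pointing Apache at them. Function names are hypothetical.

# 0 if the key is an unencrypted RSA key whose modulus equals the certificate's,
# 1 on mismatch, 2 if either file cannot be parsed (wrong format, pass phrase set).
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# 0 if group and others have no access to the key file.
# Characters 5-10 of the ls mode string are the group/other permission bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the certificate can be read and has not expired yet.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all checks on server.key / server.crt in directory $1.
# The return value is the number of failed checks.
check_ssl_files() {
    dir=$1; failed=0
    key_matches_cert "$dir/server.key" "$dir/server.crt" ||
        { echo "FAIL: key unreadable or does not match certificate"; failed=$((failed + 1)); }
    key_is_private "$dir/server.key" ||
        { echo "FAIL: server.key is accessible to group/others"; failed=$((failed + 1)); }
    cert_is_current "$dir/server.crt" ||
        { echo "FAIL: server.crt is expired or unreadable"; failed=$((failed + 1)); }
    [ "$failed" -eq 0 ] && echo "OK: $dir/server.key and server.crt are consistent"
    return "$failed"
}

# Usage: sudo sh check_ssl.sh /private/etc/apache2/ssl
if [ "$#" -gt 0 ]; then check_ssl_files "$1"; fi
```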