Space Cat, Prince Among Thieves

Using mkcert to Set Up Local SSL on macOS's Built in Apache

A little under a year ago I wrote a walkthrough: Set up a Self Signed Certificate on macOS's Built in Apache.

Recently a new tool showed up called mkcert has come and made life way easier.

It's a wonderful tool that instead of building Self-Signed Certificates, sets your local machine up with a certificate signing authority and creates valid certificates.

You can read more about how it works at the link above. Needless to say, the process is much less painful than creating self signed certificates.

Installing mkcert

The easiest way to install mkcert is via Homebrew.

Beyond mkcert we should also install nss which helps mkcert set up Firefox to respect its certificates.

$ brew install mkcert nss

Once that's complete, we need mkcert to set itself up as a signing authority on our local machine.

$ mkcert -install

Creating the Certificates

Once we have mkcert set up, the next step is to generate the certificates for the intended local domain(s).

You may include multiple domains or wildcard subdomains. You can find more information about mkcert's capabilities here.

$ mkdir /tmp/crt && cd /tmp/crt
$ mkcert local.example.com

You should get an output something like as follows

Using the local CA at "/Users/user/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names ????
 - "local.example.com"

The certificate is at "./local.example.com.pem" and the key at "./local.example.com-key.pem" ✅

Now that we have our certificate, we can move it into the apache /etc directory:

$ sudo mkdir /etc/apache2/ssl
$ sudo mv *.pem /etc/apache2/ssl

Apache Configuration

Next, all we need to do is configure Apache.

Follow the Apache Configuration section's instructions, stopping and returning here before the "Chrome / Safari Configuration" section on my previous post.

When you reach the portion about configuring your VirtualHosts, the only difference is the filenames will look more akin to this pattern:

  SSLEngine on
  SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.pem"
  SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com-key.pem"

Unlike the prior walkthrough which restarted Apache with a reboot, we instead now only need to restart Apache.

$ sudo apachectl restart

And we're done! Unlike setting up a self signed certificate, we do not need to add anything to our keychain or browsers. We are ready to go, your certificate should work as expected.


Comment by: George Wilder on

George Wilder's Gravatar Works great!! Thanks. I followed your original post, and that did work. But this new procedure is much easier--as you noted.

Comment by: Raffaele on

Raffaele's Gravatar This works! The certificates generated with the other post's procedure, is giving issues with the latest release of macOS (10.15.1)

Email address will never be publicly visible.

See my Tweet about comment formatting.