Using mkcert to Set Up Local SSL on macOS's Built in Apache
A little under a year ago I wrote a walkthrough: Set up a Self Signed Certificate on macOS's Built in Apache.
Recently a new tool called mkcert showed up and made life way easier.
It's a wonderful tool that instead of building Self-Signed Certificates, sets your local machine up with a certificate signing authority and creates valid certificates.
You can read more about how it works at the link above. Needless to say, the process is much less painful than creating self signed certificates.
The easiest way to install mkcert is via Homebrew.
Along with mkcert, we should also install nss, which helps mkcert set up Firefox to respect its certificates.
$ brew install mkcert nss
Once that's complete, we need mkcert to set itself up as a signing authority on our local machine.
$ mkcert -install
Creating the Certificates
Once we have mkcert set up, the next step is to generate the certificates for the intended local domain(s).
You may include multiple domains or wildcard subdomains. You can find more information about mkcert's capabilities here.
$ mkdir /tmp/crt && cd /tmp/crt
$ mkcert local.example.com
You should get output something like the following:
Using the local CA at "/Users/user/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "local.example.com"

The certificate is at "./local.example.com.pem" and the key at "./local.example.com-key.pem" ✅
Now that we have our certificate, we can move it into the Apache /etc directory:
$ sudo mkdir /etc/apache2/ssl
$ sudo mv *.pem /etc/apache2/ssl
Next, all we need to do is configure Apache.
Follow the Apache Configuration section's instructions, stopping and returning here before the "Chrome / Safari Configuration" section on my previous post.
When you reach the portion about configuring your VirtualHosts, the only difference is the filenames will look more akin to this pattern:
SSLEngine on
SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.pem"
SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com-key.pem"
Unlike the prior walkthrough, which restarted Apache with a reboot, we now only need to restart Apache.
$ sudo apachectl restart
And we're done! Unlike setting up a self signed certificate, we do not need to add anything to our keychain or browsers. We are ready to go; your certificate should work as expected.
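If Apache fails to restart or a browser still warns, it helps to check the files in /etc/apache2/ssl directly. The function below is an added example, not part of the original walkthrough or of mkcert: it confirms that the key matches the certificate, that the certificate covers the hostname, that it chains to the mkcert root, and that the key is not readable by other users. The name check_mkcert_pair is hypothetical, and it assumes an OpenSSL 1.1.1 or later openssl binary on PATH and the rootCA.pem file in the directory printed by mkcert -CAROOT.

```shell
#!/bin/sh
# Added example (not from the original post): checks a mkcert pair before
# Apache uses it. Assumes OpenSSL 1.1.1+; check_mkcert_pair is a made-up name.
# Usage: check_mkcert_pair CERT KEY HOSTNAME CA_CERT
#   e.g. CA_CERT="$(mkcert -CAROOT)/rootCA.pem"
# Prints one line per check; returns 0 only when all four pass.
check_mkcert_pair() (   # subshell body keeps these variables local
  cert=$1 key=$2 host=$3 ca=$4 fail=0

  report() {            # report ok|FAIL message
    printf '%-4s %s\n' "$1" "$2"
    [ "$1" = ok ] || fail=1
  }

  # 1. Certificate and key must carry the same public key, otherwise
  #    Apache will not bring up the SSL virtual host.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    report ok "key matches certificate"
  else
    report FAIL "key does not match certificate (or a file is unreadable)"
  fi

  # 2. The name served by the VirtualHost must be covered by the certificate.
  if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
       grep -q 'does match certificate'; then
    report ok "certificate covers $host"
  else
    report FAIL "certificate does not cover $host"
  fi

  # 3. The certificate must chain to the local CA that `mkcert -install`
  #    added to the trust stores.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    report ok "certificate chains to $ca"
  else
    report FAIL "certificate is not signed by $ca"
  fi

  # 4. The private key must not be readable by group or other.
  if [ -z "$(find "$key" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
    report ok "key is not group/world readable"
  else
    report FAIL "key is group/world readable (chmod 600 it)"
  fi

  exit "$fail"
)
```

With the paths from this walkthrough the call is check_mkcert_pair /etc/apache2/ssl/local.example.com.pem /etc/apache2/ssl/local.example.com-key.pem local.example.com "$(mkcert -CAROOT)/rootCA.pem", run as a user who can read the key.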