
Configuring mod_ssl on Mac OS X

Here are some instructions for getting the mod_ssl module that comes with Apache on Mac OS X up and running. This is for Apache 2 on Mac OS X 10.6 and later.

Open a terminal window and type in these commands:

You need an SSL server certificate. You have two choices:

  1. If you just want to play around with an SSL web server, you can generate what is called a self-signed certificate. Web browsers will not recognize it and will display error messages. Users can dismiss these messages, and the traffic exchanged with the server will still be encrypted.

    If this is what you want, issue this command (all on one line):
    openssl req -keyout privkey-$(date +%Y-%m).pem -newkey rsa:2048 -nodes -x509 -days 365 -out cert-$(date +%Y-%m).pem
    This will give you a server certificate that you can use right away.
     
  2. If you want to use the SSL web server for real users with real content, you have to get a server certificate from a certification authority (CA) like Thawte.
    In this case, you have to generate a certificate signing request (CSR) which, along with information about your business, is sent to the CA. They will eventually give you the server certificate that you need to complete this installation.
     
    If this is what you want, issue this command now:
    openssl req -keyout privkey-$(date +%Y-%m).pem -newkey rsa:2048 -nodes -out req-$(date +%Y-%m).pem
    This will create the CSR in the file req-YYYY-MM.pem. You'll need it when you request the certificate from the CA you choose.
    After you get your certificate from the CA, save it into the file /etc/apache2/cert-YYYY-MM.pem.
    If you have it in the clipboard (including the BEGIN and END lines), you can use this to put it into the file:
    pbpaste > /etc/apache2/cert-YYYY-MM.pem
    You have to wait for the certificate; don't proceed with these instructions until you have created the cert file.

In either case, you have to fill out some information. An example session is given here (the user's answers follow the colons):

Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Zurich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Entropy
Organizational Unit Name (eg, section) []:Secure Server Administration
Common Name (eg, YOUR name) []:www.entropy.ch
Email Address []:liyanage@access.ch

In the Common Name field, it's important that you enter the host name of your web server exactly as it will be used later on, like www.yourdomain.com or ssl.yourdomain.com.

Make sure that TextEdit is not running, then type these lines into the terminal window:

The Apache config file opens. Save a copy for backup purposes. Then insert the following at the end of the file:

<IfModule mod_ssl.c>

    Listen 80
    Listen 443

    SSLCertificateFile /etc/apache2/cert-YYYY-MM.pem
    SSLCertificateKeyFile /etc/apache2/privkey-YYYY-MM.pem

    <VirtualHost _default_:443>
        SSLEngine on
    </VirtualHost>

</IfModule>

Finally, type

apachectl stop
apachectl start

to restart the web server (or toggle it in the Sharing control panel).

You should now be able to access the content with https://127.0.0.1 from the same machine.
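
A pre-flight check that can be run before restarting Apache, as an added example that is not part of the original instructions: it confirms that the private key belongs to the certificate, that the Common Name is the expected host name, that the certificate has not expired, and that the unencrypted key file is closed to group and other. The function names, the example.test host names and the -subj option used to skip the prompts are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight checks for the cert/key pair named in the Apache config.

# Public key (PEM) embedded in a certificate, and the one derived from a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_pair CERT KEY HOSTNAME
# Returns 0 if usable, 1 key mismatch, 2 wrong Common Name, 3 expired, 4 key file too open.
check_pair() {
    cert=$1; key=$2; host=$3
    want=$(cert_pub "$cert"); have=$(key_pub "$key")
    [ -n "$want" ] && [ "$want" = "$have" ] ||
        { echo "key does not belong to certificate" >&2; return 1; }
    [ "$(cert_cn "$cert")" = "$host" ] ||
        { echo "Common Name is not $host" >&2; return 2; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 3; }
    # -nodes leaves the key unencrypted on disk, so group and other must have no access.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "key file is open to group/other" >&2; return 4; }
    return 0
}

# Throwaway self-signed pair (constructed test data); -subj replaces the interactive prompts.
make_demo_pair() {  # DIR TAG HOSTNAME
    openssl req -keyout "$1/privkey-$2.pem" -newkey rsa:2048 -nodes -x509 -days 365 \
        -subj "/CN=$3" -out "$1/cert-$2.pem" 2>/dev/null && chmod 600 "$1/privkey-$2.pem"
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pair "$d" a www.example.test && make_demo_pair "$d" b ssl.example.test || return 1
    check_pair "$d/cert-a.pem" "$d/privkey-a.pem" www.example.test; echo "matching pair: $?"
    check_pair "$d/cert-a.pem" "$d/privkey-b.pem" www.example.test; echo "key from other pair: $?"
    rm -rf "$d"
}
demo
```

Against the files from these instructions, the call would be check_pair /etc/apache2/cert-YYYY-MM.pem /etc/apache2/privkey-YYYY-MM.pem followed by the host name entered as Common Name.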

15. February 2011