SSL/TLS Installation on macOS 10.14 Mojave

Introduction

This how-to will demonstrate how to install an SSL/TLS certificate on macOS 10.14 Mojave. Two scenarios are covered here: installing the certificate in Keychain Access, and installing it for use with the built-in Apache web server.

Depending on your situation, you may want to do one or both of these things; for example, if you are setting up a local development environment and want the certificate available to both Apache and client software such as web browsers, you would do both. In both cases we’ll begin by assuming that you generated your certificate signing request (CSR) in Keychain Access, as shown in our how-to. In this case, your private key will already be installed in Keychain Access. We’re also going to assume that validation is complete and your certificate is ready for download. For information on ordering and retrieving certificates, please see our how-to, Ordering and Retrieving SSL/TLS Certificates.

Note: Current versions of macOS Server (5.7.1 and later) no longer support administration of the built-in Apache web server in macOS. For this reason, this how-to requires accessing the command line (via Terminal.app) and directly editing Apache configuration files.

First Steps

1. Download the certificate bundle from your user account, using the Apache download link.

Apache download link

2. Unzip the file. It should contain your certificate (the filename will be based on the common name in your CSR and end with .crt) and the CA bundle (ca-bundle-client.crt).

Certificate and intermediate bundle

Installing the Certificate in Keychain Access

1. Open Keychain Access.app, located in /Applications/Utilities.

Keychain access

2. Select the keychain where your keypair is installed. In this case it’s the System keychain.

System keychain

3. Navigate to File > Import Items…

Import Items

4. Navigate to your new certificate, select it, and click Open.

Open certificate

5. Enter your password and click Modify Keychain.

Modify keychain

6. Repeat steps 3-5 above with ca-bundle-client.crt to install the intermediate certificate chain.

7. You can confirm that the certificates have been installed by selecting Certificates from the left sidebar menu.

Confirm installation

Install the Certificate for Apache

1. If you generated your CSR in Keychain Access, you will need to export your private key as a file for use with Apache. Open Keychain Access.app, located in /Applications/Utilities. (If you generated the CSR with OpenSSL or with SSL.com’s CSR Manager you can skip to step 9 below.)

Keychain access

2. Using the left sidebar menu to narrow your choices, find and select the private key you wish to export. In this case we are going to export the private key for www.lunchinhouston.com, located in the System keychain.

Locate private key

3. Choose File > Export Items… from the menu.

Export Items

4. Make sure that the file format selected is Personal Information Exchange (.p12) and save the file to a place where you will be able to find it.

Save PFX

5. Enter your password to unlock the keychain (if prompted), then create a password for the .p12 file and click OK.

Create PFX password

6. Open Terminal.app, located in the /Applications/Utilities/ folder, and navigate to the folder where you stored the .p12 file from step 5.

Terminal.app

7. Use openssl to extract the private key from the .p12 file. (Note: replace the filenames shown here with the name of your .p12 file and the filename you wish to use for the key.) You will first be prompted to enter the password you created in step 5, then prompted to create and verify a password to protect the private key.

$ openssl pkcs12 -nocerts -in Certificates.p12 -out privkey.key

8. Next, you will need to decrypt the private key. Enter the following command, substituting the names of the input and output files as desired (using the same name as shown below will overwrite the encrypted file). You will be prompted to enter the password you created in step 7.

$ openssl rsa -in privkey.key -out privkey.key

9. Put the private key, certificate, and intermediate bundle files in a secure directory where Apache can read them. For this how-to we will use /private/etc/apache2/. Depending on the location chosen you may need to use sudo to move the files.

10. Open Apache’s main configuration file, httpd.conf, in a text editor. On Mojave’s standard Apache installation, this file is located in the /private/etc/apache2/ directory. To open the file for editing with nano, execute the following command:

$ sudo nano /private/etc/apache2/httpd.conf

Note: Because you are using sudo to temporarily assume sufficient privileges to edit this file, you will be prompted to enter your password before continuing.

11. Find these lines in httpd.conf and uncomment them by removing the # character at the beginning of each line:

LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
...
LoadModule ssl_module libexec/apache2/mod_ssl.so
...
Include /private/etc/apache2/extra/httpd-vhosts.conf
...
Include /private/etc/apache2/extra/httpd-ssl.conf

Note: If you are using nano to edit httpd.conf, you can search for text strings with Ctrl-W.

12. Save httpd.conf and exit the text editor (Ctrl-O, followed by Ctrl-X in nano).

13. Next, open httpd-ssl.conf for editing:

$ sudo nano /private/etc/apache2/extra/httpd-ssl.conf

14. Look for the following lines and make sure that Apache is listening on port 443. If the port is set to 8443 or some other value, change it to 443.

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
Listen 443

15. Search for a line beginning with the string <VirtualHost _default_: (the port number may vary) and comment out or remove all lines between that line and the matching </VirtualHost>.

16. Save httpd-ssl.conf and exit the text editor.

17. Next, open httpd-vhosts.conf for editing:

$ sudo nano /private/etc/apache2/extra/httpd-vhosts.conf

18. Create a VirtualHost entry for the site you wish to protect (use the actual values for your website and server rather than the placeholder ones shown here), then save the file and exit the text editor.

<VirtualHost *:443>
    DocumentRoot "/PATH/TO/WEBSITE"
    ServerName SERVERNAME
    SSLEngine on
    SSLCertificateFile "/private/etc/apache2/server.crt"
    SSLCertificateKeyFile "/private/etc/apache2/server.key"
    SSLCertificateChainFile "/private/etc/apache2/ca-bundle-client.crt"
</VirtualHost>

19. Check your Apache configuration with the following command:

$ sudo apachectl configtest

20. If all is well, restart Apache:

$ sudo apachectl restart

21. If everything went correctly, you’re done! You should be able to navigate to your HTTPS website in a web browser.
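If the site does not come up, or before you point Apache at the files at all, the checks below are worth running in the same Terminal session. This is an added example, not part of the SSL.com how-to: it performs steps 7-8 non-interactively in one openssl call (the -nodes option strips the key passphrase, replacing the separate openssl rsa step), locks down the permissions on the decrypted key, confirms that the key actually belongs to the certificate, and confirms that ca-bundle-client.crt builds a chain to a trusted root. All file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the SSL.com how-to). File names are placeholders.
set -eu

# Steps 7-8 in one go: pull the key out of the .p12 and drop its passphrase.
# A decrypted key must not be readable by other users, so it is created under
# a restrictive umask and its mode is tightened explicitly afterwards.
extract_key() {
    p12="$1"; p12pass="$2"; out="$3"
    ( umask 077
      openssl pkcs12 -nocerts -nodes -in "$p12" -passin "pass:$p12pass" -out "$out" )
    chmod 600 "$out"
}

# The key handed to Apache must belong to the certificate: derive the public
# key from the private key and compare it with the one in the certificate.
# Works for RSA (what Keychain Access generates) and EC keys alike.
key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# The intermediates in ca-bundle-client.crt are untrusted chain material, not
# trust anchors: pass them with -untrusted so the chain must still end at a
# root in the system trust store (or in the optional root file, third arg).
chain_verifies() {
    cert="$1"; bundle="$2"; root="${3:-}"
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$bundle" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$bundle" "$cert" >/dev/null 2>&1
    fi
}

# Usage with the file names from the how-to (placeholders):
#   extract_key Certificates.p12 'p12 password' privkey.key
#   key_matches_cert privkey.key www.example.com.crt && echo "key matches certificate"
#   chain_verifies www.example.com.crt ca-bundle-client.crt && echo "chain verifies"
```

If key_matches_cert fails, Apache will refuse to start with a key/certificate mismatch error from mod_ssl, so this check saves a round trip through apachectl configtest.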

View website in browser

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.