Configure SSL (https) connections in your local Apache web server, on macOS Ventura

Assuming you already have the Apache HTTP web server installed locally, you can now enable secure (https) connections to it.

First, we need to create the ssl folder (if it does not exist yet) and move into it

mkdir -p /usr/local/etc/httpd/ssl
cd /usr/local/etc/httpd/ssl

Create the server key (just press Enter when asked for a passphrase)

sudo ssh-keygen -m PEM -f server.key
  • -m PEM: This option specifies the format for the generated key files. In this case, you’re specifying that the keys should be in the PEM (Privacy Enhanced Mail) format. PEM is a widely used format for storing cryptographic keys and certificates. Other possible formats include OpenSSH (the default), RFC4716, and others.
  • -f server.key: This option specifies the filename for the private key file that will be generated. In this case, the private key will be saved in a file named "server.key". A corresponding public key file with the same name plus a ".pub" extension is also generated in the same directory.

Create a certificate request file (enter the requested information or leave the fields blank when prompted)

sudo openssl req -new -key server.key -out request.csr
  • req: This is a subcommand of OpenSSL specifically used for certificate requests and related operations.
  • -new: This option tells OpenSSL to generate a new CSR. It means you’re creating a CSR from scratch, as opposed to modifying an existing one.
  • -key server.key: This option specifies the private key to be associated with the CSR. In this case, you’re using the private key from a file named "server.key". The CSR will be generated with the corresponding public key.
  • -out request.csr: This option specifies the output file where the CSR will be saved. In this case, the CSR will be saved as "request.csr".

Create a self-signed SSL certificate file from the request file.

sudo openssl x509 -req -days 99999 -in request.csr -signkey server.key -out server.crt
  • x509: This is a subcommand of OpenSSL used for working with X.509 digital certificates.
  • -req: This option specifies that you are working with a CSR (Certificate Signing Request).
  • -days 99999: This option specifies the number of days for which the generated certificate will be valid. In this case, it’s set to 99,999 days, which is roughly equivalent to 273 years. You can adjust this value as needed based on your certificate’s intended lifespan.
  • -in request.csr: This option specifies the input CSR file to be signed. In this case, you’re signing the CSR located in the file "request.csr".
  • -signkey server.key: This option specifies the private key used for signing. You’re using the private key from the "server.key" file, the same key the CSR was created with, so the resulting certificate is self-signed.
  • -out server.crt: This option specifies the output file where the signed certificate will be saved. In this case, the signed certificate will be saved as "server.crt".

Open /usr/local/etc/httpd/httpd.conf and make sure it contains the following 3 lines. If any are missing, add them; if they are there but have a # sign at the beginning, remove the # sign.

Listen 443
LoadModule ssl_module libexec/apache2/mod_ssl.so
Include /usr/local/etc/httpd/extra/httpd-ssl.conf

Open /usr/local/etc/httpd/extra/httpd-ssl.conf, find the lines containing SSLCertificateFile and SSLCertificateKeyFile, and set them as follows:

SSLCertificateFile "/usr/local/etc/httpd/ssl/server.crt"
SSLCertificateKeyFile "/usr/local/etc/httpd/ssl/server.key"

Restart the Apache HTTP web server

brew services restart httpd
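
The script below is an added example, not part of the original tutorial: a pre-restart check for the setup above that confirms the three httpd.conf lines are active, that server.crt really belongs to server.key, and that the passphrase-less key is not accessible to other users. The function names and the file name precheck.sh are made up for illustration; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): checks before restarting httpd.

# check_httpd_conf FILE: succeed only if the three required lines are present
# and not commented out with '#'.
check_httpd_conf() {
    rc=0
    for re in 'Listen[[:space:]]+443([[:space:]]|$)' \
              'LoadModule[[:space:]]+ssl_module[[:space:]]' \
              'Include[[:space:]]+.*httpd-ssl\.conf'; do
        if ! grep -Eq "^[[:space:]]*$re" "$1"; then
            echo "missing or commented out: $re" >&2
            rc=1
        fi
    done
    return "$rc"
}

# cert_matches_key CRT KEY: the public key inside the certificate must equal
# the one derived from the private key, otherwise Apache fails to start.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# key_is_private KEY: the key has no passphrase, so file permissions are its
# only protection; require no access at all for group and others.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

if [ "$#" -ge 1 ]; then
    # Usage: sh precheck.sh /usr/local/etc/httpd/httpd.conf
    ssl_dir=/usr/local/etc/httpd/ssl
    check_httpd_conf "$1" &&
        cert_matches_key "$ssl_dir/server.crt" "$ssl_dir/server.key" &&
        key_is_private "$ssl_dir/server.key" &&
        echo "checks passed, safe to restart httpd"
else
    # No argument: demo on a constructed config whose Listen line is still commented out.
    tmp=$(mktemp)
    printf '%s\n' '#Listen 443' 'LoadModule ssl_module libexec/apache2/mod_ssl.so' \
        'Include /usr/local/etc/httpd/extra/httpd-ssl.conf' > "$tmp"
    check_httpd_conf "$tmp" || echo "demo: constructed config rejected as expected"
    rm -f "$tmp"
fi
```

If key_is_private fails, tighten the key with chmod 600 and check that the user running httpd can still read it.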