Enabling SSL on Mac OS X Leopard

March 6, 2009

Some time ago I was asked by someone in the forums if I could assist in setting up SSL on Mac OS X Leopard to enable HTTPS connections. The good news is that after a huge delay, I was able to get this to work, without that much effort. The bad news is that I accomplished this over two different attempts, so my notes may not be foolproof. And, um, I’ve already slightly reconfigured my Apache, so that might come into play. Anyway…

So follow these instructions to make this work. If you have any questions or problems, you can post a comment at the end of this article. In order to pull this off, you will need an administrative password for your computer, a text editor, and the Terminal application. If the Terminal scares you, you probably shouldn’t do this.

I will also say in advance, though, that if you want the easiest, most reliable way to get HTTPS working on Mac OS X Leopard, the answer is either MAMP or XAMPP, both of which are all-in-one Mac OS X, Apache, PHP, and MySQL packages (aka MAMP). Both are excellent, supremely easy to install, and work without issue (that I know of). To be absolutely clear about my recommendation here, I now personally use either MAMP or XAMPP for all of my Web installs on Mac OS X Leopard and I’m quite capable of installing this stuff from the source code.

If you want a little background on this, part of the problem is that Leopard includes both 32-bit and 64-bit versions of Apache. If you have a MacBook Pro, then you have a 64-bit Intel processor, meaning Apache is running in 64-bit mode. That means everything must be compiled in 64-bit mode, which can be extremely problematic. (This may apply to other Macs; I don’t know off the top of my head which ones are using 64-bit Intel processors and which aren’t.) All that being said, here’s what I did…

Using my MacBook Pro running Mac OS X Leopard 10.5.6, I started by generating the certificate keys. To do so, I followed the instructions found on Apple’s Web site. Follow those instructions exactly, up to this line:

sudo apachectl stop

You should not execute that line, although it really doesn’t matter (it just stops the Apache Web server). At this point, in the /etc/apache2/ssl.key folder you should have a bunch of files, which are the keys and certificates and other junk created using those instructions.

Next, you’ll need to open /etc/apache2/httpd.conf in a text editor or IDE. In the Terminal, you can start by making a backup copy:

cd /etc/apache2
sudo cp httpd.conf httpd.conf.backup

Then you can open the file using a Terminal text editor like pico (although I prefer vi):

sudo pico httpd.conf

Of course you’ll need to enter the administrator’s password the first time you use sudo (and again after some minutes of inactivity).

To edit the file in a GUI text editor like BBEdit, TextWrangler, or TextMate, you can open the folder in the Finder by choosing Go > Go to Folder and entering /etc/apache2 in the prompt. This will open that folder in a Finder window, then you can drag the httpd.conf file onto the text editor to open it. (There are command line and other ways to open the file in a graphical app, but I’m trying to keep this relatively simple.)

In the httpd.conf file, find the line that says

LoadModule ssl_module libexec/apache2/mod_ssl.so

and make sure it does not have a # at the front of it. If it does, that means the line is commented-out, making that module inactive.

Go a little bit further down and remove the # from in front of:

Include /private/etc/apache2/extra/httpd-ssl.conf

That line includes the SSL configuration file. You can now save httpd.conf (you’ll likely need to enter the admin password at the prompt).

Next, open httpd-ssl.conf, found in the /etc/apache2/extra folder. (By the way, /etc/apache2 and /private/etc/apache2 are two references to the same thing.)

In the httpd-ssl.conf file, you need to edit two lines, indicating the location of the certificate and key. These two lines are a few lines apart.

SSLCertificateFile "/private/etc/apache2/ssl.key/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl.key/server.key"

If you followed the instructions on Apple’s Web site, then you use exactly those values. If you used different names for the certificate or the key, or stored them in a different directory, you’ll need to change these values accordingly.

That’s it there. Now save httpd-ssl.conf and close it (again, you’ll likely need to enter the admin’s password).

Now you can test how it worked. To do so, go to the Terminal and type:

sudo apachectl configtest

If it says Syntax OK, you’re good to go. If it gives an error, make a note of what it is and search the Web or post a question here.
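As a complement to configtest, here is a small pre-flight script that checks the specific edits described above: both lines in httpd.conf uncommented, and both paths in httpd-ssl.conf pointing at files that exist. It is an added example, not part of the original article or of Apple’s instructions; the function names are made up for illustration, the world-readable key check is an extra the article does not cover, and the sample files it builds when run without arguments are constructed.

```shell
#!/bin/sh
# Added example (not the article's code). Usage: sh check_ssl.sh HTTPD_CONF HTTPD_SSL_CONF

# Print directive $2's value from its last uncommented line in file $1 (path without spaces).
directive_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { gsub(/"/, "", v); print v }' "$1"
}

# Print one line per problem found; the return status is the problem count.
check_ssl_setup() {
    httpd_conf=$1; ssl_conf=$2; problems=0
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$httpd_conf" || {
        echo "LoadModule ssl_module is missing or commented out"; problems=$((problems + 1)); }
    grep -Eq '^[[:space:]]*Include[[:space:]].*httpd-ssl\.conf' "$httpd_conf" || {
        echo "Include of httpd-ssl.conf is missing or commented out"; problems=$((problems + 1)); }
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(directive_value "$ssl_conf" "$d")
        if [ -z "$path" ]; then
            echo "$d is not set"; problems=$((problems + 1))
        elif [ ! -f "$path" ]; then
            echo "$d points at a missing file: $path"; problems=$((problems + 1))
        fi
    done
    # Extra check, not in the article: the private key must not be world-readable.
    key=$(directive_value "$ssl_conf" SSLCertificateKeyFile)
    if [ -f "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "private key is world-readable: $key"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Write a constructed sample setup into directory $1, LoadModule still commented.
make_sample() {
    mkdir -p "$1/ssl.key" "$1/extra"
    : > "$1/ssl.key/server.crt"; : > "$1/ssl.key/server.key"
    chmod 600 "$1/ssl.key/server.key"
    printf '%s\n' '#LoadModule ssl_module libexec/apache2/mod_ssl.so' \
        "Include $1/extra/httpd-ssl.conf" > "$1/httpd.conf"
    printf '%s\n' "SSLCertificateFile \"$1/ssl.key/server.crt\"" \
        "SSLCertificateKeyFile \"$1/ssl.key/server.key\"" > "$1/extra/httpd-ssl.conf"
}

if [ "$#" -eq 2 ]; then
    check_ssl_setup "$1" "$2" || echo "$? problem(s) found"
else  # no arguments: run against the constructed sample
    demo=$(mktemp -d "${TMPDIR:-/tmp}/sslcheck.XXXXXX") && make_sample "$demo"
    check_ssl_setup "$demo/httpd.conf" "$demo/extra/httpd-ssl.conf" || echo "$? problem(s) found"
    rm -rf "$demo"
fi
```

Run it with sudo against the real files if the ssl.key folder is not readable by your account; otherwise the existence checks may report the key as missing.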

If you got the Syntax OK message, you just need to restart Apache to make the changes take effect. If Apache is running, you can enter this at the Terminal:

sudo apachectl graceful

If Apache isn’t running, enter

sudo apachectl start

Or you can use the System Preferences > Sharing pane to start and stop Web Sharing.

Next, open your Web browser and go to https://localhost (note the “S” after http). Depending upon your browser, you’re most likely going to get an error message indicating that it’s not a real, valid, or secure certificate. That’s fine. You just need to tell the browser to trust that certificate. On Firefox 3.0.7, I clicked the link that said “Or you can add an exception”. Then I clicked “Add Exception…”, then clicked “Get Certificate” and “Confirm Security Exception”. The first two figures show steps 2 and 4. On Safari 3.2.1, I clicked “Show Certificate”, then checked “Always trust…” and clicked “Continue” in the next prompt (see the last two figures).

So that’s what worked for me. Hopefully this will work for you, should you decide to go this route.