
How to create a secure (HTTPS) OS X webserver UNIX
In the interest of better data security when sharing data from my home computer, I thought it would be a good idea to enable a secure HTTPS connection from my visitors. I looked for an easy-to-understand walkthrough which could get me up and running in a matter of minutes. Not finding one, I decided to create my own.

Requirements for this walk-thru:
  • Basic familiarity with Terminal and use of sudo
  • BSD subsystem for openssl support
  • Dynamic DNS hostname (I'm using a fictitious sslthis.dyndns.org for tutorial purposes; substitute as needed)
The basic steps are:
  1. Creating a Certificate Authority
  2. Generating a Web Server Private Key
  3. Generating a Web Server Certificate Request
  4. Signing the Certificate Request
  5. Creating a .conf File for Apache
Disclaimer: These are the basic steps necessary to get up and running; additional work should be done to check file/directory permissions on your certificates, etc. I have not gone through and fine-combed my steps for locking things down, and in no way should this be construed to be a final solution for creating a completely secure webserver. Read the rest of the hint for the detailed walkthrough...

STEP 1. CREATING A CERTIFICATE AUTHORITY

Open up Terminal and enter the following commands (don't type the $, that's the prompt):
$ cd ~/Documents
This changes to your Documents folder in your Home directory; next, enter:
$ mkdir certs
This creates a new directory called certs; you can name it whatever makes sense to you, although names without spaces are best.
$ /System/Library/OpenSSL/misc/CA.pl -newca
This runs the CA.pl script that is part of the system to create a new Certificate Authority in the certs directory. You will get the following output to the Terminal:
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++.................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: (enter a new secure password)
Verifying - Enter PEM pass phrase: (reenter the same password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is 
called a Distinguished Name or a DN. There are quite a few fields but 
you can leave some blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
Enter the information as prompted; the more meaningful you make it, the easier it is for people visiting your site to know that they aren't getting a bad connection:
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: sslthis.dyndns.org
Email Address []
Once this step is completed, you will have a series of folders inside ~/Documents/certs that make up the necessary structure for a functioning Certificate Authority. Files/directories created so far are:
~/Documents/certs
~/Documents/certs/demoCA
~/Documents/certs/demoCA/cacert.pem
~/Documents/certs/demoCA/certs
~/Documents/certs/demoCA/crl
~/Documents/certs/demoCA/index.txt
~/Documents/certs/demoCA/newcerts
~/Documents/certs/demoCA/private
~/Documents/certs/demoCA/serial
STEP 2. GENERATE A PRIVATE KEY FOR THE WEBSERVER

The next step will be to generate a private key for your webserver. In the ~/Documents/certs directory, enter the following in Terminal:
$ openssl genrsa -des3 -out webserver.key 1024
This will generate an encrypted, private key called webserver.key; use a meaningful name, no spaces. The output will be:
Generating RSA private key, 1024 bit long modulus
....................................++++++
.....................++++++
e is 65537 (0x10001)
Enter pass phrase for webserver.key: (enter a new secure password)
Verifying - Enter pass phrase for webserver.key: (reenter the same password)
Next, you will have to generate a non-password-protected copy of the key for Apache so that it can start up without errors.
$ openssl rsa -in webserver.key -out webserver.nopass.key
This will generate a non-password protected copy of the private key you just generated.
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
writing RSA key
Files generated at this point:
~/Documents/certs/webserver.key
~/Documents/certs/webserver.nopass.key
STEP 3. GENERATE A CERTIFICATE REQUEST

The next step will be to generate a certificate request for your webserver based on the private key generated in step two, in a format that can be signed by the Certificate Authority created in step one. In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
$ openssl req -config /System/Library/OpenSSL/openssl.cnf \
 -new -key webserver.key -out newreq.pem -days 3650
This will tell the system to generate a new certificate request newreq.pem with the default openssl.cnf configuration file and using webserver.key, for a validity period of 10 years.
Enter pass phrase for webserver.key: (enter the secure password created in step 2)
You are about to be asked to enter information that will be incorporated
into your certificate request. What you are about to enter is what is 
called a Distinguished Name or a DN. There are quite a few fields but 
you can leave some blank. For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:sslthis.dyndns.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: leave blank
An optional company name []: leave blank
Files generated at this point:
~/Documents/certs/newreq.pem
STEP 4. SIGNING THE CERTIFICATE REQUEST

The next step will be to sign the certificate request newreq.pem with the Certificate Authority created in step one. In the ~/Documents/certs directory, enter the following in Terminal (Return key after each entry):
$ /System/Library/OpenSSL/misc/CA.pl -signreq
This will tell the system to sign the 'newreq.pem' file created in step three.
Using configuration from /System/Library/OpenSSL/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: (enter the secure password created in step 1)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 29 04:00:05 2004 GMT
Not After : Nov 27 04:00:05 2014 GMT
Subject:
countryName               = as entered
stateOrProvinceName       = as entered
localityName              = as entered
organizationName          = as entered
commonName                = sslthis.dyndns.org
emailAddress              = as entered
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D8:C4:76:37:6F:8C:FA:8E:62:95:2C:A3:2E:E9:CC:5C:24:E2:5B:DB
X509v3 Authority Key Identifier:
keyid:DB:12:B4:DB:77:03:D1:64:DA:87:8A:61:79:AA:38:17:E4:7E:6B:ED
DirName:
emailAddress=
serial:00

Certificate is to be certified until Nov 27 04:00:05 2014 GMT (3650 days)
Sign the certificate? [y/n]: (type y to confirm)

1 out of 1 certificate requests certified, commit? [y/n] (type y to confirm)
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Files generated at this point:
~/Documents/certs/newcert.pem
After this is done, I moved all the files created (webserver.key, webserver.nopass.key, newreq.pem, newcert.pem) into a new subdirectory, sslthis.dyndns.org, for keeping things nice and neat.
~/Documents/certs/sslthis.dyndns.org
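As an added example (not the hint's own script), here are steps 1 through 4 run unattended with the openssl commands that CA.pl wraps, followed by the checks worth running before Apache is pointed at the files. It assumes openssl on PATH and a scratch directory; keys are generated without a passphrase and signing uses openssl x509 -req instead of CA.pl -signreq, both departures from the hint.

```shell
#!/bin/sh
# Added example, not the hint's own script: steps 1-4 run unattended with plain
# openssl commands, then checked the way a deployer should before pointing
# Apache at the files. Differences from the hint (assumptions of this example):
#  - keys are written without a passphrase (-nodes) so the script needs no input
#  - signing uses "openssl x509 -req" rather than CA.pl -signreq / openssl ca,
#    so no demoCA index.txt/serial bookkeeping is needed
#  - sslthis.dyndns.org is the hint's fictitious hostname; $WORK is a scratch dir
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, nothing to do" >&2; exit 0; }

HOST="sslthis.dyndns.org"
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/demoCA"

# Step 1: a self-signed CA certificate (what CA.pl -newca builds interactively).
make_ca() {
  mkdir -p "$CA_DIR/private"
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj "/C=AU/ST=Some-State/O=Home CA/CN=Home CA" \
    -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
  chmod 600 "$CA_DIR/private/cakey.pem"
}

# Step 2: the web server key (the unencrypted webserver.nopass.key form).
make_key() {
  openssl genrsa -out "$WORK/webserver.nopass.key" 2048 2>/dev/null
  chmod 600 "$WORK/webserver.nopass.key"
}

# Step 3: the certificate request. "-days" is deliberately absent here: on
# "openssl req -new" it is only honoured together with -x509, which is why
# a value given at this step does not reach the signed certificate.
make_csr() {
  openssl req -new -key "$WORK/webserver.nopass.key" -out "$WORK/newreq.pem" \
    -subj "/C=AU/ST=Some-State/O=Home/CN=$HOST" 2>/dev/null
}

# Step 4: sign the request. Validity is fixed here, by the signer.
sign_csr() {
  openssl x509 -req -in "$WORK/newreq.pem" -CA "$CA_DIR/cacert.pem" \
    -CAkey "$CA_DIR/private/cakey.pem" -CAcreateserial -days 3650 \
    -out "$WORK/newcert.pem" 2>/dev/null
}

# --- checks a deployer should run -----------------------------------------

# The server certificate chains to our CA (what a browser that has imported
# cacert.pem will check).
verify_chain() {
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}

# The CN Apache will present; it must equal the host in the https:// URL.
cert_cn() {
  openssl x509 -in "$WORK/newcert.pem" -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# SSLCertificateFile and SSLCertificateKeyFile must be a matching pair.
key_matches_cert() {
  k=$(openssl rsa -in "$WORK/webserver.nopass.key" -noout -modulus | openssl md5)
  c=$(openssl x509 -in "$WORK/newcert.pem" -noout -modulus | openssl md5)
  [ "$k" = "$c" ]
}

# True when the certificate is still valid $1 days from now.
valid_for_days() {
  openssl x509 -in "$WORK/newcert.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Private keys readable only by their owner (mode 0600).
key_is_private() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

make_ca; make_key; make_csr; sign_csr
echo "certificate for $(cert_cn) written to $WORK/newcert.pem"
```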
STEP 5. BASIC SSL CONFIGURATION FILE

The last step will be to create a configuration file for Apache ssl.conf in the /etc/httpd/users directory. In that directory, enter the following in Terminal (Return key after each entry):
$ sudo vi ssl.conf
Use any Terminal editor you want if not vi, and enter the following (correct the file paths as needed):
<IfModule mod_ssl.c>

Listen 80
Listen 443
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>

SSLEngine on
ServerName sslthis.dyndns.org
ServerAdmin youremailaddress
ErrorLog /var/log/httpd/error_log

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/newcert.pem
SSLCertificateKeyFile /Users/YOURNAME/Documents/certs/sslthis.dyndns.org/webserver.nopass.key
SSLCACertificateFile /Users/YOURNAME/Documents/certs/demoCA/cacert.pem
SSLCARevocationPath /Users/YOURNAME/Documents/certs/demoCA/crl
</VirtualHost>

</IfModule>
You will also have to edit /etc/httpd/httpd.conf (don't forget to make a backup) by typing:
$ sudo vi /etc/httpd/httpd.conf
and uncommenting the following lines:
LoadModule ssl_module         libexec/httpd/libssl.so
AddModule mod_ssl.c
before restarting the webserver. Once this is done, stop and start your webserver (from Terminal or System Preferences) and you should be good to go. Don't forget to enable port forwarding for 443 TCP through your router and your OS X firewall (if enabled) for incoming connections.
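An added example, not part of the hint: a small lint that reads an ssl.conf, flags the SSLCipherSuite tokens enabled with + that the comments below argue should be excluded with ! (LOW, SSLv2, EXP, eNULL and the no-authentication aliases), and prints the stricter line. The config it reads is a constructed copy of the hint's VirtualHost written to a temp file.

```shell
#!/bin/sh
# Added example, not from the hint: lint an Apache ssl.conf for cipher-list
# tokens that enable something a public server should never offer, and print
# the hardened directive. The config below is a constructed copy of the hint's
# cipher line; the temp-file path is an assumption of this example.
set -eu

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
</IfModule>
EOF

# The value of the first SSLCipherSuite directive in a file (CR and stray
# spaces dropped, since a pasted line with trailing blanks is a common cause
# of "SSLCipherSuite takes one argument").
cipher_suite_of() {
  sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$1" | head -n 1 | tr -d '\r '
}

# Tokens that enable: no encryption (eNULL), no authentication (aNULL/ADH),
# export-grade or low-strength ciphers (EXP*, LOW), or the SSLv2 suites.
# A leading "!" excludes, so only bare or "+"-prefixed tokens are reported.
weak_tokens() {
  echo "$1" | tr ':' '\n' \
    | grep -E '^\+?(eNULL|aNULL|ADH|SSLv2|LOW|EXP|EXPORT|EXPORT40|EXPORT56)$' || true
}

weak_token_count() {
  weak_tokens "$1" | grep -c . || true
}

# Rewrites each weak "+TOKEN" (or bare TOKEN) to "!TOKEN"; all other tokens,
# including RC4+RSA, +HIGH and +MEDIUM, are left exactly as written.
harden_suite() {
  echo "$1" | tr ':' '\n' \
    | sed -e 's/^+\{0,1\}eNULL$/!eNULL/'   -e 's/^+\{0,1\}aNULL$/!aNULL/' \
          -e 's/^+\{0,1\}ADH$/!ADH/'       -e 's/^+\{0,1\}SSLv2$/!SSLv2/' \
          -e 's/^+\{0,1\}LOW$/!LOW/'       -e 's/^+\{0,1\}EXP$/!EXP/' \
          -e 's/^+\{0,1\}EXPORT$/!EXPORT/' -e 's/^+\{0,1\}EXPORT40$/!EXPORT40/' \
          -e 's/^+\{0,1\}EXPORT56$/!EXPORT56/' \
    | paste -s -d : -
}

# Human-readable report for one config file.
lint_conf() {
  suite=$(cipher_suite_of "$1")
  n=$(weak_token_count "$suite")
  if [ "$n" -gt 0 ]; then
    echo "$1: $n weak token(s) enabled: $(weak_tokens "$suite" | paste -s -d ' ' -)"
    echo "suggested: SSLCipherSuite $(harden_suite "$suite")"
  else
    echo "$1: SSLCipherSuite excludes the weak token classes"
  fi
}

lint_conf "$SAMPLE_CONF"
```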

34 comments
Learning every day
Authored by: TheSpoonman on Dec 01, '04 11:26:24AM

See, when my friends said to me, "Why would you buy a Mac? You're already seriously guru-istic in both Windows AND Linux! Why bother?", I'd answer: "'Cause real geeks never stop learnin'!"

This is an excellently written article, and looks so much more complete and thorough than the Apache-SSL Howtos I've seen for Linux. They're so poorly written that I gave up trying to get SSL working on Apache fairly quickly. It wasn't something I REALLY needed, just something to play with. With your article, I saw three points where I made mistakes immediately.

Nicely done and thanks!

---
Answering the age-old question: which is more painful, going to work or gouging your eye out with a spoon?
www.workorspoon.com



[ Reply to This | # ]
Learning every day
Authored by: legacyb4 on Dec 01, '04 12:12:10PM

Thanks.

The biggest problem I had found with the Linux-based tutorials was that none of them were written with the OS X file hierarchy in mind. Sure, you can delve into the dark hidden corners of the /folder structure, but I wanted to put things in context with /Users/username as much as possible so that a year from now, you can go back and easily figure out what was done.

Out of curiosity, what points did you get wrong?

Cheers.



[ Reply to This | # ]
Learning every day
Authored by: TheSpoonman on Dec 01, '04 03:14:05PM

Um, offhand, the biggest problems were the creation of a cert authority and/or self-signing the cert. Also, the removal of the password from the cert. The howtos made this look a ton more complex than you did. I didn't feel like bothering with that much work for a minor pet project.

I'm going to use this tonight to see if I can get it working on my Linux box. I still use Apache, but primarily as a reverse-proxy to my internal network. I'm using SSL_Proxy to encrypt packets, but would prefer to just use Apache and be done with it. SSL_Proxy was setup in 5 minutes (including download and compile time), this makes it look like Apache should be as quick!

---
Answering the age-old question: which is more painful, going to work or gouging your eye out with a spoon?
www.workorspoon.com



[ Reply to This | # ]
Learning every day
Authored by: neill on Mar 26, '05 07:11:22PM

I tried to follow this hint and once I was done and I restarted apache via sudo apachectl graceful I got the following error:

configuration broken, ignoring restart
/usr/sbin/apachectl graceful: (run 'apachectl configtest' for details)

Running configtest gives the following:

Processing config directory: /private/etc/httpd/users/*.conf
Processing config file: /private/etc/httpd/users/laubennd.conf
Processing config file: /private/etc/httpd/users/neil.conf
Processing config file: /private/etc/httpd/users/neill2.conf
Processing config file: /private/etc/httpd/users/ssl.conf
Syntax error on line 15 of /private/etc/httpd/users/ssl.conf:
SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers (`XXX:...:XXX' - see manual)

which tells me that the SSLCipherSuite is incorrect . . . I've double checked that I copied/pasted it exactly as in the hint.

Any ideas why it isn't working right?



[ Reply to This | # ]
Learning every day
Authored by: artntek on Dec 01, '04 12:24:05PM
Good hint - nice & clear. In case anyone needs another set of instructions, the one I used when setting up ssl was this one:

http://developer.apple.com/internet/serverside/modssl.html

which was also pretty clear and easy to follow (although providing this alternative reminds me of the old adage, about someone who has 2 clocks never knowing the exact time... :-)

cheers

m

[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: momerath on Dec 01, '04 12:30:45PM

Don't most browsers choke on self-signed certificates?



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: jecwobble on Dec 01, '04 01:44:26PM

I can only speak for Safari on OS X and Internet Explorer on XP: they don't exactly "choke" as much as "hiccough". On a per-session basis, I get prompted with a warning message about the certs, but once I accept this, I can load pages just fine.

Since I am pretty much the only surfer of my pages (I have mine secured with mod-auth, too), I don't mind the minor inconvenience. If others were surfing, I might go ahead and get a real domain name and use one of the cert authorities.

On a side note- I would prefer to use mod-digest instead, but IE really chokes on some of my PHP pages then. Since I am using SSL, am I correct that that covers my mod-auth also? In other words, even though the password is sent in the clear, it's sent in the clear THROUGH SSL, so it's encrypted, right?



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: _merlin on Dec 01, '04 06:34:03PM

Yes, it is sent over the encrypted link, so it isn't clear-text. Digest authentication is flawed, anyway, so you really need SSL even when you use it.



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: TheSpoonman on Dec 01, '04 03:08:50PM

No. Most offer you the option of importing the cert into your personal store. With IE, simply choose "View Certificate" when the warning pops up, there's an "Install Certificate" option within there. For Mozilla, it'll ask if you always want to accept that certificate. IIRC, Safari works similarly. The only time you should ever have a problem again is when the cert changes, which should only be when you change it....or someone else... ;-)

---
Answering the age-old question: which is more painful, going to work or gouging your eye out with a spoon?
www.workorspoon.com



[ Reply to This | # ]
Nicely done!
Authored by: mholve on Dec 01, '04 12:36:56PM

Indeed, very nicely done.

---
--
Everything Mac - http://everythingmac.org



[ Reply to This | # ]
Great Hint
Authored by: JadisOne on Dec 02, '04 03:06:54AM

Since I work out of a home office a lot, I often put files for clients to access from the network at home. This added bit of security gives those skittish clients a little extra peace of mind.

Nice job!



[ Reply to This | # ]
Begging for a GUI tool
Authored by: Lectrick on Dec 03, '04 10:58:55AM

This hint is great. It's just begging for a nice user-friendly GUI tool to wrap up the functionality, though! anyone?

---
In /dev/null, no one can hear you scream



[ Reply to This | # ]
Begging for a GUI tool
Authored by: krunk on Dec 03, '04 11:00:49PM

I was planning on writing one over break in cocoa.



[ Reply to This | # ]
Begging for a GUI tool
Authored by: MartySells on Dec 03, '04 11:36:30PM
Take a look at SimpleCA at http://users.skynet.be/ballet/joris/SimpleCA/. which uses Tcl/Tk and runs on Linux and Windows. You should be able to get it going on OSX if you install Tcl/Tk.

Being able to create client certificates is very handy and should be part of any similar app for OSX.

-m

[ Reply to This | # ]
A better SSLCipherSuite
Authored by: MartySells on Dec 03, '04 11:21:16PM
The original hint had:
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
I would suggest the following instead:
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
This setting will disable SSL version 2 (which has security problems) as well as weak ciphers (LOW, EXP).

Having +eNULL is particularly discouraged since NULL ciphers are ciphers offering no encryption! The setting in the original hint doesn't seem to enable NULL ciphers on a server I tested it on but looks dangerous to me.

Great hint BTW.

-m

[ Reply to This | # ]
A better SSLCipherSuite
Authored by: legacyb4 on Dec 05, '04 01:56:31AM

Thanks for the tweak on the CipherSuite; I was pulling from a .conf file on a Linux box that I have access to and didn't fine-comb through all the details.

Again, the initial goal of writing this hint was to help folks get their teeth around on how to get SSL up and running on their own OS X boxes; fine tuning for performance, security, or other customized tweaks is left for the braver souls to learn and share!



[ Reply to This | # ]
Good post - some add. notes and links
Authored by: michaelmazzen on Dec 30, '04 03:29:54PM

Hi
Great info on SSL - I've also implemented the "better" cipher,

Also I think that the info in this link: http://developer.apple.com/internet/serverside/modssl.html could be of interest to all.

Quote from above article:

"You'll be asked for some information when you start this. Most of it is pretty self explanatory, but one item, in particular, is not. Here's what you'll be asked for:

Country Name (2 letter code) [AU]: (enter your country code here)
State or Province Name (full name) [Some-State]: (Enter your state here)
Locality Name (eg, city) []: (enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section) []: (enter something here)
Common Name (eg, YOUR name) []: (this is the important one)
Email Address []: (your e-mail address)

The entry for "Common Name" is the one that seems like it should be one thing, but is, in fact, another. For this entry, you want to enter your "Server Name" as it appears in your httpd.conf (which you'll be modifying soon). As this is just a development environment, you can enter 127.0.0.1, which is the default IP for "localhost". Now, keep in mind that using 127.0.0.1 is not the same as using "localhost". The strings either match, or they don't — Unix is like that."
...
...
"First, you need to comment out the "Port" directive by placing a "#" in front of the line.

Port 80 should be changed to #Port 80. You will need to add the following just below where the Port directive was:

## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##


<IfModule mod_ssl.c>
Listen 443
Listen 80
</IfModule>

Adding these lines tells the server to be aware of traffic on port 80 (the standard HTTP port) and port 443 (the HTTPS port). This allows your SSL aware Apache installation to serve non-secure documents on port 80, while it is serving secure documents on 443."

- Might be trivial to some but crucial none the less :-)
- Michael



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: goatbar on Dec 05, '04 10:33:19AM

Thanks for the article! One question... anyone know the trick to get this to work for apache2 from fink? I did /sw/sbin/apachectl start and apache starts fine, but nothing is listening on the https port. Tried nmap too and nothing is there. Did have to take out the AddModule since that is gone in apache2, but what else do I have to do to enable mod ssl?



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: jubalkessler on Dec 11, '04 08:41:48PM

Nice how-to .. I'd elide the cert generation a bit, and just use the single command-line invocation below:

openssl req -days 720 -new -keyout <HOSTNAME>.key -out <HOSTNAME>.crt -nodes -x509

(where you replace the string "<HOSTNAME>" with the name of the web server, e.g. the name that's in the https:// url.)

The -days string will make it so the cert doesn't expire for 2 years, which I find reasonable for a personal https:// webserver.

The command will produce two files:

your.host.name.crt
your.host.name.key

Place those in a safe location, make sure the key is readable only by root, and reference the full path in Apache .. you're set.



[ Reply to This | # ]
Help: How to create a secure (HTTPS) OS X webserver
Authored by: jweinberger on Dec 29, '04 02:39:14PM

Thanks!! This is a GREAT hint.
Of course, I've done this (and similar suggestions from other sources), and I still can't get my Mac to serve https.

I am trying to set up a secure (https) server on the same domain as my non-secure server. In other words: I want http://www.domain.com to be a regular http server and https://www.domain.com to be a secure https server.

I have tried this (assume the missing brackets, please):

<VirtualHost *:80>
     DocumentRoot /Library/WebServer/Documents
     ErrorLog /private/var/log/httpd/error_log
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /Library/WebServer/Secure
    ErrorLog /private/var/log/httpd/error_log2
    SSLEngine on
</VirtualHost>

in my httpd.conf file (with the SSLCertificateFile and SSLCertificateKey directives coming earlier in the file (I tried to include them in the virtualhost container, but Apache said no...and would not start)

I also tried the ssl.conf file suggested here, and I tried adding the directives in the ssl.conf file to the httpd.conf file.

Apache started with no hiccups each time.

The mod_ssl is loaded and added

But when I try to access www.domain.com which points to my Mac (10.3.7 client, NOT server) I do fine with the http:// connection (on port 80), but when I try an https:// connection (even if I specify :443) it tells me it cannot find the server.

Ports 80 and 443 are open (personal web sharing is on and I manually opened 443) in Sharing Preferences, and I have routed them to my Mac through my Airport Extreme Base Station's port mapping.

Any suggestions would be very much appreciated!

Thanks!!!



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: davidw on Dec 29, '04 07:06:26PM

I have three questions:
1) Everything seemed to work until I noticed that the result of Step 4 showed that the certificate was ONLY valid for 360 days (1 year), and not as entered in step 3; 3650 days (10 years). I have tried several times and I keep getting the same result. Anybody have a clue and advice?

2) When I get this all installed, will ALL pages served by the Mac Os X Apache server be run as SSL (https://blabla)?

3) Can people choose to see the same pages as normal non-ssl encrypted (http://blabla), depending on if they use the "s" after http in the url?

Your guide seems pretty simple compared to the documentation I have seen elsewhere for ssl implementation in Apache/mac osx. Looking forward to seeing it working!

regards,
Davidw



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: trixiemay on Mar 27, '05 05:55:39PM

Notes from newbie:

I was trying to do the above. All worked fine when I did local access via 127.0.0.1 but when I tried using an external address it didn't work.

I'm assuming you have to manually add port 443 to the Sharing firewall (in addition to 80 & 427).

When I tried to add this via the System Preferences GUI, it wouldn't allow me to edit, so I had to hack the Library/Preferences/...firewall.plist file manually.

Anyone know why? Anyways, hope this may be helpful to the next person.



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: AnotherMarkj1 on Mar 27, '05 09:58:47PM

You should be able to add new ports to the firewall configuration in System Preferences by going to Sharing and pick the Firewall tab there. There's a New button there -- this produces a list of protocols, but you can select Other and enter a range of ports.



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: marklark on Dec 04, '06 09:54:10AM

Checking/enabling the "Personal Web Sharing" box in the "Sharing" preference panel covers ports 80, 427, and 443 already -- at least in Mac OS X 10.4.8



[ Reply to This | # ]
Can people choose to see the same pages as normal non-ssl encrypted (http://blabla) ...
Authored by: Uncle Ward on Jun 14, '05 05:02:19PM

People can try to access your secure site with http://your site.com; however, you can keep them out with a little simple PHP code at the top of your secure site web pages:

<?php
// Refuse to serve the secure pages over a plain-HTTP (non-443) connection.
$port = $_SERVER["SERVER_PORT"];
if ($port != "443") :
    // insecure site code goes here
    exit();
endif;
?>



[ Reply to This | # ]
365 days problem
Authored by: brian163 on Nov 25, '05 10:26:03PM

I had a similar problem and found at least a workaround if not the specific cause. Prior to this step, edit the /System/Library/OpenSSL/openssl.cnf file and change:
default_days = 365
to
default_days = 3650

Then the cert will reflect 10 years. I'm guessing the config file options take precedence over command line flags.



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: knud_steven on Jul 04, '09 08:36:16PM
There is another reply regarding the expiry date that suggests changing the default_days in the OpenSSL config file; that can't hurt, but didn't do it for me. I had to edit sign.sh from the mod_ssl package and change default_days there as well. Using sign.sh is part of the instructions from http://developer.apple.com/internet/serverside/modssl.html




[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: tofino on Aug 25, '05 02:03:48PM

Excellent instructions, but things break down at the signing stage. I received:

Using configuration from /System/Library/OpenSSL/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
3627:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('./demoCA/private/cakey.pem','r')
3627:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key
Signed certificate is in newcert.pem

I retraced my steps - What went wrong?

Cheers



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: legacyb4 on Aug 27, '05 03:10:10PM
Revisited this hint to set things up for a secure webserver in 10.4 (Tiger); read through the comments to get some of the updated comments made by users:


SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL

amongst others but it's nice to see that it still works!

[ Reply to This | # ]

How to create a secure (HTTPS) OS X webserver
Authored by: lgxxl on Sep 04, '06 01:40:22AM
Sorry, I closely followed the instructions on a Tiger 10.4 xserve (my fault!).

Should have used the Apple certified document first place:
http://developer.apple.com/internet/serverside/modssl.html

thanks anyway.

[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: philip_lamb on Nov 28, '06 06:25:55PM
In the final section, the lines:

SSLCACertificateFile /Users/YOURNAME/Documents/certs/demoCA/cacert.pem
SSLCARevocationPath /Users/YOURNAME/Documents/certs/demoCA/crl
aren't necessary unless you're also doing client-certification (where clients are also issued with certificates to allow the web server to verify client identities).

[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: Pmac on Dec 07, '07 12:28:30PM

I used this guide very successfully on Tiger. Thanks for the article.

Unfortunately, Leopard uses Apache 2, which seems to operate differently as SSL serving no longer works as before.

Is there any chance of an update to bring us all up to scratch?

Thanks, again!



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: contactm on Dec 04, '11 04:19:52PM

Thank you for the post! Very useful.

For Mac OS 10.5.8, please check this post for additional information:
http://hints.macworld.com/article.php?story=20080628074917113

and please note that "cacert.pem" is in the "demoCA" folder.



[ Reply to This | # ]
How to create a secure (HTTPS) OS X webserver
Authored by: chaseholden on Jan 29, '12 02:08:09AM
BTW: here's where to do this with Snow Leopard and Lion OS 10.6 10.7+ , although this is for creating self signed certificates only, not as your own CA (certificate authority):

Configure SSL on Lion's Apache http://apple.stackexchange.com/questions/25434/configuring-ssl-with-apache-under-lion

...otherwise, the above instructions generate the following error on Lion's apache:

bash-3.2# /System/Library/OpenSSL/misc/CA.pl -signreq
Using configuration from /System/Library/OpenSSL/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
16021:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
16021:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:358:
unable to load CA private key
Signed certificate is in newcert.pem


(the signed certificate it claims that it makes after all of those errors is, in fact, not valid nor legitimate. It has no functionality and is neither signed nor certified.)
---
Merchant Service Group, Inc.


[ Reply to This | # ]