macOS 10.12 Sierra Apache Setup: SSL

Part 3: macOS 10.12 Sierra Web Development Environment

This is an updated version of our prior OS X development series. The newly released macOS 10.12 Sierra requires significant changes compared to prior releases, necessitating a thorough revamp of the process. The main change is that we now use Homebrew’s Apache rather than the built-in version, but the process should continue to work on prior OS X versions.

In Part 1 of this 2-part series, we covered configuring Apache on macOS Sierra 10.12 to work better with your local user account, as well as the process for installing multiple versions of PHP. In Part 2, we covered installing MySQL, Virtual Hosts, APC caching, YAML, and Xdebug.

In this Part 3, we will cover adding SSL support to your site in this setup.

This guide is intended for experienced web developers. If you are a beginner developer, you will be better served using MAMP or MAMP Pro.


It is often important to be able to test your local site setup under SSL. There are a few steps that are needed to accomplish this with your Homebrew-based Apache setup. The first step is to make some modifications to your httpd.conf:

$ open -e /usr/local/etc/apache2/2.4/httpd.conf

In this file you should uncomment both the socache_shmcb_module and the ssl_module, and also the include for the httpd-ssl.conf, by removing the leading # symbol on those lines:

LoadModule socache_shmcb_module libexec/
LoadModule ssl_module libexec/
Include /usr/local/etc/apache2/2.4/extra/httpd-ssl.conf

After saving this file, you should then open up your /usr/local/etc/apache2/2.4/extra/httpd-vhosts.conf to add appropriate SSL-based virtual hosts.

$ open -e /usr/local/etc/apache2/2.4/extra/httpd-vhosts.conf

Here you can create a VirtualHost entry for each virtual host that you wish to provide SSL support for.

<VirtualHost *:443>
    DocumentRoot "/Users/your_user/Sites"
    ServerName localhost
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/apache2/2.4/server.crt"
    SSLCertificateKeyFile "/usr/local/etc/apache2/2.4/server.key"
</VirtualHost>

In this example we have created the VirtualHost for localhost, but it could be any of your existing VirtualHosts or even a new one. The important parts are the 443 port, along with SSLEngine on and the SSLCertificateFile and SSLCertificateKeyFile entries that point to the certificate we now need to generate.


To get this all to work with Apache, we need to create a self-signed certificate that we have already referenced in the VirtualHost definition.

The following commands will often prompt you for information regarding the certificates. You should fill these in with sensible values; the Common Name, however, should match the ServerName entry you just added to your httpd-vhosts.conf file.

First generate a key and certificate:

$ cd /usr/local/etc/apache2/2.4
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Then all you need to do now is double check your Apache configuration syntax:

$ sudo apachectl configtest

If all goes well, restart Apache:

$ sudo apachectl -k restart

You can run tail -f /usr/local/var/log/apache2/error_log to watch the Apache error log while you restart and see if you have any errors.

Now simply point your browser at https://localhost. If you are prompted about a self-signed certificate, in Chrome you can hit the Advanced option on that page and proceed, while in Firefox you need to expand I Understand the Risks and add an exception. This is because self-signed certificates are not signed by any authority, and for this reason browsers add warnings about them. Since you are the one who created the certificate, however, you know it is safe to accept it.
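The checks worth running on the generated pair before restarting Apache, as an added example that is not part of the original guide: it confirms that the Common Name matches the ServerName, that server.key belongs to server.crt, that the certificate has not expired, and that the unencrypted key file is private. The script name check_pair.sh and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the self-signed pair generated above.
# Assumed invocation (check_pair.sh is a hypothetical file name):
#   sh check_pair.sh server.crt server.key localhost

# Print the subject Common Name of certificate $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if private key $2 carries the public key embedded in cert $1.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if key file $1 grants nothing to group/other. The key is
# stored unencrypted (-nodes), so file permissions are its only protection.
key_is_private() {
    [ "$(ls -lL "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# check_pair CERT KEY SERVERNAME: report each problem, return the count.
check_pair() {
    fails=0
    cn=$(cert_cn "$1")
    [ "$cn" = "$3" ] ||
        { echo "FAIL: CN '$cn' does not match ServerName '$3'"; fails=$((fails + 1)); }
    pair_matches "$1" "$2" ||
        { echo "FAIL: $2 is not the key for $1"; fails=$((fails + 1)); }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $1 is expired or unreadable"; fails=$((fails + 1)); }
    key_is_private "$2" ||
        { echo "FAIL: $2 is readable by group or other (chmod 600)"; fails=$((fails + 1)); }
    return "$fails"
}

# Run the checks only when called with CERT KEY SERVERNAME.
if [ "$#" -eq 3 ]; then
    check_pair "$@"
fi
```

The script exits with the number of failed checks, so an exit status of 0 means the pair is consistent with the VirtualHost entry.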

