Extras
Creating and Installing a Certificate on MAMP
Certificates can be used to encrypt any data that is sent between web browsers and servers. This helps ensure that the data remains secure (and cannot be read if it is intercepted as it moves between the two).
When developing sites locally (on your own computer), you want to ensure that the environment is as close as possible to that of the web server, and installing a certificate will help mirror web servers that use them.
To obtain a certificate for a website, you go to a Certificate Authority. When working locally, you need to create and install the certificate yourself. Below, there are two options for installing a certificate on MAMP:
- MAMP Pro has built-in tools
- MAMP (free) involves using command line tools to create the certificate, then editing Apache's configuration files so it can use them.
MAMP Pro
When using MAMP, the easiest way to create and install a certificate locally is using the tools built into MAMP Pro. A trial version of MAMP Pro is installed when you download the free version of MAMP.
On the SSL tab, there is a Create a new self-signed certificate button. Click this button, enter your details, and press the Generate button.
Once the certificate files have been generated, you need to press the Save button in the bottom right for MAMP to start using the certificate.
Finally, go to the Ports & User option on the left of the screen (not shown in screenshot) and check the port number that is used for SSL traffic.
This port number will replace the port number that you were using in the URL locally before the certificate was created. Typically the port number is 8890, so your address will become https://localhost:8890/.
MAMP Free
To create and install a certificate for the regular version of MAMP on a Mac, you can use an open-source tool called OpenSSL, which is run from the command line using Terminal.
You may need to install OpenSSL in order to use it, as it is not installed by default. This can be done using a command line tool called Brew. Brew is a little bit like Composer for macOS. (If you have difficulty following the instructions you can find out more about how to use Terminal here).
Checking If OpenSSL is Installed
Open Terminal and enter the following command:
openssl version
Then press the enter or return key.
If it says not installed in the first few lines, then you will need to install it, and the easiest way to do this is using Brew (see next step).
Checking If Brew is Installed
Open Terminal and enter the following command:
which brew
Then press the enter or return key.
If it says brew not found in the first few lines, then you will need to install Brew (installation instructions are on their home page).
Once you have installed Brew, use this command (or formulae) to install OpenSSL.
Open Finder and go to your user folder.
Create a folder called ssl.
If you cannot find your user folder in Finder:
Select the Go menu and select Go to folder.
Enter the tilde character ~ and press the Go button.
Next, you need to create two text files in your code editor and save them into the ssl folder you just made.
The first file is called v3.ext and it does not require any changes.
v3.ext
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
The second file is called server.csr.cnf and you should update the information after the line that says [dn] with your own information.
The letters dn stand for distinguished name, and this data is used to uniquely identify who the certificate is for. The table below describes the attributes in that file that you need to update.
server.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = AU
ST = New South Wales
L = Sydney
O = Company name
OU = Web Development
CN = localhost
emailAddress=you@example.com
Attribute | Purpose |
---|---|
C | Two letter country code as specified by ISO-3166 https://www.iso.org/obp/ui/#search/code/ |
ST | State or province name |
L | Locality, often a city or town |
O | Organization, which is the company name |
OU | Organizational unit, which is your department name |
CN | CommonName, the domain or server name |
emailAddress | Your email address |
Create a Private Key
Open Terminal, and use the following command to navigate to the ssl folder, which you created to hold the two files above.
cd ~/ssl
Then press the enter or return key.
Next, enter the following command to create a private key.
openssl genrsa -des3 -out ~/ssl/rootCA.key 2048
Then press the enter or return key.
Terminal will ask you to enter a pass phrase (a password).
Enter one and press the enter or return key.
Remember the pass phrase as it is needed in future steps.
Terminal will not show anything when you enter a pass phrase.
Enter the pass phrase again to confirm it.
If you look in Finder, it will have created a file called rootCA.key.
Create a Root Certificate
Next, enter the following command to create a root certificate.
openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem
Then press the enter or return key.
Terminal will ask you for the pass phrase used in the previous step.
Next, Terminal will ask for information that you entered into the server.csr.cnf file that you created earlier.
Answer each question, then press the enter or return key.
Then look in Finder and you will see a new file called rootCA.pem.
Create a Private Server Key
In Terminal, enter the following command:
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <(cat server.csr.cnf)
Then press the enter or return key.
If you look in Finder, this creates a file called server.key.
Create Server Certificate
In Terminal, enter the following command:
openssl x509 -req -in server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out server.crt -days 1024 -sha256 -extfile v3.ext
Then press the enter or return key.
If you look in Finder, this creates a file called server.crt.
Verify the Certificate
In Terminal, enter the following command:
openssl x509 -text -in server.crt -noout
Then press the enter or return key.
This displays the details of the certificate, which verifies that it has been created.
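The command above only prints the certificate. As an added example (not part of the original tutorial), the script below checks that server.crt was signed by rootCA.pem, that server.key belongs to it, and that the v3.ext settings were applied. The function names and the throwaway sample certificates it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of MAMP or OpenSSL.

# SHA-256 of the public key in a certificate, and of the one derived from a private key.
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }
key_pub_hash() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256; }

# usage: check_server_cert server.crt server.key rootCA.pem
check_server_cert() {
    crt=$1; key=$2; ca=$3
    # 1. server.crt must have been signed by the local root certificate.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; return 1; }
    # 2. server.key must be the private key that belongs to server.crt.
    [ "$(cert_pub_hash "$crt")" = "$(key_pub_hash "$key")" ] ||
        { echo "FAIL: $key does not match $crt"; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text)
    # 3. v3.ext must have been applied: browsers match the host name against
    #    subjectAltName and ignore CN.
    printf '%s\n' "$text" | grep -q 'DNS:localhost' ||
        { echo "FAIL: no subjectAltName entry for localhost"; return 1; }
    # 4. The server certificate must not itself be usable as a CA.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' ||
        { echo "FAIL: basicConstraints CA:FALSE is missing"; return 1; }
    echo "OK: $crt"
}

# Constructed sample data: a throwaway root and server certificate in directory $1,
# created non-interactively with the same v3.ext contents as the file above.
make_sample() {
    d=$1
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Constructed Local Root' '[v3_ca]' \
        'basicConstraints = critical, CA:TRUE' 'subjectKeyIdentifier = hash' > "$d/ca.cnf"
    printf '%s\n' 'authorityKeyIdentifier = keyid, issuer' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
        'subjectAltName = @alt_names' '[alt_names]' 'DNS.1 = localhost' > "$d/v3.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rootCA.key" \
        -out "$d/rootCA.pem" -days 2 -config "$d/ca.cnf" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=localhost" -config "$d/ca.cnf" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" \
        -CAcreateserial -out "$d/server.crt" -days 2 -sha256 -extfile "$d/v3.ext" 2>/dev/null
}

# Demo on the constructed data. Real files: check_server_cert server.crt server.key rootCA.pem
tmp=$(mktemp -d) && make_sample "$tmp" &&
    check_server_cert "$tmp/server.crt" "$tmp/server.key" "$tmp/rootCA.pem"
rm -rf "$tmp"
```

A failure at step 3 usually means the -extfile v3.ext option was left off when the server certificate was created.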
Tell Apache to Use the SSL Files
Now you need to tell the Apache web server to use these files.
Open up the following two files in your code editor:
/Applications/MAMP/conf/apache/httpd.conf
/Applications/MAMP/conf/apache/extra/httpd-ssl.conf
In the httpd.conf file, search for httpd-ssl.conf.
If it has a # in front of it, remove it (because the # symbol indicates that the line is a comment).
httpd.conf
# Secure (SSL/TLS) connections
Include /Applications/MAMP/conf/apache/extra/httpd-ssl.conf
Then, in the httpd-ssl.conf file, search for <VirtualHost _default_:443>.
Replace it with <VirtualHost *:443>.
httpd-ssl.conf
##
## SSL Virtual Host Context
##
<VirtualHost *:443>
Under this find:
httpd-ssl.conf
##
DocumentRoot "/Applications/MAMP/Library/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/Applications/MAMP/Library/logs/error_log"
TransferLog "/Applications/MAMP/Library/logs/access_log"
And replace it with:
httpd-ssl.conf
DocumentRoot "/Applications/MAMP/htdocs"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog "/Applications/MAMP/logs/error_log"
TransferLog "/Applications/MAMP/logs/access_log"
Now that Apache knows where to find the certificate file, you can restart Apache and use https to request your local web pages.
If you were using the port number in the address http://localhost:8888 you will need to use a new port number. Typically this is https://localhost:443 or https://localhost:8890.