Creating and Installing a Certificate on MAMP

Certificates can be used to encrypt any data that is sent between web browsers and servers. This helps ensure that the data remains secure (and cannot be read if it is intercepted as it moves between the two).

When developing sites locally (on your own computer), you want to ensure that the environment is as close as possible to that of the web server, and installing a certificate will help mirror web servers that use them.

To obtain a certificate for a website, you go to a Certificate Authority. When working locally, you need to create and install the certificate yourself. Below, there are two options for installing a certificate on MAMP:

  • MAMP Pro has built-in tools
  • MAMP (free) involves using command line tools to create the certificate, then editing Apache's configuration files so it can use them.

MAMP Pro

When using MAMP, the easiest way to create and install a certificate locally is using the tools built into MAMP Pro. A trial version of MAMP Pro is installed when you download the free version of MAMP.

On the SSL tab, there is a Create a new self-signed certificate button. Click this button, enter your details, and press the Generate button.

Once the certificate files have been generated, you need to press the Save button in the bottom right for MAMP to start using the certificate.

Finally, go to the Ports & User option on the left of the screen (not shown in screenshot) and check the port number that is used for SSL traffic.

This port number will replace the port number that you were using in the URL locally before the certificate was created. Typically the port number is 8890, so your address will become https://localhost:8890/.

Screen shot of MAMP Pro showing the options to create an SSL certificate and update the path to where the certificate is stored.

MAMP Free

To create and install a certificate for the regular version of MAMP on a Mac, you can use an open-source tool called OpenSSL, which is run from the command line using Terminal.

You may need to install OpenSSL in order to use it, as it is not installed by default. This can be done using a command line tool called Brew. Brew is a little bit like Composer for macOS. (If you have difficulty following the instructions you can find out more about how to use Terminal here).

Checking If OpenSSL is Installed

Open Terminal and enter the following command:

openssl version

Then press the enter or return key.

If it says not installed in the first few lines then you will need to install it, and the easiest way to do this is using Brew (see next step).

Checking If Brew is Installed

Open Terminal and enter the following command:

which brew

Then press the enter or return key.

If it says brew not found in the first few lines then you will need to install Brew (installation instructions are on their home page).

Once you have installed Brew, use this command (or formula) to install OpenSSL.


Open Finder and go to your user folder.
Create a folder called ssl.

If you cannot find your user folder in Finder:
Select the Go menu and select Go to folder.
Enter the tilde character ~ and press the Go button.


Next, you need to create two text files in your code editor and save them into the ssl folder you just made.

The first file is called v3.ext and it does not require any changes.

v3.ext
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

The second file is called server.csr.cnf and you should update the information after the line that says [dn] with your own information.

The letters dn stand for distinguished name and this data is used to uniquely identify who the certificate is for. The table below describes the attributes in that file that you need to update.

server.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = AU
ST = New South Wales
L = Sydney
O = Company name
OU = Web Development
CN = localhost
emailAddress=you@example.com

Attribute       Purpose
C               Two letter country code as specified by ISO-3166 https://www.iso.org/obp/ui/#search/code/
ST              State or province name
L               Locality, often a city or town
O               Organization, which is the company name
OU              Organizational unit, which is your department name
CN              CommonName, the domain or server name
emailAddress    Your email address


Create a Private Key

Open Terminal, and use the following command to navigate to the SSL folder, which you created to hold the two files above.

cd ~/ssl

Then press the enter or return key.

Next, enter the following command to create a private key.

openssl genrsa -des3 -out ~/ssl/rootCA.key 2048

Then press the enter or return key.
Terminal will ask you to enter a pass phrase (a password).
Enter one and press the enter or return key.

Remember the pass phrase as it is needed in future steps.
Terminal will not show anything when you enter a pass phrase.
Enter the pass phrase again to confirm it.

If you look in Finder, it will have created a file called rootCA.key.


Create a Root Certificate

Next, enter the following command to create a root certificate.

openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem

Then press the enter or return key.
Terminal will ask you for the pass phrase used in the previous step.

Next, Terminal will ask for the information that you entered into the server.csr.cnf file that you created earlier.

Answer each question, then press the enter or return key.

Then look in Finder and you will see a new file called rootCA.pem.


Create a Private Server Key

In Terminal, enter the following command:

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <(cat server.csr.cnf)

Then press the enter or return key.

If you look in Finder, this creates a file called server.key.


Create a Server Certificate

In Terminal, enter the following command:

openssl x509 -req -in server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out server.crt -days 1024 -sha256 -extfile v3.ext

Then press the enter or return key.

If you look in Finder, this creates a file called server.crt.


Verify the Certificate

In Terminal, enter the following command:

openssl x509 -text -in server.crt -noout

Then press the enter or return key.

This prints the details of the server certificate, which verifies that it has been created.
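The command above prints the certificate but does not test it. The script below is an added example, not part of the original page: it checks that server.crt chains to rootCA.pem, names localhost in subjectAltName, is not a CA, and matches server.key. The function names check_cert and make_demo_chain are hypothetical, and the demo chain is constructed sample input built without a pass phrase so that it runs unattended.

```shell
#!/bin/sh
# Added example: check the files produced by the steps above.
# check_cert DIR prints "ok" or the name of the first failed check.
check_cert() {
    dir=$1
    # 1. server.crt must chain to rootCA.pem (match the output text,
    #    because old OpenSSL builds exit 0 even when verification fails).
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/server.crt" 2>&1 \
        | grep -q ': OK$' || { echo "chain"; return 1; }
    text=$(openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null) || text=
    # 2. Browsers match the host name against subjectAltName, not CN.
    printf '%s\n' "$text" | grep -q 'DNS:localhost' || { echo "san"; return 1; }
    # 3. The server certificate must not itself be a CA.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || { echo "ca"; return 1; }
    # 4. server.key must belong to server.crt (same RSA modulus).
    crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null) || crt_mod=
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null) || key_mod=
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] || { echo "key"; return 1; }
    echo "ok"
}

# Constructed sample input: rebuilds the chain unattended in DIR. It differs
# from the page's commands: no pass phrase, and config files instead of prompts.
make_demo_chain() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = v3_ca' '[dn]' 'CN = Constructed Local Root' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' > "$dir/root.cnf"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'subjectAltName = @alt_names' \
        '[alt_names]' 'DNS.1 = localhost' > "$dir/v3.ext"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/rootCA.key" -sha256 -days 30 \
        -config "$dir/root.cnf" -out "$dir/rootCA.pem"
    openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=localhost" \
        -config "$dir/root.cnf" -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -out "$dir/server.crt" \
        -days 30 -sha256 -extfile "$dir/v3.ext" 2>/dev/null
}

# Demo on the constructed chain. For the real files: check_cert ~/ssl
demo=$(mktemp -d)
make_demo_chain "$demo" && check_cert "$demo"
rm -rf "$demo"
```

A result of san means the certificate was signed without the v3.ext file, and key means server.key and server.crt come from different runs of the steps.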


Tell Apache to Use the SSL Files

Now you need to tell the Apache web server to use these files.
Open up the following two files in your code editor:

  • /Applications/MAMP/conf/apache/httpd.conf
  • /Applications/MAMP/conf/apache/extra/httpd-ssl.conf

In the httpd.conf file, search for httpd-ssl.conf.
If it has a # in front of it, remove it (because the # symbol indicates that the line is a comment).

httpd.conf
# Secure (SSL/TLS) connections
Include /Applications/MAMP/conf/apache/extra/httpd-ssl.conf


Then, in the httpd-ssl.conf file, search for <VirtualHost _default_:443>.
Replace it with <VirtualHost *:443>.

httpd-ssl.conf
##
## SSL Virtual Host Context
##

<VirtualHost *:443>

Under this find:

httpd-ssl.conf
##
DocumentRoot "/Applications/MAMP/Library/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/Applications/MAMP/Library/logs/error_log"
TransferLog "/Applications/MAMP/Library/logs/access_log"

And replace it with:

httpd-ssl.conf
DocumentRoot "/Applications/MAMP/htdocs"
ServerName localhost:443
ServerAdmin you@example.com
ErrorLog "/Applications/MAMP/logs/error_log"
TransferLog "/Applications/MAMP/logs/access_log"

Now that Apache knows where to find the certificate file, you can restart Apache and use https to request your local web pages.

If you were using the port number in the address http://localhost:8888 you will need to use a new port number. Typically this is https://localhost:443 or https://localhost:8890.