SSL & HTTPS on Mac OS X 10.6

First posted on the 14th March, 2011 – IT
Last modified on the 25th August, 2011, at 6:09 pm

SSL encryption was needed for access to the LinkedIn API, and Mac OS X 10.6 does not ship with SSL enabled. To use the LinkedIn API, SSL certificates therefore need to be created and SSL and HTTPS enabled.

To generate and self-sign the certificates, the following process was followed:

  • Mac OS X Hints: How to create a secure (HTTPS) OS X webserver
  • An alternative description is also given here: Apple: Using mod_ssl on Mac OS X
  • As Mac OS X 10.6 uses apache2, certificates were created and installed using the following:

    Create and go to working directory:
    mkdir ~/ssl; cd ~/ssl

    Create Certificate Authority:
    /System/Library/OpenSSL/misc/CA.sh -newca

    Generate an encrypted, private key:
    openssl genrsa -des3 -out webserver.key 1024

    Generate a non-password protected copy of the encrypted private key:
    openssl rsa -in webserver.key -out webserver.nopass.key

    Generate a certificate request for your webserver based on the private key:
    openssl req -config /System/Library/OpenSSL/openssl.cnf -new -key webserver.key -out newreq.pem -days 3650

    Sign the certificate request newreq.pem with the Certificate Authority created in step one:
    /System/Library/OpenSSL/misc/CA.sh -signreq

    Tidy things up by creating a sub directory:
    cd ~/ssl
    mkdir www.example.com
    mv webserver.key webserver.nopass.key newreq.pem newcert.pem www.example.com
    mv demoCA/ CA/
    mv CA/ www.example.com/

    Copy working directory to webserver:
    sudo cp -R ~/ssl /etc/apache2/

    Make a backup of original ssl.conf file and edit:
    sudo cp /etc/apache2/extra/httpd-ssl.conf /etc/apache2/extra/httpd-ssl.conf.original
    sudo nano /etc/apache2/extra/httpd-ssl.conf

    Change the following lines to match the previously created certificates under :
    ServerName www.example.com:443
    ServerAdmin you@example.com
    SSLCertificateFile "/private/etc/apache2/ssl/www.example.com/newcert.pem"
    SSLCertificateKeyFile "/private/etc/apache2/ssl/www.example.com/webserver.nopass.key"

    Comment out the following lines as client-certification is not needed.

    SSLCACertificatePath "/private/etc/apache2/ssl/www.example.com/CA/cacert.pem"
    SSLCARevocationPath "/private/etc/apache2/ssl/www.example.com/CA/crl"

    Make a backup of httpd.conf file and edit:
    sudo cp /etc/apache2/httpd.conf /etc/apache2/httpd.conf.backup-php
    sudo nano /etc/apache2/httpd.conf

    Uncomment the following line:
    # Include /private/etc/apache2/extra/httpd-ssl.conf

    Restart the webserver either from system preferences or using:
    sudo apachectl restart

    Apparently Apache was updated to 2.2.15 in Mac OS 10.6.5, which broke the apachectl script and results in the following error:
    /usr/sbin/apachectl: line 82: ulimit: open files: cannot modify limit: Invalid argument
    The error can be avoided by changing the following line of /usr/sbin/apachectl from:
    ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
    to
    ULIMIT_MAX_FILES=""
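
The files that httpd-ssl.conf points at can be checked before Apache is restarted. The script below is an added example, not part of the original post: the function name check_tls_pair and its output messages are made up for illustration, and it assumes the certificate, key and CA certificate paths used in the steps above.

```shell
#!/bin/sh
# Added example (not from the original post). Arguments: CERT KEY CACERT.
check_tls_pair() {
    cert=$1; key=$2; ca=$3; problems=0

    # 1. The certificate and the private key must carry the same RSA modulus.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || cert_mod=cert-unreadable
    key_mod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null) || key_mod=key-unreadable
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: certificate and private key do not match"
        problems=$((problems + 1))
    fi

    # 2. The certificate must verify against the CA that signed it.
    #    The textual result is matched, so the exit status is not relied on.
    if ! openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'; then
        echo "FAIL: certificate does not verify against $ca"
        problems=$((problems + 1))
    fi

    # 3. Report the RSA key size recorded in the certificate (warning only).
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p')
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WARN: ${bits:-unknown}-bit RSA key (below 2048 bits)"
    fi

    # 4. The passphrase-free key must not be accessible by group or others.
    perms=$(ls -lL "$key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible by group/others (fix: sudo chmod 600)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage with the paths from this page:
#   d=/private/etc/apache2/ssl/www.example.com
#   check_tls_pair "$d/newcert.pem" "$d/webserver.nopass.key" "$d/CA/cacert.pem"
if [ "$#" -eq 3 ]; then check_tls_pair "$@"; fi
```

A key generated with the 1024-bit command above produces the WARN line; the function's exit status reflects only the FAIL checks.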