I've done this successfully using a script I wrote a while back. One of the gotchas seems to be that the "Common Name" should be the server name (or static IP number if you don't have one). This must match the ServerName directive in httpd.conf.
#!/bin/bash
# Passphrase-protected CA and server keys are generated first; the server key
# is decrypted at the end so Apache can start without prompting for it.
echo; echo -e "Generating Certificate Authority (CA) key:"
openssl genrsa -des3 -out ca.key 4096
echo; echo -e "Generating self-signed CA certificate:"
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
echo; echo -e "Generating Server Key:"
openssl genrsa -des3 -out server.key 4096
echo; echo -e "Generating certificate signing request (CSR):"
echo -e " ** name entered for Common Name (CN) should match your server name **"
openssl req -new -key server.key -out server.csr
echo; echo -e "Signing CSR with CA:"
openssl x509 -req -days 365 -in server.csr -CA ca.crt \
    -CAkey ca.key -set_serial 01 -out server.crt
echo; echo -e "Making insecure version of server.key for apache startup"
openssl rsa -in server.key -out server.key.insecure
echo; echo -e "Renaming server secure/insecure keys"
mv server.key server.key.secure
mv server.key.insecure server.key
sudo cp server.key /etc/apache2/server.key
sudo cp server.crt /etc/apache2/server.crt
Still seems to work...
In order to get Apache to use the SSL certificates it's necessary to change httpd.conf.
First uncomment the LoadModule line to get ssl_module to load:
LoadModule ssl_module libexec/apache2/mod_ssl.so
Uncomment the Include line in httpd.conf to get the httpd-ssl.conf file loaded (on macOS this is the line Include /private/etc/apache2/extra/httpd-ssl.conf):
Now make some changes to httpd-ssl.conf. This file is in the extra/ directory.
Set the ServerName correctly (and the ServerAdmin email address, if you like)
ServerName name.of.your.server:443
ServerAdmin firstname.lastname@example.org
Set the SSLCertificateFile and SSLCertificateKeyFile to the correct file paths:
SSLCertificateFile "/private/etc/apache2/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/server.key"
And that should be it. Try loading https://localhost in a web browser. Check the logs if there's a problem.
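The script above is interactive and puts the server name only in the Common Name. The following is an added example, not the poster's script and not part of Apache or OpenSSL, showing the same CA-plus-server-certificate procedure done non-interactively and then checked before the files are copied into the Apache directory. It goes one step beyond the page in two ways: it adds a subjectAltName extension (current browsers ignore the CN and require the SAN to match the name in the URL) and it verifies that server.crt chains to ca.crt, is valid for the hostname, and matches server.key. The hostname www.example.org, the output directory, the subject strings and the 2048-bit key size are assumptions for the demo; replace them with your own values.

```shell
#!/bin/sh
# Added example (not the original poster's script): build a private CA and a
# server certificate carrying a subjectAltName, non-interactively, then verify
# the result. Hostname, paths, subjects and key size are assumptions.
set -eu

# Write ca.key, ca.crt, server.key and server.crt into $1 for hostname $2.
# Keys are written unencrypted so Apache can start without a passphrase
# prompt; the directory and key files are locked down by permissions instead.
make_server_cert() {
    dir=$1
    host=$2
    ca_days=3650    # the CA may outlive the leaf certificates it signs
    leaf_days=365   # keep leaf validity short; browsers reject >398-day leaves

    mkdir -p "$dir"
    chmod 700 "$dir"

    # 1. Private CA: key, CSR, then a self-signed root cert with CA:TRUE.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example Private CA" \
        -out "$dir/ca.csr"
    cat > "$dir/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl x509 -req -days "$ca_days" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and CSR. The CN is set to the hostname so it matches
    #    ServerName, but clients actually check the SAN added in step 3.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"

    # 3. Leaf extensions: SAN, serverAuth EKU, and CA:FALSE so the server
    #    certificate cannot itself be used to sign other certificates.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -days "$leaf_days" -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir"/*.key
}

# Return 0 only if server.crt in $1 chains to ca.crt, is valid for hostname $2,
# names $2 in its SAN, and carries the public key belonging to server.key.
verify_server_cert() {
    dir=$1
    host=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null 2>&1 || return 1
    # The public key embedded in the cert must equal the one derived from the key;
    # a mismatch here is what Apache reports as a key/certificate mismatch at start-up.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
}

# Usage: sh make-cert.sh <outdir> <hostname>
if [ $# -eq 2 ]; then
    make_server_cert "$1" "$2"
    verify_server_cert "$1" "$2" && echo "server.crt verified for $2 against ca.crt"
fi
```

After copying server.crt and server.key to the paths named in httpd-ssl.conf, run sudo apachectl configtest before restarting, and check the live listener with openssl s_client -connect localhost:443 -servername name.of.your.server -CAfile ca.crt, which prints Verify return code: 0 (ok) only when the served certificate chains to your CA and matches the name. A browser will still warn on https://localhost unless ca.crt has been imported into its trust store and localhost is one of the names in the SAN.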