Really Simple SSL

How to install an SSL certificate on localhost / MAMP

If you do development on your own machine, then deploy to production, and you have an SSL certificate on your site, it is useful to have SSL on your localhost environment. This guide will walk you through all the necessary steps to get a working certificate on localhost.

The instructions are based on macOS Sierra 10.12.5, using MAMP (Apache) and Chrome 59.

Install MAMP

The first step is to install MAMP. MAMP is a one-click solution for macOS and Windows for setting up a local development environment. It combines free software such as Apache, NGINX, and MySQL and is the software of choice here at Really Simple SSL headquarters.

Generating a self-signed certificate for local use

Since Chrome 58, certificates for use on localhost need to have a SAN, Subject Alternative Name. Getting a certificate with the right properties can be a daunting task, but luckily Alexander Zeitler has written a guide on how to generate a certificate with a Subject Alternative Name. This does involve some messing around with the command line but is not too hard to do. The following steps need to be taken to create a certificate with SAN for localhost:

Generating the certificate

Open up a terminal and type the following:

mkdir ~/ssl/

This will create a directory called ssl in your home folder. We now need to enter that directory by typing:

cd ~/ssl

Next up, create a file named server.csr.cnf using your text editor of choice. In this case, I’m using vi:

vi server.csr.cnf

And copy the following information (for more information about what each field after [dn] does, refer to this guide by Oracle). You can change these attributes to reflect those of your own organization:


[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
ST=New York
O=End Point
OU=Testing Domain
CN = localhost

To save the file, type

:wq

followed by Enter. This will write the file and quit vi.

Next, create a file named v3.ext:

vi v3.ext

And copy the following content:



keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost

Write and quit again by typing

:wq


You can verify the files are in the directory by typing

ls -la

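This will show all files in the ~/ssl/ directory. Next, paste the following line, which will generate an RSA private key for the root CA. Because of the -des3 option, OpenSSL will ask you to choose a pass phrase to protect this key; you will need to enter it again in the later steps that use rootCA.key: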

openssl genrsa -des3 -out ~/ssl/rootCA.key 2048

Next, we will generate the root certificate which will be valid for 1024 days:

openssl req -x509 -new -nodes -key ~/ssl/rootCA.key -sha256 -days 1024 -out ~/ssl/rootCA.pem

Afterwards, we can create the private key for the certificate (server.key) together with the certificate signing request (server.csr):

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )

And finally we generate the certificate (server.crt):

openssl x509 -req -in server.csr -CA ~/ssl/rootCA.pem -CAkey ~/ssl/rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext

This should be it! You can verify the certificate has the SAN by typing the following in the terminal:

openssl x509 -text -in server.crt -noout

Which should contain this line:

            X509v3 Subject Alternative Name:
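
Before moving on to the keychain and Apache, it helps to check three things about the files just created: that server.crt is signed by rootCA.pem, that it carries a SAN entry for localhost, and that it belongs to server.key. The script below is an added example and not part of the original guide. Its function names are hypothetical, and it runs against a constructed throwaway CA (with no pass phrase) in a temporary directory so that it can also show a certificate signed without v3.ext failing the SAN check.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the files
# the steps above produce. Function names are hypothetical.

check_chain() {      # check_chain rootCA.pem server.crt: signed by our root?
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_san() {        # check_san server.crt localhost: SAN entry Chrome 58+ needs?
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

check_key_match() {  # check_key_match server.crt server.key: same RSA public key?
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

preflight() {        # preflight dir cert-file: run all three, report failures
    rc=0
    check_chain "$1/rootCA.pem" "$1/$2" || { echo "$2: not signed by rootCA.pem"; rc=1; }
    check_san "$1/$2" localhost || { echo "$2: no SAN entry for localhost"; rc=1; }
    check_key_match "$1/$2" "$1/server.key" || { echo "$2: does not match server.key"; rc=1; }
    return $rc
}

# Constructed sample data: a throwaway CA and two leaf certificates in "$1",
# one signed with a v3.ext-style extension file and one signed without it.
make_demo() {
    printf 'subjectAltName = @alt_names\n[alt_names]\nDNS.1 = localhost\n' > "$1/v3.ext"
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$1/rootCA.key" \
        -subj '/CN=Demo Local CA' -sha256 -days 2 -out "$1/rootCA.pem" 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:2048 -keyout "$1/server.key" \
        -subj '/CN=localhost' -sha256 -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$1/v3.ext" -out "$1/server.crt" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 1 -sha256 -out "$1/nosan.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo"
preflight "$demo" server.crt && echo "server.crt: passes all checks"
preflight "$demo" nosan.crt || echo "nosan.crt: would be rejected by Chrome"
rm -rf "$demo"
```

To check your own files, call preflight with the directory from this guide and the certificate name, for example: preflight ~/ssl server.crt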


Adding the rootCA.pem to the list of trusted root CAs

Before the certificate is accepted by your browser, the rootCA.pem needs to be added to the list of trusted root CAs. You can do this by opening Keychain Access, clicking on the ‘System’ keychain and selecting the ‘Certificates’ category.

To add the rootCA.pem file, click on the plus sign near the bottom-left corner of ‘Keychain Access’. Add the rootCA.pem file and you will see it listed with a red cross, notifying you the certificate is not trusted.

For the certificate to work, we need to make sure the certificate is trusted. To do so, double-click on the ‘localhost’ certificate, expand ‘Trust’ and in the field ‘When using this certificate’ select ‘Always Trust’.

Exit the menu and your certificate should now be shown as trusted.

We are now ready to configure Apache!

Configuring Apache for SSL

The Apache configuration files we need to configure for the use of the certificate are httpd.conf located at /../MAMP/apache/conf/httpd.conf and httpd-ssl.conf located at /../MAMP/apache/conf/extra/httpd-ssl.conf.



Make a backup of your current configuration before you continue!



Configuring httpd.conf

First, open the httpd.conf file and uncomment the following lines:

LoadModule ssl_module modules/

Include /Applications/MAMP/conf/apache/extra/httpd-ssl.conf

It could be these lines are already uncommented or not present. When they are not present you can add them.

Next, set the ServerName to localhost:443 (make sure there is only one ServerName defined in the file):

ServerName localhost:443

These are all changes you need to make in httpd.conf!

Configuring httpd-ssl.conf

Then, in the httpd-ssl.conf file, do the following:

Set Listen to 443

Listen 443

Note: From MAMP 4.4.1 onwards, adding this might not be necessary. If Apache fails to start with the ‘could not bind to address [::]:443’ error, you might have to comment out the ‘Listen 443’ line by placing # in front of it.

Next, find the virtualhost configuration which looks something like this:

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/Applications/MAMP/Library/htdocs"
ServerName localhost:443
ErrorLog "/Applications/MAMP/Library/logs/error_log"
TransferLog "/Applications/MAMP/Library/logs/access_log"

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine off

A couple of things need to be changed in this configuration. First, the VirtualHost should be set to *:443, instead of _default_:443. Make sure the DocumentRoot is correct. The ServerName should be changed to localhost:443. Finally, the SSLEngine needs to be set to on. The result should look like this:

<VirtualHost *:443>

# General setup for the virtual host
DocumentRoot "/Applications/MAMP/htdocs"
ServerName localhost
ErrorLog "/Applications/MAMP/Library/logs/error_log"
TransferLog "/Applications/MAMP/Library/logs/access_log"

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

Note: The DocumentRoot might not be necessary anymore from MAMP 4.4.1. onwards. If you see 404 errors on https://localhost but the site works fine on http://localhost, try commenting out the DocumentRoot line (by placing a # in front of it). MAMP might put both DocumentRoots together, resulting in it looking for /Applications/MAMP/htdocs/Applications/MAMP/htdocs, which fails.

Finally, specify the SSLCertificateFile and SSLCertificateKeyFile directives. Add the location of the .crt file you have generated earlier after SSLCertificateFile.

Add the location of the .key file to the SSLCertificateKeyFile directive.

In my case, it looks like this:

SSLCertificateFile "/ssl/server.crt"

SSLCertificateKeyFile "/ssl/server.key"

You can copy the server.crt and server.key file to another directory if you’d like but be sure to define the right path in httpd-ssl.conf.

Visit https://localhost to see if it works.

That’s it! You should now have a local development environment with SSL!

Troubleshooting issues after updating MAMP

After updating MAMP to version 4.4.1. our configuration didn’t work anymore. First we got the following error: could not bind to address [::]:443.

What this means is that Apache cannot start because port 443 is already in use. This happens when there are multiple ‘Listen 443’ lines defined. This can be fixed by removing the ‘Listen 443’ line from httpd.conf. Leave the ‘Listen 443’ in httpd-ssl.conf. You can find possible duplicates by running the following command in the Terminal:

grep -ri listen /Applications/MAMP/conf

This will show all instances of ‘listen’, regardless of capitalization, in the MAMP configuration directory.

Once that error was resolved the SSL certificate was working but all https://localhost requests resulted in a 404 error. This error was happening because the ‘DocumentRoot’ was defined twice, in both httpd.conf and httpd-ssl.conf. Removing the DocumentRoot from the httpd-ssl.conf resolved this issue. Now MAMP is back up and running.

We also experienced that Apache doesn’t write all errors to the apache_error.log file in the /logs/ directory. If that happens, try to restart Apache via the Terminal (command line) using this command:

sudo /Applications/MAMP/Library/bin/apachectl restart

It is possible that restarting Apache in this way will show errors that didn’t make it to the log file, making it a lot easier to troubleshoot issues.





27 Responses

  1. I did all of this but now I can’t get the MAMP servers to start. I double checked all of my steps and I can’t find anything I may be missing. Any ideas?

  2. Thanks for a helpful guide, I had the same issue as Gregg, found it was the paths to the server.crt & server.key files, had to set as /Users/USER_NAME/ssl/server.crt & /Users/USER_NAME/ssl/server.key. Hope that helps.

    1. Hi Antonio,

      what are you trying to achieve exactly? In this case the certificate should work for all localhost sites. Let me know if you experience any issues.


  3. Thanks for this valuable post Mark! Unfortunately it does not work yet for me either. I’ve followed your steps twice. When I am finished, I restart the servers in MAMP. The Apache server won’t start. The logs in “/Applications/MAMP/Library/Logs” are empty. And there are no new entries in the MAMPS/logs

    I am using MacOS 10.13.1

  4. Hi Charles,

    Does MAMP give an error when you try to start it? Without knowing an error it’s hard to troubleshoot. Did you define the ErrorLog as described in the article? That should write an error_log file, it could be you have defined another location. Otherwise the error should be in the /logs/apache_error.log file, perhaps a php error in the php_error.log file.


    1. Hi Mark,

      When starting the servers from the MAMP application, I get a window requesting my system password saying “MAMP wants to make changes”.

      Yes, I did define the ErrorLog as described in the article.

      I have checked the /logs/apache_error.log file, and the php_error.log file. There are no entries that coincide with the time I tried to start the servers.

    2. Hi Mark,

      I’ve tried it starting with a clean install of MAMP.
      – After the install and BEFORE your modifications for SSL, I checked if both servers start.
      – The MySQL server did not.
      – I’ve changed the MySQL port from 8889 to 8887. Now both servers could be started. I am using port 8888 for Apache.
      – I followed your steps and altered the httpd.conf and httpd-ssl.conf files
      – The apache server does not start.
      – After fiddling around with some settings in the httpd.conf and httpd-ssl.conf files I found out how to get both servers started: I changed in the httpd-ssl.conf file “Listen 8888” to “Listen localhost:8888”

      Now I can open https://localhost:8888/MAMP/?language=English. So the secure connection seems to work for that particular URL.

      Weirdly enough, if I copy a simple index.html file in the htdocs folder, I cannot access it through my browser with https://localhost:8888/index.html

      I’ll keep you posted if I find anything noteworthy. Have a good weekend!

  5. Hi Mark,

    thanks for your post!

    I was searching for a solution when working with CodeKit. CodeKit serves the sites with https://localhost:5757. Normally SSL certificates are not port-specific. Do I really have to specify the 443 port in the Apache (MAMP) configuration? If yes, can I change it from 443 to 5757? I’ll use the localhost URL only with MAMP Pro. So “other” sites should not be affected.

  6. Hi,
    Really great post, however I cannot seem to start my apache server. Error log throwing this :
    [Mon Jan 08 11:08:48 2018] [notice] caught SIGTERM, shutting down

    when I restart Mamp, it is asking for admin password as Mamp wants to make some changes.

    Any ideas, really could do with having this working,

    Thanks in advance.

  7. Hi, I have followed your instructions pretty closely and I can’t get it to work. The MAMP server still starts but when I try https://localhost I get:

    This site can’t be reached
    localhost refused to connect.

    Checking the connection
    Checking the proxy and the firewall

    1. Hi,

      a connection refused error is often caused by a misconfiguration on the server. Can you check if port 443 is opened and used for SSL connections? Perhaps a different port is defined or a :443 is missing somewhere in either the httpd.conf or httpd-ssl.conf file.


  8. I get the following error in terminal when attempting to generate the certificate (server.crt)

    Error Loading extension section default
    43292:error:22097082:X509 V3 routines:DO_EXT_NCONF:unknown extension name:/BuildRoot/Library/Caches/
    43292:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:/BuildRoot/Library/Caches/, value=keyid,issuer

    any ideas?

  9. Thanks Mark. Did everything and I am able to load websites OK in Safari but Firefox gives me error: SEC_ERROR_UNKNOWN_ISSUER and I cannot load any local website in Firefox. In Chrome I get site can’t be reached error: ERR_TUNNEL_CONNECTION_FAILED. HELP!

    1. Hi,

      this sounds like there’s another issue within your server configuration, the unknown issuer error can be caused by your certificate not being recognized from the keychain. The tunnel_connection_failed error might have to do with a proxy setting in the browser itself. I’d suggest to Google for the error messages and try the solutions that come up.


    1. Hi Freddie,
      I don’t know Moodle, but I would check if there are settings/configurations you need to set for Moodle to load over https. If the basic homepage loads normally this suggests it’s a Moodle configuration thing.

  10. When I reach the step for generating a RSA Key:

    openssl genrsa -des3 -out ~/ssl/rootCA.key 2048

    The command above simply spits out something that looks like this:

    Generating RSA private key, 2048 bit long modulus
    e is 65537 (0x10001)
    Enter pass phrase for /Users/derrickrichardson/ssl/rootCA.key:

    It also asked me for a pass phrase, why? I don’t ever remember specifying a pass phrase. I am not a developer and I don’t know how to get past this step. Please help.

  11. I went through this whole process and it does not seem to work on Mojave and MAMP 5.3. I followed the entire install instructions and loaded Really Simple SSL and it says I do not have a certificate installed. Any help greatly appreciated.

    1. Hi,

      if the site says you don’t have a certificate installed, it’s possible that the path to the SSL certificate is incorrect. Can you check what the path to the SSLCertificateFile and SSLCertificateKeyFile options are, and if the files are present in this folder?


  12. Hi, thanks a lot! Followed all instructions including additional steps for MAMP v4 and I’m receiving the following message:

    This site can’t provide a secure connection
    localhost sent an invalid response.

    While trying to access with http:// is still working.

    Inside logs/apache_error.log, just receiving:

    [Wed Jan 27 16:57:41 2021] [notice] SIGHUP received. Attempting to restart
    [Wed Jan 27 16:57:41 2021] [notice] Digest: generating secret for digest authentication …
    [Wed Jan 27 16:57:41 2021] [notice] Digest: done
    [Wed Jan 27 16:57:41 2021] [notice] FastCGI: process manager initialized (pid 42432)
    [Wed Jan 27 16:57:41 2021] [notice] Apache/2.2.34 (Unix) mod_wsgi/3.5 Python/2.7.13 PHP/7.3.9 mod_ssl/2.2.34 OpenSSL/1.0.2o DAV/2 mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_perl/2.0.11 Perl/v5.24.0 configured — resuming normal operations

    1. Hi Marcos

      The ERR_SSL_PROTOCOL_ERROR is caused by a misconfiguration on the webserver. This usually happens when the server sends regular http:// requests over https://.

      Let me know if you have any other questions.
