SSL

It is often important to be able to test your local site setup under SSL (e.g. https://yoursite.com). There are a few steps that are needed to accomplish this with your 'OS X 10.11 El Capitan'-based Apache setup. The first step is to make some modifications to your httpd.conf. Because it's a system file, you will need to use sudo again:

$ sudo nano /etc/apache2/httpd.conf

In this file you should uncomment both the socache_shmcb_module, ssl_module, and also the include for the httpd-ssl.conf by removing the leading # symbol on those lines:

LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
...
LoadModule ssl_module libexec/apache2/mod_ssl.so
...
Include /private/etc/apache2/extra/httpd-ssl.conf

After saving this file, you should then open up your/etc/apache2/extra/httpd-vhosts.conf.

$ sudo nano /etc/apache2/extra/httpd-vhosts.conf

Here you can create a VirtualHost entry for each virtual host that you wish to provide SSL support for.

<VirtualHost *:443>
    DocumentRoot "/Users/your_user/Sites"
    ServerName localhost
    SSLEngine on
    SSLCertificateFile "/private/etc/apache2/server.crt"
    SSLCertificateKeyFile "/private/etc/apache2/server.key"
</VirtualHost>

In this example we have created the VirtualHost for localhost, but it could be any of your existing or even a new VirtualHost.

Certificates

To get this all to work with Apache, we need to create a self-signed certificate that we have already referenced in the VirtualHost definition.

The following commands will often prompt you for information regarding the certificates. For local development you can just hit return to accept the default values.

First generate a key:

$ cd /etc/apache2
$ sudo ssh-keygen -f server.key

Then generate a certificate signing request:

$ sudo openssl req -new -key server.key -out server.csr

Using this CSR, generate the certificate:

$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The convert the key to a no-phrase key:

$ sudo openssl rsa -in server.key -out server.key

Then all you need to do now is double check your Apache configuration syntax:

$ sudo apachectl configtest

If all goes well, restart Apache:

$ sudo apachectl -k restart

Now simply point your browser at https://localhost. If you are prompted about aself-signed certificate, in Chrome you can hit the Advanced option on that page and proceed while in Firefox you need to expand the I Understand the Risks and add as exception. This is due to the fact that the self-signed certificates are not signed by any authority and for this reasons the browsers add warnings about it. Although, since you are the one who created the certificate, you understand it's safe to accept it.