Skip to main content

SSL/TLS Certificate Installation Guide: Apache for Mac OS

User-added image

Purpose: SSL/TLS Certificate Installation Guide

For Apache2 on Mac OS 10.11.6 and up

User-added image

NOTE:
As of November 12, 2024, Entrust introduced a new TLS certificate hierarchy as part of the deployment. The TLS certificate delivery now includes two certificate chains. The delivery of these certificate chains can be in the form of:

  • Individual files. Intermediate 1 (filename: intermediate1.crt ) and Intermediate 2 (filename: intermediate2.crt ) or
  • Concatenate PEM file (filename: CertificateBundle1.pem/CertificateBundle2.pem ) or
  • P7B format file (filename: Certificatebundle.p7b )

Both intermediate/chain certificates must be installed in your environment.

Skip to Installation

Need help generating a Certificate Signing Request (CSR) with this server? See our article here.

Before you begin...

  • Make sure you back up your Apache configuration files before making any changes. If you are replacing an existing certificate, do not delete the existing certificate or private key files in case you need to revert your previous configuration.
  • Never share private keys files.
  • If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).
  • It is best practice to ensure that you have current and up to date Ciphers and Protocols to ensure the best security when deploying a new Private key and Server Certificate.
  • Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.
  • For more information on SSL/TLS Best Practices, click here .

Special notes for installation on using Terminal:

  • You must be able to sudo as root or have root access to the server in order to perform the commands below. Not being able to do so or having such access will lead to a permissions denied error. In this article, we will use the sudo command. If you are able to log in as root, disregard the "sudo" portion of the commands listed in this article.
  • You must have ssl turned on for your Apache server and you must have the site for which you are going to be installing the certificate enabled.

The installation is in four parts

1) Copy the certificate files to your server

2) Configure the Apache server to point  to certificate files

3) Test the configuration was successful

4) Restart the Apache server

Part 1 of 4: Copy the certificate files to your server

1. Extract the certificate files. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a zip file that contains the following files:

  • ServerCertificate.crt: Your signed SSL/TLS certificate
  • ChainBundle1.crt: The Entrust Certificate chain bundled in a single file

User-added image

2. Copy the files to the System Keychain. Double click the ServerCertificate.crt file. On the pop-up that appears, select "System" and then click Add.

User-added image

You will be prompted to provide your Administrator password to continue. Do so and proceed to the next step.

User-added image

3. Keychain Access will open. Make sure you have selected, under Keychains, System . Under Category have selected Certificates . Note the certificate you just imported will appear, however, it will appear with an error.

User-added image

4. Do the same for ChainBundle2.crt to import the Entrust Certification Authority L1K Root and resolve this error. On the pop-up that appears, select "System" and then click Add. You will

User-added image

5. The server certificate file that was previously showing an error will now be valid.

User-added image

Note the location of these files as you will need to know this to complete the next part of this process. The directory should be: ~/Library/Keychains/ , /Library/Keychains/ , or /Network/Library/Keychains/

Part 2 of 4: Configure the Apache server to point  to Apache files

1. Find the Apache configuration file to configure it to point to these certificates. Mac OS's Apache configuration file for your site should be found in /etc/apache2/:

2. Now that you have located the configuration file, you must now edit the file so that your Apache server will point to the certificates you imported previously. You can edit the file either in Terminal or by using Finder to locate the .conf file, opening it in a text editor and editing the file within the text editor.

In the "Virtual Host" section, add the directives shown in bold below if they are not already included in the configuration file. If these directives are already included, simply modify the files that they point to such that each directive is pointing to the latest server certificate, certificate chain, and private key files.

<VirtualHost testcertificates.com:443>
DocumentRoot /var/www/html2
ServerName testcertificates.com
SSL Engine ON
SSLCertificateFile /etc/apache/ssl.crt/ServerCertificate.crt
SSLCertificateKeyFile /etc/apache/key.crt/yoursite.key
SSLCertificateChainFile /etc/apache/ssl.crt/ChainBundle2.crt
<\VirtualHost>

Where:

SSLCertificate file is your Server Certificate file (ServerCertificate.crt)

SSLCertificateChainFile is the Chain bundle file (ChainBundle2.crt)

SSLCertificateKeyFile is your server’s private key that was generated previously

Part 3 of 4: Test the configuration was successful

Test your Apache config with the following command:

sudo apachect1 configtest

Part 4 of 4: Restart the Apache server

Restart your Apache server by running the following command:

sudo apachectl restart

Your SSL/TLS Certificate should now be installed. If you have any questions or concerns please contact the Entrust Certificate Services support department for further assistance.

Hours of Operation:

Sunday 8:00 PM ET to Friday 8:00 PM ET

North America (toll free): 1-866-267-9297

Outside North America: 1-613-270-2680 (or see the list below)

NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.

Country Number
Australia 0011 - 800-3687-7863
1-800-767-513
Austria 00 - 800-3687-7863
Belgium 00 - 800-3687-7863
Denmark 00 - 800-3687-7863
Finland 990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet)
France 00 - 800-3687-7863
Germany 00 - 800-3687-7863
Hong Kong 001 - 800-3687-7863 (Voice)
002 - 800-3687-7863 (Fax)
Ireland 00 - 800-3687-7863
Israel 014 - 800-3687-7863
Italy 00 - 800-3687-7863
Japan 001 - 800-3687-7863 (KDD)
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
Korea 001 - 800-3687-7863 (Korea Telecom)
002 - 800-3687-7863 (Dacom)
Malaysia 00 - 800-3687-7863
Netherlands 00 - 800-3687-7863
New Zealand 00 - 800-3687-7863
0800-4413101
Norway 00 - 800-3687-7863
Singapore 001 - 800-3687-7863
Spain 00 - 800-3687-7863
Sweden 00 - 800-3687-7863 (Telia)
00 - 800-3687-7863 (Tele2)
Switzerland 00 - 800-3687-7863
Taiwan 00 - 800-3687-7863
United Kingdom 00 - 800-3687-7863
0800 121 6078
+44 (0) 118 953 3088