This tutorial explains how to install an SSL certificate on macOS. It covers importing your certificate and CA bundle with Keychain Access, the older macOS Server (Server.app) workflow that many existing setups still run, and the realistic path for current macOS versions where Server.app is gone.
Important: Apple discontinued the macOS Server (Server.app) product. Web, mail, and most hosting services were removed in 2018, and the app itself was retired in April 2022. The last version, 5.12.2, runs only up to macOS Monterey. The steps below cover both the legacy Server.app method and the current approach.
Generate a CSR code
To activate your SSL certificate, you send details about your domain and organization to the Certificate Authority (CA). This standard step is called a Certificate Signing Request, or CSR. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on macOS.
Submit the CSR during your order. The CA will validate your request and, once approved, sign and issue the certificate. You will receive the certificate files by email. After that, continue with the installation below.
Install an SSL certificate on macOS
The steps below follow the original macOS Server (Server.app) workflow: import the CA bundle and certificate with Keychain Access, then assign the certificate to services in the Server app. If your Mac no longer has the Server app, skip to Current macOS: no Server.app after Step 2, since the Keychain import still applies.
Step 1: Prepare your certificate files
Download the ZIP archive the CA sent you and extract it. You should have a file with a .crt extension (your primary certificate) and a file with a .ca-bundle extension (the root and intermediate certificates, also called the CA bundle). You will also need the private key you created with the CSR.
Step 2: Add the .ca-bundle file to Keychain Access
Start with the CA bundle. It holds the root and intermediate certificates that browsers and clients use to build a trust chain back to a trusted root. Without them, visitors may see a “not secure” or untrusted certificate warning.
- Locate the file with the .ca-bundle extension.
- Open Keychain Access (search for it with Spotlight, or find it in Applications > Utilities).
- Drag and drop the .ca-bundle file into the Keychain Access window. Add it to the System keychain so it applies to all users and services.
- To confirm the import, type your CA’s name in the search bar. You should see the intermediate certificates and the root certificate listed.
You can do the same thing from Terminal, which is useful on a headless or remote server. This imports the bundle into the system keychain:
sudo security import yourdomain.ca-bundle -k /Library/Keychains/System.keychain
Step 3: Add your primary certificate (legacy Server.app)
This step uses the discontinued Server.app. If your Mac no longer has it, see the next section instead.
- Open the Server app and go to Server > Certificates.
- On the main page, double-click the pending certificate (the one created when you generated the CSR).
- In the window that opens, drag and drop your .crt file, then click OK.
- A valid certificate now shows the issuer’s name and the expiration date.
Step 4: Assign the certificate to your services (legacy Server.app)
In the Server app, find the Secure services using setting. Use the drop-down menu to select your SSL certificate. To assign it to specific services such as file sharing or mail, click Custom and choose the services you want to secure. When you are done, click OK.
Your SSL certificate is now installed. To confirm the result and check for common issues, use our SSL Checker.
Current macOS: no Server.app (use Keychain plus Apache or nginx)
Because Apple retired Server.app, current macOS versions have no Server > Certificates screen and no per-service certificate assignment. The certificate import into Keychain Access (Step 2) still applies for system trust, but you serve HTTPS by configuring a web server directly. macOS ships with Apache (httpd) built in, and nginx is available through Homebrew. Place your certificate and key where the server can read them, for example under /etc/ssl/, and keep the private key readable only by root.
Option A: Built-in Apache (httpd)
Edit /etc/apache2/httpd.conf and remove the leading # from these lines so the SSL modules and the SSL config load:
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so
Include /private/etc/apache2/extra/httpd-ssl.conf
First, create a full-chain file (your certificate followed by the CA bundle), which SSLCertificateFile expects on Apache 2.4.8 and newer:
cat yourdomain.crt yourdomain.ca-bundle > yourdomain_fullchain.crt
Then edit /etc/apache2/extra/httpd-ssl.conf and make sure it listens on port 443. This file already ships a default <VirtualHost _default_:443> block with a self-signed certificate, so either edit that block or add the virtual host below and comment out the default, to avoid two hosts on port 443:
<VirtualHost *:443>
ServerName www.yourdomain.com
DocumentRoot "/Library/WebServer/Documents"
SSLEngine on
SSLCertificateFile /etc/ssl/yourdomain_fullchain.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder off
</VirtualHost>
The paths above assume the private key is in /etc/ssl/private/, which may not exist on macOS by default. Create it first and keep the key readable only by root:
sudo mkdir -p /etc/ssl/private
sudo chmod 600 /etc/ssl/private/yourdomain.key
Test the configuration before restarting, then restart Apache:
sudo apachectl configtest
sudo apachectl restart
You should see Syntax OK from the test. If you get an error, fix it before restarting so the server does not fail to start.
Option B: nginx
If you run nginx, reference the full-chain file and key in your server block, then reload:
server {
listen 443 ssl;
server_name www.yourdomain.com;
ssl_certificate /etc/ssl/yourdomain_fullchain.crt;
ssl_certificate_key /etc/ssl/private/yourdomain.key;
ssl_protocols TLSv1.2 TLSv1.3;
}
sudo nginx -t
sudo nginx -s reload
For configuration management across a fleet of Macs (the role the old Profile Manager filled), use a current MDM solution instead. To verify the installed certificate from any machine, use our SSL Checker.
Frequently asked questions
No. Apple removed most hosting services from macOS Server in 2018 and discontinued the app itself in April 2022. The final release, version 5.12.2, runs only up to macOS Monterey and is not supported on newer macOS versions. On current macOS you import certificates into Keychain Access and configure Apache or nginx directly instead of using the Server app.
Import the CA bundle and your certificate into Keychain Access so the system trusts the chain, then point your web server at the certificate and private key. macOS includes Apache (configured in /etc/apache2/), and you can install nginx through Homebrew. Set SSLCertificateFile and SSLCertificateKeyFile in Apache, or ssl_certificate and ssl_certificate_key in nginx, then test the config and restart the server.
Trusted certificates live in keychains managed by Keychain Access. System-wide certificates go in the System keychain, stored at /Library/Keychains/System.keychain. The certificate and private key files your web server reads can be placed elsewhere, for example under /etc/ssl/, as long as the server configuration points to them and the key stays readable only by root.
Yes. The CA bundle contains the intermediate and root certificates that let browsers and clients build a complete trust chain. If you skip it, some visitors will see an untrusted or incomplete certificate chain warning. Import the .ca-bundle file into Keychain Access, or concatenate it after your certificate into one full-chain file for Apache or nginx.
Open your site in a browser and check the padlock, or query the server from Terminal with OpenSSL to read the certificate it serves:echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
This prints the issuer and the validity dates. You can also run a full external check with our SSL Checker.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


