XAMPP: How to set up SSL/HTTPS for local Projects
Tutorial by Stefan Trost | Last update on 2024-04-14 | Created on 2018-03-16
In this tutorial, I would like to show you how to set up your XAMPP configuration in a way that you can access your local PHP projects via SSL and in the browser via an HTTPS URL. You can use that, for example, in the case that your online website is running over HTTPS and you want to use the same link structure also for testing.
In my tutorial about setting up virtual domains, I had already explained the basics of how to define arbitrary domains with XAMPP and Apache, which can then point to a local directory in the XAMPP installation. After this setup, initially, all domains can only be accessed via HTTP in the browser. In order to also allow URLs via HTTPS, the following steps are necessary additionally:
In the following, we would like to go through each of these steps in detail.
Create Certificate
First, we have to create our own SSL certificate. Luckily, XAMPP already has a little script ready for us that we can use and open like this:
- The script can be found in the Apache folder of the XAMPP installation, in a standard installation on Windows this is the path: C:\xampp\apache
- In this folder we find the file makecert.bat, with a double-click on the file we can start the script.
After starting the script, the command line opens, where we only need to follow the instructions. First we have to enter a password for our key, that should look like this.
Generating a 2048 bit RSA private key ............+++ ...................+++ writing new private key to 'privkey.pem' Enter PEM pass phrase:
Here we can enter any password of our desire and then repeat it. Further questions follow, such as country (Country Name), city (Locality) or company (Organization Name). Here we can basically enter what we want or type in a point if we want to leave the field blank. This information will be used later in our certificate. As the "Common Name" (FQDN = Fully Qualified Domain Name) we enter "localhost" instead of a specific domain, since we need the certificate for our local host (we can nevertheless use the same certificate later for URLs of any name, so there is no need to repeat this step for each of our domains). Later, we can skip questions for so-called extra attributes such as for a "challenge password" or an "optional company name" by acknowledging them by entering a dot. Finally we have to repeat the password from the beginning again, then the certificate is created.
The whole procedure looks like this:
Generating a 2048 bit RSA private key ............+++ ...................+++ writing new private key to 'privkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:NRW Locality Name (eg, city) []:BOT Organization Name (eg, company) [Internet Widgits Pty Ltd]:STT Organizational Unit Name (eg, section) []:WEB Common Name (e.g. server FQDN or YOUR name) []:localhost Email Address []:local@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:. Enter pass phrase for privkey.pem: writing RSA key Signature ok subject=/C=DE/ST=NRW/L=BOT/O=STT/OU=WEB/CN=localhost/emailAddress=local@example.com Getting Private key 1 File(s) moved. 1 File(s) moved. ----- The certificate was provided. Press any key . . .
Now our certificate has been created and this step is done. The ready certificate was placed in the folders C:\xampp\apache\conf\ssl.crt and C:\xampp\apache\conf\ssl.key, provided we installed XAMPP in C:\xampp.
Define VirtualHost
In the next step, we have to set up a new VirtualHost for each domain we would like to make able to be called via HTTPS within the file C:\xampp\apache\conf\extra\httpd-vhosts.conf similar to what we did in the first tutorial.
At this point, it's important to know that HTTP is running on port 80, but SSL is on port 443. In the following, we'll define the URL example.com, which can then be called with both http://www.example.com and https://www.example.com afterwards. The first block applies to all requests over port 80 (i.e. for all requests starting with http://...) and looks something like the blocks from the first tutorial. Under DocumentRoot we can specify the root directory again.
# HTTP <VirtualHost *:80> DocumentRoot "C:/xampp/htdocs/myproject" ServerName example.com ServerAlias www.example.com </VirtualHost> # HTTPS <VirtualHost *:443> DocumentRoot "C:/xampp/htdocs/myproject" ServerName example.com ServerAlias www.example.com SSLEngine on SSLCertificateFile "conf/ssl.crt/server.crt" SSLCertificateKeyFile "conf/ssl.key/server.key" </VirtualHost>
The HTTPS requests are defined via the second block "<VirtualHost *:443>" (port 443). The DocumentRoot directory, ServerName, and ServerAlias specifications are identical to HTTP. In addition, now we have to switch on SSL and provide information about our SSL certificate and key. This tells the server that SSL should be used (SSLEngine on) and where to find the corresponding files. As you can see, we have defined the folders where our certificate has just been stored.
In the example here we have only defined one URL that should be reachable via HTTP as well as HTTPS. Each additional domain or URL must be defined in exactly the same way, we can write any number of blocks of this type among each other.
Restart Apache
For our changes to take effect, after saving the changed file, we must now restart Apache. For this, we open the XAMPP Control Panel and click on "Stop" behind the module "Apache" and then on "Start", so that the server restarts with the new configuration.
Add Exceptions
Now we are done with our configuration. However, when we visit one of our freshly defined HTTPS pages in the browser, we may receive the error message "This connection is not secure" with error code SEC_ERROR_UNKNOWN_ISSUER (depending on browser and browser settings). The Firefox browser, as an example, provides the dissuasive text "The owner of ... did not properly configure the site, Firefox did not connect to the site to protect your information from theft." In short, we can not just visit our website.
The reason is that we have created the certificate on our own and Firefox, Chrome and other browsers only trusts certificates from official certification authorities. For our local testing purposes that would of course be exaggerated, so we can confidently click on the button "Add an exception ...". In the dialogue that opens up, we should activate the option "Permanently save this exception", otherwise we will be asked again with each call. Afterwards we can click on "Confirm security exemption" and should now finally be able to see our website via the HTTPS URL.
About the Author
You can find Software by Stefan Trost on sttmedia.com. Do you need an individual software solution according to your needs? - sttmedia.com/contact
Show Profile
Related Topics
Create virtual domains for Apache/XAMPP
Tutorial | 2 Comments
Local Gravity for different Places and Planets
Info | 0 Comments
XAMPP: Call via HTTPS leads to Error 403 (Access Forbidden)
Question | 1 Answer
MySQL: CSV Export as File stored on the Server
Tutorial | 0 Comments
Redirect all HTTP-Requests to HTTPS
Question | 2 Answers
Why is the local gravity at the poles greater than at the equator?
Question | 1 Answer
Delphi: Add Path to Library or Unit for all Projects
Question | 1 Answer
Important Note
Please note: The contributions published on askingbox.com are contributions of users and should not substitute professional advice. They are not verified by independents and do not necessarily reflect the opinion of askingbox.com. Learn more.
Participate
Ask your own question or write your own article on askingbox.com. That’s how it’s done.
It would be nice to know WHICH FILE the virtualhost needs to be put in...
2018-06-10 at 22:31
This tutorial is based on the first tutorial on this topic, so it is the same file that is to be edited here:
C:\xampp\apache\conf\extra\httpd-vhosts.conf
I have added the file path also in this tutorial, I hope this makes it a little clearer.
2018-06-11 at 22:26
Must the specifications from Part 2 of the tutorial be added to the httpd-vhosts.conf in addition to the information from Part 1, so that the httpd-vhosts.conf would look like this:
Or are the blocks described in this tutorial alone sufficient?
2020-01-20 at 06:42
No, not additionally.
You don't need the first section, what you have defined under #HTTP and #HTTPS is sufficient.
In your example, you should incorporate a redirection to HTTPS for the HTTP variant so that the page can only be accessed via HTTPS and people who enter http.. are redirected to https.. automatically.
2020-01-20 at 15:35