HTTPS for XAMPP with Self-Signed Certificates

There is an initiative, lead by Google and Mozilla, to deprecate HTTP and migrate all web traffic to HTTPS.

https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

https://blog.malwarebytes.com/101/2017/09/google-reminds-website-owners-to-move-to-https-before-october-deadline/

I am currently working towards migrating all of the sites I support to HTTPS, starting with my development environment, which is using Windows 10 and XAMMP.

I am using several virtual hosts for my projects. These are in the form: website1.local, website2.local, etc. The hosts file maps these back to the localhost (127.0.0.1).

Each of the virtual hosts are defined in xampp\apache\conf\extra\httpd-vhosts.conf as:

<VirtualHost *:80>
ServerName website1.local
DocumentRoot “C:\Users\shipl\htdocs\website1”
<Directory “C:\Users\shipl\htdocs\website1”>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
</VirtualHost>

Create the certificates

The first step is to create the self-signed certificates using the openssl package which is included as part of XAMPP in xampp\apache\bin (I am assuming this is in the PATH, otherwise use the fully qualified command path). I have installed XAMPP in C:\Apps\xampp – change this to suit your own configuration.

This is the script I used:

set XAMPPDIR=C:\Apps\xampp
set HOME=%XAMPPDIR%\apache\conf
set OPENSSL_CONF=%HOME%\openssl.cnf
if not exist %HOME%\ssl.crt mkdir %HOME%\ssl.crt
if not exist %HOME%\ssl.key mkdir %HOME%\ssl.key
openssl req -subj “/C=AU/ST=Victoria/L=Port Melbourne/O=Paul Shipley/OU= /CN=localhost” -x509 -nodes -days 365 -newkey rsa:2048 -keyout %HOME%\ssl.key\localhost-selfsigned.key -out %HOME%\ssl.crt\localhost-selfsigned.crt
openssl req -subj “/C=AU/ST=Victoria/L=Port Melbourne/O=Paul Shipley/OU= /CN=website1.local” -x509 -nodes -days 365 -newkey rsa:2048 -keyout %HOME%\ssl.key\website1-selfsigned.key -out %HOME%\ssl.crt\website1-selfsigned.crt

Note that in the subj only the /CN=xxxxx part is actually required; the rest is just recorded in the certificate to be displayed if required.

Keep this script as these certificates will expire in 365 days, when you will need to create them again.

Configure Apache

Change the default SSL settings in xampp\apache\conf\extra\httpd-ssl.conf. Find these two parameters in the file and change them to use the self-signed certificate.

SSLCertificateFile “conf/ssl.crt/localhost-selfsigned.crt”

SSLCertificateKeyFile “conf/ssl.key/localhost-selfsigned.key”

Change each of the virtual host definitions to enable HTTPS. The default XAMPP host is:

<VirtualHost *:80>
ServerName localhost
Redirect / https://localhost/
</VirtualHost>
<VirtualHost *:443>
ServerName localhost
DocumentRoot “C:\Apps\xampp\htdocs”
<Directory “C:\Apps\xampp\htdocs”>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile “C:\Apps\xampp\apache\conf\ssl.crt\localhost-selfsigned.crt”
SSLCertificateKeyFile “C:\Apps\xampp\apache\conf\ssl.key\localhost-selfsigned.key”
</VirtualHost>

Then my project sites are:

<VirtualHost *:80>
ServerName website1.local
Redirect / https://website1.local/
</VirtualHost>
<VirtualHost *:443>
ServerName website1.local
DocumentRoot “C:\Users\shipl\htdocs\website1”
<Directory “C:\Users\shipl\htdocs\website1”>
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile “C:\Apps\xampp\apache\conf\ssl.crt\website1-selfsigned.crt”
SSLCertificateKeyFile “C:\Apps\xampp\apache\conf\ssl.key\website1-selfsigned.key”
</VirtualHost>

Once the new configuration has been saved, stop and start Apache (using the XAMPP Control Panel). The virtual hosts should now work with HTTPS and any references to HTTP will be redirected to HTTPS.

5,090 views

Need help? Let me take care of your IT issues.

Share this page

Scroll to Top