How to Create Valid SSL in localhost for XAMPP

Chrome browser updates has become a burden for local development. Not only they decided to disable .dev domain for local development, they also really have specific configuration in SSL Cert to show the site as secure.

In this step by step tutorial I will try to explain  the walk-through to create SSL cert locally to be used in XAMPP in Windows.

In my XAMPP install I basically  have a clone to all the site that I managed.  And All of them (of course) use SSL/HTTPS.

Here’s the step by  step guide:

In this step we are going to crate SSL and setup “site.test” website.

1. Navigate to Apache directory in XAMPP.

In regular install it’s in C:\xampp\apache.

2. Create a folder in that page.

This is where we will store our cert. In this example I will create “crt” folder. So we will have C:\xampp\apache\crt

3. Add this files.

4. Edit cert.conf and Run make-cert.bat

Change {{DOMAIN}} text using the domain we want to use, in this case site.test and save.

Double click the make-cert.bat and input the domain site.test when prompted. And just do enter in other question since we already set the default from cert.conf.

Note: I don’t know how to do text replace in .bat script, if you do, let me know in the comment how to do it and I will update make-cert.bat to automatically replace the {{DOMAIN}} with the domain input.

5. Install the cert in windows.

After that, you will see site.test folder created. In that folder we will have server.crt and server.key. This is our SSL certificate.

Double click on the server.crt to install it on Windows so Windows can trust it.

And then select Local Machine as Store Location.

And then Select “Place all certificate in the following store” and click browse and select Trusted Root Certification Authorities.

Click Next and Finish.

And now this cert is installed and trusted in Windows. Next is how how to use this cert in XAMPP.

6. Add the site in Windows hosts

  1. Open notepad as administrator.
  2. Edit C:\Windows\System32\drivers\etc\hosts (the file have no ext)
  3. Add this in a new line:
127.0.0.1 site.test

This will tell windows to load XAMPP when we visit http://site.test You can try and it will show XAMPP dashboard page.

7. Add the site in XAMPP conf.

We need to enable SSL for this domain and let XAMPP know where we store the SSL Cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf

And add this code at the bottom:

## site.test
 <VirtualHost *:80>
     DocumentRoot "C:/xampp/htdocs"
     ServerName site.test
     ServerAlias *.site.test
 </VirtualHost>
 <VirtualHost *:443>
     DocumentRoot "C:/xampp/htdocs"
     ServerName site.test
     ServerAlias *.site.test
     SSLEngine on
     SSLCertificateFile "crt/site.test/server.crt"
     SSLCertificateKeyFile "crt/site.test/server.key"
 </VirtualHost>

After that, you will need to restart Apache in XAMPP.  It’s very simple, simply open XAMPP Control Panel and Stop and re-Start Apache Module.

Tips: In XAMPP conf, as you can see you can change the domain root directory if needed. Eg. as sub-dir in htdocs.

8. Restart your browser and Done!

This is required to load the certificate. And visit the domain on your browser, and you will see green lock!

I hope this tutorial is useful!

If you already use other method, let me know in the comment 🙂

228 Comments

  1. Wolverine

    In step 7,

    1- I paste the code in httpd-xampp.conf
    2- then I stop the xampp (Apache)
    3- Then I start it (in this part the Apache does not work)

    now if I remove the code, the apache if it works but if I paste it again it stops working

    Is there anything else to do in this part?

    Thank you

    • Hakim Douib

      i have the same problem and my selotion was that i need to fix the path to the ctr and key . becouse whane you change the site.site to your domain for me was localhost i forget to change it in script
      SSLCertificateFile “crt/localhost/server.crt”
      SSLCertificateKeyFile “crt/localhost/server.key”

    • Drachsi

      Does that mean I cannot use .dev on my local pc just for testing?
      Regards
      Drachsi

      • Ian

        That is correct. Google bought the .dev registry from ICANN Dec 2017 for their own internal use and closed down any external use of it.
        The alternatives are to use an undisputed TLD. .test .example and .localhost are all protected by ICANN, so one of those is the best option.

        We’re all in the same boat here.

        • Drachsi

          Thank you very much. No wonder I was having problems, nobody but you mention that.
          Regards
          Drachsi

    • Chad

      Sorry Ian, you are correct. I am on Firefox which does work with .dev, but Chrome does not – Even though the windows hosts file maps my .dev site to 127.0.0.1, that’s pretty sad of Google.

  2. Yvon

    i Followed instructions, but my appach does not start anymore.
    it displayed
    11:04:24 [Apache] Status change detected: running
    11:04:25 [Apache] Status change detected: stopped
    11:04:25 [Apache] Error: Apache shutdown unexpectedly.
    11:04:25 [Apache] This may be due to a blocked port, missing dependencies,
    11:04:25 [Apache] improper privileges, a crash, or a shutdown by another method.
    11:04:25 [Apache] Press the Logs button to view error logs and check
    11:04:25 [Apache] the Windows Event Viewer for more clues
    11:04:25 [Apache] If you need more help, copy and post this
    11:04:25 [Apache] entire log window on the forums

    how can i fix it?

  3. Ian

    Apache is missing dependencies possibly caused by trying to start before the certificate has been created
    Apache cannot find the path
    Access was denied.

    Was the SSl saved – check the directory. Is it there, is the path correct?
    If you rerun it, delete the previous directory.

    Hosts file – must be edited with elevated priviledges and save as host – not host .txt or any other extension.
    In the conf file, ensure the first module is port 80 and the second module is port 443. you still need port 80 to be there even though you are using SSL

    Do you have a .htaccess file in your root, it may be denying you. Add an Allow directive to both modules

    DocumentRoot “C:\xampp\htdocs\example.test”
    ServerName testsite.test

    Order allow,deny
    Allow from all

    DocumentRoot “C:\xampp\htdocs\example.test”
    ServerName example.test
    SSLEngine On
    SSLCertificateFile “C:/xampp/apache/crt/example.test/server.crt”
    SSLCertificateKeyFile “C:/xampp/apache/crt/example.test/server.key”

    Order allow,deny
    Allow from all

  4. Ian

    Getting the not secure message but are you getting the green padlock? If it’s red you may have not completed a step.
    If it’s green It could be something as simple as cache needing a deep clean.
    What are you putting in the address bar and what is being returned.
    Are you calling for localhost/mysite.test where you should be requesting mysite.test.
    Try qualifying the url with the protocol by prefixing https://

  5. Felix

    Hi man, thanks for the tutorial! I followed all the steps (twice), using .test domains but I still get the non secure screen with this error NET::ERR_CERT_COMMON_NAME_INVALID.

    I think is weird because I’m sure that in the CERT COMMON NAME I entered the domain I was cofiguring… for test purposes: secure.test.

    If anyone have this problem and has any suggestion…

    Thanks!

  6. Felix

    Nevermind… I just replaced just one {{DOMAIN}} in the conf file and there was two. Working perfect! Thanks!

    • Neovorg

      Nice, I was also getting the same errors as you and found out that yep: there aer two {{DOMAIN}} in the conf file, edited both of them and voila, it worked!

      • Leo

        I got no successful result until I found second {{DOMAIN}} by your post!
        It is working well now 😀

  7. Gunther Jerschabek

    Hi, thank you very much for this brilliant tutorial. Works perfectly in Chrome Version 68.0.3440.106, IE 10 and Opera 54.0 .
    – Didn’t seen the second {{DOMAIN}} to replace at the very end of cert.conf.
    – Was required to clear browser caches.
    -After ‘Unsecure connection’ warning needed some time to find my forgotten point at the end of URL: NOT site.test BUT site.test.
    This works perfectly for me: https://site.test.

  8. Stacy

    Thanks , this worked for me. The only thing you need to do is instead of editing
    C:\xampp\apache\conf\extra\httpd-xampp.conf
    We need to add test domain in
    C:\xampp\apache\conf\extra\httpd-vhosts.conf

  9. Cyber Valdez

    If you’re having this problem when using file_get_contents or curl:
    “file_get_contents(): SSL operation failed with code 1.”

    Make sure to comment out the following line in php.ini
    openssl.cafile=”C:\xampp\apache\bin\curl-ca-bundle.crt”
    to:
    ; openssl.cafile=”C:\xampp\apache\bin\curl-ca-bundle.crt”

    This makes it so it will use the OS managed certificates.

  10. Jeff Matumi

    Hay your plugins are great but mostly outdated. please refresh your plugins on wordpress.org 😉 thanks.

  11. Roy

    Hi,tried allsorts certificate wrong signing xampp won’t run.please help i need localhost to work for developing my daughters website.
    It did work last week all changed when windows 10 updated.
    My address is localhost/waggybum/index.php
    certificates stored where you said. I used localhost/waggybum for them ?? it would be great if you can help also the virtual files done.
    Best regards Roy

    • David

      I’m not 100% sure, but SSL cert is only for top level domain (?)
      So maybe need to create ServerName on your xampp (part #7)

      I hope this helps!
      have fun debugging 🙂

  12. Ian

    Roy,
    from the way I read your problem, you are trying to call your website using a file path (localhost/waggybum/index.php) when you should be calling a url (example.test).

    You need to define waggybum.test in Hosts file (127.0.0.1 waggybum.test) or (localhost waggybum.test) as in Section 6.

    Follow the instruction replacing site.test with waggybum.test.

    • roy

      Hi thx for your help i created certificate from your website
      I tried downloading firefox 3.6 very old one but still would not work with localhost i also took updates off windows 10 to nothing would work yet 2 weeks ago everything was working well

  13. roy

    hi did this renamed the directory where my php programs are to waggybum.test.
    in windows host 127.0.0.1 waggybum.test
    ## site.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test
    SSLEngine on
    SSLCertificateFile “c:/xampp/apache/crt/waggybum.test/server.crt”
    SSLCertificateKeyFile “c:/xampp/apache/crt/waggybum.test/server.key”

    Now says can’t find site

  14. Ian

    uninstalling updates may not be enough.
    If you have restore enabled, try restoring to 2 weeks previous.

    Win 10 update may have changed something.
    Is xampp actually working?

  15. roy

    ignore last comment forgot to take # off 127.0.0.1

    But now waggybum.test uses an invalid security certificate.

  16. Ian

    Did you forget the ports? Virtualhost file should look like this..

    ###### DomainName.test #######

    DocumentRoot “C:\xampp\htdocs\DomainName.test”
    ServerName DomainName.test

    Order allow,deny
    Allow from all

    DocumentRoot “C:\xampp\htdocs\DomainName.test”
    ServerName DomainName.test
    SSLEngine On
    SSLCertificateFile “C:/xampp/apache/crt/DomainName.test/server.crt”
    SSLCertificateKeyFile “C:/xampp/apache/crt/DomainName.test/server.key”

    Order allow,deny
    Allow from all

  17. Ian

    Cut/paste is n’t working very well. What I was trying to show was VirtualHost DomainName.test:80 on the first section and VirtualHost DomainName.test:443 on the second.

  18. Sixten Kangas Gustafsson

    have now few problem:
    have now fix so it work but its only work (say) it secure on host computer,
    and not on other computer
    2:end problem : can’t get to http:// to work only https://

    • Ian

      2: You don’t want http, you only need https (s = secure) The web is moving to greater security. Forget http.

      1: Be aware that XAMPP is a development environment and should not be used for production as it is not secure enough, (if that’s what you are trying to do).
      As far as I am aware, these instructions are for a single computer setup, not for setting up a LAN.

      • Sixten Kangas Gustafsson

        2: i want if u go in http u redirect to https.

        1. okey, it is not for lan, it is for public website not sure why it only works on lan https, block or something for the public not sure how to change that.

        • Ian

          Sixten, the instruction written by David are to allow you to have a fully functioning DEVELOPMENT environment. Nothing more.

          If you are are trying to move your production site from http to https then I suggest you contact your host to set up an SSL for you. Typical cost is $60 but your host may provide free SSL such as https://letsencrypt.org/

          You will probably need to change your .htaccess file too.
          You can get a ton of help and information at https://www.webmasterworld.com/home.htm

  19. roy

    This is just to develope my website on local laptop using xampp used to work great 2 weeks ago my real site is with 123reg and is ssl at present waggybum.co.uk as an index page which you can click on to etsy till i write the site as a shopping cart.most of it is done till this happened.

    OK in windows i set 127.0.0.1 waggybum.test
    in certificate creation i put waggybum.test
    on my localsite i changed php files directory from waggybum to waggybum.test
    these are my virtual host settings

    ## site.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test
    SSLEngine on
    SSLCertificateFile “c:/xampp/apache/crt/waggybum.test/server.crt”
    SSLCertificateKeyFile “c:/xampp/apache/crt/waggybum.test/server.key”

    • Ian

      it should work if you have gone through the whole procedure. Don’t forget every time you generate a new certificate you also need to re-install it.

      • roy

        if I look at certificate view on webpage it says waggybum.test but in the curly brackets ??

      • roy

        Great all working had an .htaccess file in my waggybum.test which I downloaded from my real website forgot all about it but this redirects everything to https took it out and all working thx very much for all your help regards Roy

      • roy

        it works with just typing localhost as well as waggybum.test
        both take me to my index.php file great

    • Ian

      how are you trying to access site.test??
      if you are trying to click on the file from windows explorer, you will get file:///C:/xampp/htdocs/site.test which bypasses the web server completely and is not what you want.

      if you followed the instructions correctly you should be able to just enter site.test or https://site.test in the browser.

  20. mir

    Two computer are in Same wifi zone.
    one computer has XAMPP Server.
    it is perfectly working from the same computer where the server is installed.
    but I am trying to access the site from other computer which is in the same lan or wifi zone.
    From other computer, all the sites are accessible from the ip address(Server computer). like http:\\192.167.0.52\sitename\
    i want to access from other computer using https:\\site.test\sitename\
    kindly help

    • Ian

      localhost and 127.0.0.1 are port loopbacks on a single machine.
      to access from a different machine you will need to use the xampp machines ip address or computer name.

      get your xampp machine name (ie. my-computer)

      from your other machines browser you will need to use
      https:// my-computer/rest of the path

  21. mir

    hi,
    sorry to late reply.
    all the functionality of the web app is working fine using
    https:// my-computer/rest form other computer but in the left corner of address bar its displaying that your connection is not secure.
    but in xampp computer, when i use the url(https://site.test/rest) then it works and displays “connection is secure”.
    How can I make the connection secure from other computer?

  22. Drachsi

    Hi,

    I think I have done everything as shown, but when I go to https://name.test I see error message “Your connection is not secure”

    localhost/name/ and shows the basic WP Theme
    localhost/name/wp-admin/ lets be do admin ok.
    name.test loads but then turns into name.test/dashboard

    How can I identify the problem?
    Thanks to everybody that post their ideas and problems, helped me get this far. I am in my late 70’s, things just take longer.
    Regards
    Drachsi

    • Drachsi

      I had hoped somebody could have helped me with an answer to my question. Is it so difficult?
      Regards
      Drachsi

      • Ian

        Hi Drachsi,
        I’m not a WordPress person ( I roll my own CMS) but it looks like your index.php has a default link to dashboard.

        Look in your index.php for a link with /dashboard in it, comment it out and see if that works.

        • Drachsi

          Hi,

          I am trying hard.
          I checked index.php in the main site.test directory, only loads the Theme and wp-blog-header.php

          Then checked in wp-admin and have this index.php

          —-
          code removed by admin. please use github gist/pastebin or other way to display code.
          —-

          https://site.test shows message " Your connection is not secure" clicked on the "advanced" link and message is

          "The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT"

          Hope you can help.
          Regards
          Drachsi

    • Ian

      Jerome, if you have only changed your http port from 80 to 7070 because of conflict, it shouldn’t matter.
      Just change ALL references of 80 to 7070, likewise if you have changed the https port number.

  23. Drachsi

    I have tried everything, but still get the message
    “The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT”

    What did I do wrong? I am using Firefox.
    Regards
    Drachsi

    • Ian

      I don’t use FF for actual dev work, only for reviewing so I am just suggesting what you might try.
      You need to add a security exception to Firefox browser.
      I just tried this on one of my test sites and it works perfectly.

      This is what I did:

      Go to Tools > Options > Privacy & Security > Certificates
      Click on View Certificates
      In the Certificate Manager select Servers then Add Exception.
      In the Location field add example.test after the https://
      Click Get Certificate
      Check Permanently store this exception
      then Confirm Security Exception
      Click Ok to exit.

  24. Kggh

    I am able to see makecert.bat in apache but no file named cert.conf..where is it?

    • Ian

      you are looking at the wrong file. What you are looking at is apaches default. Forget that file.

      You need to follow Davids script exactly.

      The files you need are in step 3. Also look at Adrian Suters solution in the comments.

  25. Sudhakar

    Thank you so much for an excellent Tutorial David. After three days of struggle with security certificates and related processes, I found your tutorial and it worked like a charm. I used the model with independently installed Apache server (without XAMPP) on Windows Server 2016.

  26. Dario

    I have tried to generate a certificate with a “*” wildcard for ALL subdomains of localhost, but is not working. I have tried:
    [alternate_names]
    DNS.1 = *.localhost
    DNS.2 = myapp.localhost
    DNS.3 = localhost

    In this case is working for myapp.localhost but not for anotherapp.localhost
    ¿this can be made? If it can be made… ¿what can be wrong?

    My Apache VirtualHost configuration is as follows (the same for anotherapp.localhost but with another DocumentRoot & Directory):

    DocumentRoot “E:\workspace\myapp\public”
    ServerName myapp.localhost
    ServerAlias localhost (I have tried with *.localhost also)
    SSLEngine on
    SSLCertificateFile “E:\crt\localhost\server.crt”
    SSLCertificateKeyFile “E:\crt\localhost\server.key”
    SSLOptions +StdEnvVars

    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Require all granted

    Thanks in advance!

  27. Edwin

    I couldn’t get any of the above to work. I had to do the following corrections then it worked perfectly.

    When you replace both instances of {{DOMAIN}} *do not* leave the brackets. The word and brackets should be replaced with your virtual domain name.

    e.g. “{{DOMAIN}}” becomes “mysite.local”.

    Personally I think it would be clearer without the brackets but perhaps they’re there for a reason.

    If you are converting an existing virtual domain to a secure virtual domain it is also *imperative* to delete the cookies for that domain. You can do this by right clicking on the favicon in the Chrome browser address bar and selecting “cookies”.

    In my case after doing the above it worked.

    You can check if your self signed certificate looks correct by viewing it in certmgr.msc on Windows. That’s how I found out I had brackets in my naming where the other certificates did not.

    Finally I had a problem with PHP not recognising my certificate. If this happens for you, you can fix it by opening php.ini and searching for and commenting out the line that begins with ‘openssl.cafile’. If you read the comments above that line it will recommend you comment it out anyway as PHP will then read your OS certificates which is what you actually want.

    Great tutorial and the only one that got it all working for me.

  28. Darius

    You missed spelled the word create.
    For your reference: In this step we are going to crate SSL and setup “site.test” website.

  29. Andy

    Great tutorial and worked the first time for me. Entering https://site.test/ now in the browser shows the Xampp splash screen.

    Where do I now put my local development website on the computer? Before I added the ssl under http, it used to be in the directory c:\Xampp\htdocs\{mywebsite}. Do I still use the same location?

    • Ian

      Yes, the site is in the same place. The only thing changing is the protocol.

      Might I suggest that you did not get it to work first time when you returned the splash screen for xampp. You will get that just by typing localhost into the browser.

      Add your site to c:\Xampp\htdocs\{mywebsite} and retest.

  30. Andy

    Ok, my https development site works now, except that the certificate is not valid and I get a red “Not Secure”. I created the certificate as per instructions above for site.test. My website is located in the directory C:\xampp\htdocs\mycbc and I am starting the website with the command /localhost/mycbc/.
    The error message says that the certificate is for site.test and is not valid for the development site I am opening.
    Any suggestions on how to make the certificate valid for my development site?

    • Ian

      Andy, I think you may have misunderstood the instructions.

      David used site.test in his instructions only as an example. You need to replace any/all reference to site.test with your own sitename.

      Redo using mycbc.test throughout the script.

      Start the website with mycbc.test or https://mycbc.test

      Good luck

  31. Andy

    Interesting, I believe that I followed all the steps correctly, yet:

    When I enter https://localhost/mycbc/, the local website loads, but with a warning that the site is insecure.

    When I enter https://mycbc.test, the local website does not load (instead the default Xampp screen pops up) and a warning that the site is insecure.

  32. Stefan

    Hey man, on my Google Chrome it shows it as a secure site (https’s okay), on firefox it doesn’t. When my friend’s trying to connect to it on either chrome/firefox it shows my site as insecure..Do you have any ways of fixing this?
    Thanks in advance!

  33. Dan

    3 Things I had to do to get it to work (maybe an update is needed?):
    1.) {{DOMAIN}} got me like others… (as this is a programming construct), REMOVE THE BRACKETS NOT JUST THE WORD DOMAIN LIKE I DID!
    2.) openssl location: I had to change the path in the bat to ..\apache\bin\openssl
    3.) Virtual Host: Had to use the httpd-vhost.conf file instead of the httpd-xampp.conf file the instructions indicate in step 7.
    Nevertheless, thank you for your instructions! Very helpful.

  34. Tony

    First I want to say thanks for putting this together. I had a few issues with getting this to work, then I just read the replies and found my answer. Now I just have to get the redirect from http to https to work without having to type in https whenever I want to view my local page development in a secure connection mode.

  35. Joshy

    I tried everything it didn’t work, someone help me please. I’m working on a school project right now.

  36. Ian

    You’re not being very specific Joshy.
    Did you follow the script exactly?
    What are you putting in the browser?
    What errors are you getting back?

    • Robson

      I have just changed the location of openssl since I am not using XAMPP. I am using WAMP 3.1.0 instead.

    • Chris Hailey

      Hi,
      I’ve spent hours on this without success.
      Can someone who has got it working post the relevant sections form the critical files? I think that means httpd-vhosts.conf at least & possibly anything else modified. I assume from the comments that httpd-xampp.conf is not actually modified; the changes are to do with virtual hosts.
      My problems are in getting https:// access working, my insecure http:// links work fine, so my basic xampp configuration is working.

      • Supermavster

        Hello,

        I want to suggest my software in this publication, you just have to write the domain and the location of your project, after that, everything is automatic.

        • Chris

          Hi Supermavster,
          I did visit your site yesterday, but I only speak English & even with the help of Google Translate I was unable to get your downloads.

      • Chris

        I eventually got vhosts working, so I append some notes in the hope that they might help others…

        The following notes apply to a 64-bit Windows 10 Home Edition, build 1810, running xampp-win32-7.3.0-0-VC15. These notes detail what I did to get the secure virtual hosts working, having previously configured xampp to work on the laptop.

        The make-cert.bat & cert.conf files work as intended, although I modified my cert.conf to offer several defaults to suit my circumstances. As mentioned by several people, the {{DOMAIN}} marker must to be replaced by your actual virtual domain (eg, oak.test).

        The certificate installation process is straightforward enough, but if you have to repeat it for a virtual site then I would first delete the previously created server.crt & server.key files manually.

        The modifications to the hosts file are straightforward, but in Win 10 at least I found that actually saving the file requires that you open in editor in administrator mode even if you are logged in as an administrator user.

        I did not modify the httpd-xampp.conf file as recommended; as stated by several people, I think the information is best provided in the httpd-vhosts.conf file. My additions to that file are given below:
        #——————–
        NameVirtualHost *:80

        ServerAdmin oakAdmin@gmail.com
        ServerName oak.test
        Redirect / https://oak.test/
        ErrorLog “logs/oak-test-error.log”
        CustomLog “logs/oak-test-access.log” common

        ServerAdmin oakAdmin@gmail.com
        ServerName oak.test
        DocumentRoot “D:\dataOak\web”
        SSLEngine on
        SSLCertificateFile “C:/xampp/apache/certs/oak.test/server.crt”
        SSLCertificateKeyFile “C:/xampp/apache/certs/oak.test/server.key”
        ErrorLog “logs/oak-testSSL-error.log”
        CustomLog “logs/oak-testSSL-access.log” common

        ## I’d like to use either localhost and/or oak.test, but it’s one or the other so far 🙁

        ##NameVirtualHost oak.test:80
        #
        # ServerAdmin oakAdmin@gmail.com
        # DocumentRoot “D:/dataOak/web”
        # ServerName localhost
        # SSLEngine on
        # SSLCertificateFile “C:/xampp/apache/certs/localhost/server.crt”
        # SSLCertificateKeyFile “C:/xampp/apache/certs/localhost/server.key”
        # ErrorLog “logs/localhostSSL-error.log”
        # CustomLog “logs/localhostSSL-access.log” common
        #
        #——————–

        There are several points to note regarding the vhosts settings above.
        1. In the end I provided certificate full paths in preference to relative paths
        2. Several people suggesting adding ALLOW directives, but I had lots of problems with them, typically the apache server wouldn’t even start. Eventually I removed them all & my installation works as required.
        3. I’d still like to have secure localhost & oak.test vhosts, but in all my testing I only managed to get one or the other working, never both, so I must be doing something wrong.
        4. My vhosts are configured to force secure connections, it’s what I want.

        One general point.
        5. During testing I often thought the set-up was working, but it didn’t survive a reboot, so I did a lot of reboots in the end 🙂 I also think some set-ups didn’t work until after a reboot. In other words, I suspect that stopping/starting the apache server isn’t always sufficient after you have made configuration changes. This behaviour is very frustrating & may partly explain why I had so much difficulty in getting a working configuration.

  37. Chris

    I finally got a working configuration, so for the benefit of others still trying:

    The notes apply to a 64-bit Windows 10 Home Edition, build 1810, running xampp-win32-7.3.0-0-VC15. The following notes detail what I did to get the secure virtual hosts working, having previously configured xampp to work on the laptop.

    The make-cert.bat & cert.conf files work as intended, although I modified my cert.conf to offer several defaults to suit my circumstances. As mentioned by several people, the {{DOMAIN}} marker must to be replaced by your actual virtual domain (eg, oak.test).

    The certificate installation process is straightforward enough, but if you have to repeat it for a virtual site then I would first delete the previously created server.crt & server.key files manually.

    The modifications to the hosts file are straightforward, but in Win 10 at least I found that actually saving the file requires that you open in editor in administrator mode even if you are logged in as an administrator user.

    I did not modify the httpd-xampp.conf file as recommended; as stated by several people, I think the information is best provided in the httpd-vhosts.conf file. I provide the additions to the file as a separate post.

    During testing I often thought the set-up was working, but it didn’t survive a reboot, so I did a lot of reboots in the end 🙂 I also think some set-ups didn’t work until after a reboot. In other words, I suspect that stopping/starting the apache server isn’t always sufficient after you have made configuration changes. This behaviour is very frustrating & may partly explain why I had so much difficulty in getting a working configuration.

  38. Chris

    My additions to the httpd-vhosts.conf file, as promised:
    #——————–
    NameVirtualHost *:80

    ServerAdmin oakAdmin@gmail.com
    ServerName oak.test
    Redirect / https://oak.test/
    ErrorLog “logs/oak-test-error.log”
    CustomLog “logs/oak-test-access.log” common

    ServerAdmin oakAdmin@gmail.com
    ServerName oak.test
    DocumentRoot “D:\dataOak\web”
    SSLEngine on
    SSLCertificateFile “C:/xampp/apache/certs/oak.test/server.crt”
    SSLCertificateKeyFile “C:/xampp/apache/certs/oak.test/server.key”
    ErrorLog “logs/oak-testSSL-error.log”
    CustomLog “logs/oak-testSSL-access.log” common

    ## I’d like to use either localhost and/or oak.test, but it’s one or the other so far 🙁

    ##NameVirtualHost oak.test:80
    #
    # ServerAdmin oakAdmin@gmail.com
    # DocumentRoot “D:/dataOak/web”
    # ServerName localhost
    # SSLEngine on
    # SSLCertificateFile “C:/xampp/apache/certs/localhost/server.crt”
    # SSLCertificateKeyFile “C:/xampp/apache/certs/localhost/server.key”
    # ErrorLog “logs/localhostSSL-error.log”
    # CustomLog “logs/localhostSSL-access.log” common
    #
    #——————–

    There are several points to note regarding the vhosts settings above.
    1. In the end I provided certificate full paths in preference to relative paths
    2. Several people suggesting adding ALLOW directives, but I had lots of probelms with them, typically the apache server wouldn’t even start. eventually I removed them all & my installation works as required.
    3. I’d still like to have secure localhost & oak.test vhosts, but in all my testing I only managed to get one or the other working, never both, so I must be doing something wrong.
    4. My vhosts are configured to force secure connections, it’s what I want.

  39. Chris

    Well, I’ve tried posting the additions to the vhosts several times but all the posts were blocked. No indication of why so I’m giving up now.

  40. Lukas

    Hello, thanks for this tutorial.
    It works in Chrome or Opera but the problem is with FF.
    Even if i add exception in FF Certifications settings, the padlock is not green – just orange with information about not secure connection. Site work but it is incomplete solution.
    Do you know what I can do about it?

  41. LeonM

    As others have noted this solution works fine for Chrome and Opera, but not completely for Firefox (it will work if you add a security exception, but shows a yellow warning icon instead of a green padlock).

    I believe the fix is to add a PEM, but I’m not sure how to do that for multiple domains with subdomains.

    My setup is typically like this (many projects):
    # Project 1
    example.test
    http://www.example.test
    es.example.test
    fr.example.test

    # Project 2
    example-two.test
    http://www.example-two.test
    es.example-two.test
    fr.example-two.test

    If anyone knows how to add a PEM for this scenario please post a gist.

  42. amar

    Works well for me, on Windows 10 Pro 1809 (OS Build 17763.316); Using xampp 7.3.2 / PHP 7.3.2

  43. Alcides

    In case it’s worth it step 7 pasted in httpd-vhosts.conf instead httpd-xampp.conf work for me. Thank a lot, very useful post.

  44. Bronwyn

    Worked without any issues. This is something I had been struggling with for a while, thank you!

  45. likhith

    Hello,
    I followed the same steps, but after complication of make-cert. The folder site.test is created, but inside site.test folder instead of server.crt only server file is created. Can anyone please help me

  46. likhith

    Hello,
    I followed the same steps, but after complication of make-cert. The folder site.test is created, but inside site.test folder instead of server.crt only server file is created. Can anyone please help me to solve this

  47. Leo

    I got no successful result until I found second {{DOMAIN}} by your post!
    It is working well now 😀

  48. Dennis

    Great tutorial but I struggled for a few hours to get this to work.

    If the above info does not work for you, you might want to try this one?

    In the post the settings are:

    DocumentRoot “E:/xampp/htdocs”
    ServerName test.local
    ServerAlias *.test.local

    DocumentRoot “E:/xampp/htdocs”
    ServerName test.local
    ServerAlias *.test.local
    SSLEngine on
    SSLCertificateFile “crt/to.local/server.crt”
    SSLCertificateKeyFile “crt/test.local/server.key”

    When I used the above code, I was taken to the xampp dashboard when visiting my site but adding my domain to DocumentRoot I was able to access my site.

    You might have to add your domain into the DocumentRoot as follows:

    DocumentRoot “E:/xampp/htdocs/test.local”
    ServerName test.local
    ServerAlias *.test.local

    DocumentRoot “E:/xampp/htdocs/test.local”
    ServerName test.local
    ServerAlias *.test.local
    SSLEngine on
    SSLCertificateFile “crt/to.local/server.crt”
    SSLCertificateKeyFile “crt/test.local/server.key”

    As I have the latest xampp (when this is written, XAMPP for Windows 7.3.4) I got 500 error when accessing the https://localhost/dashboard/ after adding the code into both these files

    C:\xampp\apache\conf\extra\httpd-xampp.conf
    We need to add test domain in
    C:\xampp\apache\conf\extra\httpd-vhosts.conf

    I added into:
    E\xampp\apache\conf\extra\httpd.conf
    and got my xampp dashboard back.

    Also, on line 10 in the “make cert”, you might want to extend your cert up to 10 years by changing the days from 365 to 3652, or you might have to run this process again in one year!

    Thanks for this great tutorial.

  49. Angrej Kumar

    Thanks for such a descriptive Post for explaining SSL on local server.

    You can edit .bat file by just open with a text editor. Or just drag the file to a text editor.

    Thanks Again!

  50. Anil Prajapati

    You are a Legend!!!! works like a charm !!

    Thank you very much. I found your blog first in my result and worked in the first try so really, loved it. Thank you very much for the blog.

  51. Helveticus

    Great article !! Thanks for publishing this tutorial. It saved me tons of hours.

    Some caveats to keep in mind :
    1. If the ‘xampp’ folder is located on a different drive (say D:), full path specs are needed in ‘make-cert.bat’ (ie OPENSSL_CONF=D:/xampp/apache/conf/openssl.cnf, etc).
    2. Use”httpd-vhosts.conf’ instead of ‘httpd-xampp.conf’.

  52. shany

    hi, thank for this tutorial , its very clear!!!!
    i do all the levels, but its work only on my server ,where the xampp place.
    when i enter to my domain in different computer, the https not working.
    do you know why??

  53. salomoon

    Yes it works! Chrome is so stupid to trust to this fake website. Now i can record video. I had blog, please visit it too

    • Arid

      Hi Salomoon. Appreciate if you could share the link for your record video so that i can refer on each steps that you performed ssl on xampp. I looked into your blog but still not has a video as what you said. Thank you.

  54. m.ayazbariwala

    its works on my xampp, but https not working while request from another system(virtual host)

  55. ekta

    Hi

    I have done all steps but still connection is not secure.

    It is showing certificate has different purpose.

  56. Pau

    Hi, cant find or browse the Trusted Root Certification Authorities… How can i add this? thank you.

  57. gelwin

    Access forbidden!
    You don’t have permission to access the requested directory. There is either no index document or the directory is read-protected.

    If you think this is a server error, please contact the webmaster.

    Error 403
    localhost
    Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.8

    I got this error please help me

  58. Alex

    Hey guys

    what if I want to use a signed cert from a Certification Authorities like Verisign or Comodo I have a system with a static IP (192.168…) but hosted locally on XAMPP.

  59. Dan Hamm

    Hi David
    Came across this a couple of days ago; it looks useful, and I’ll set it up when I’ve got 1/2 hour spare time. In passing, I noticed your remark about doing text replace in a .bat script.
    I use PHP for doing this sort of thing (any sort of text manipulation in local files). First make sure that something like E:\xampp\php is in your PATH variable (XAMPP install may do this for you; can’t remember). Then write a PHP script to do whatever you need (e.g. doit.php) – I’ve got a NetBeans project in C:\phpUts which contains all of my text manipulation scripts. Finally create a .bat or .cmd file which contains the single line
    @php C:\phpUts\doit.php %1 %2 …
    which passes the command line arguments to the script, which you access with $argv[1], $argv[2] etc. ($argv[0] contains the script name).
    Finally, place a call to this script in your .bat file. You’ve then got all of the power of PHP to do whatever text manipulation you like.

  60. richmond

    This is only for server cert right? How about client side? By accessing the server using its IP

  61. Pete

    For those having issues, I found you need to set the domain:port in httpd-vhost.conf,

    #Needed to be named??
    NameVirtualHost *:443

    DocumentRoot “C:/xampp/htdocs/domain.test”
    ServerName domain.test
    ServerAlias *.domain.test
    SSLEngine on
    SSLCertificateFile “C:/xampp/apache/crt/domain.test/server.crt”
    SSLCertificateKeyFile “C:/xampp/apache/crt/domain.test/server.key”

    Options Indexes FollowSymLinks Includes ExecCGI
    Order allow,deny
    Allow from all
    AllowOverride All
    Require all granted

    • Peter

      sorry thee tags got stripped in the post

      instead of
      VirtualHost *:443
      make it
      VirtualHost domain.test:443

  62. Jaro

    Hi everyone!!

    If im on localhost pc and type addr site.test i got valid cert!! But if im joining by PC IP ADDR i got NET::ERR_CERT_COMMON_NAME_INVALID 🙁 My alternatives:

    DNS.1 = site.test
    DNS.2 = 192.168.0.151
    DNS.3 = 192.168.0.151:443

    Any solution? On another PC in network i got error:
    net::err_cert_authority_invalid

  63. Stefan in Kattvik in Malmö

    Hallo Jaro, I had the same problem, and have now solved it. When you have an IP-address it is not allowed to have DNS.2 = …, instead write: IP1 = … And it is not allowed with portnumber for the DNS, so just skip that row in the code.

    • Jaro

      To: Stefan in Kattvik in Malmö

      I still can see my site.test only on localhost. When im trying connect from another device in network (typing to browser site.test), its not possible. 🙁
      Did you meet this problem?

      • Stefan in Kattvik in Malmö

        — Have you checked in the firewall:
        Allow an app or feature…
        that apache is added:
        c:\XAMPP\apache\bin\httpd.exe
        — And have you added the CA to the certificate store in the “another device”? I tested to remove my CA.crt from the store and got the message: err_cert_authority_invalid.

  64. Andreas (West of Munich))

    Hi David,

    Many thanks for your fine recipe to add SSL to the my localhost. Sticking to your description, it works fine for my local WordPress instance. I am exporting/importing forth and back the WordPress stuff from local to two “real” SSL protected sites (productive and quality assurance) – with your help the local development and testing (under SSL conditions for the deployment) does well.

    Best,

    Andreas

  65. Himasna Eshan

    do anyone no how install this certificate in android. In android device this is not trusted .

  66. Hiram

    Thanks it Works!! simple and easy, the best tutorial to enable SSL in XAMPP

  67. Sujoy Dhar

    Hi,
    Secure connection shown on the server only but if it is fetched from other system in same network it’s again shown unsecured. Please help

  68. James Butler

    I had this working back in June of 2020 and now for some reason the site.test is no longer secure. Did google chrome and other browser makers make a change to break this?

  69. Rusty

    To automatically rename the domain to the input you can call a powershell command to find and replace like this
    “`
    @echo off
    set /p domain=”Enter Domain: ”
    set OPENSSL_CONF=../conf/openssl.cnf

    if not exist .\%domain% mkdir .\%domain%

    powershell -Command “(gc ‘cert.conf’) -replace ‘\[DOMAIN\]’, ‘%domain%’ | Out-File ‘cert.conf’ -encoding utf8”

    ..\bin\openssl req -config cert.conf -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 365 -out %domain%\server.crt

    powershell -Command “(gc ‘cert.conf’) -replace ‘%domain%’, ‘[DOMAIN]’ | Out-File ‘cert.conf’ -encoding utf8”

    echo.
    echo —–
    echo The certificate was provided.
    echo.
    pause
    “`

  70. globdug

    Thank you! 🙂
    I had to edit some lines but it worked.
    I have a portable version of Xampp, in my case, in D:/xampp/7.3.21.
    To make it work I had to edit these lines:

    SSLCertificateFile “crt/site.test/server.crt”
    SSLCertificateKeyFile “crt/site.test/server.key”

    to the full path of certificate, in my case:

    SSLCertificateFile “D:/xampp/7.3.21/apache/crt/site.test/server.crt”
    SSLCertificateKeyFile “D:/xampp/7.3.21/apache/crt/site.test/server.key”

    By the way, I tried you don’t how many times to find a guide to achieve this result, and I never found this page. Now, after months and months, finally, you! THANK YOU!!! 😀

  71. Nick

    perfect ! the link to the make-cert.bat won’t work with current version with of xamp, some notes should be put to get to the updated

  72. Vasko

    Hi guys,
    i have a problem running my local domain with Xampp. I did everything , step by step and getting a following error:
    Access forbidden!
    You don’t have permission to access the requested directory. There is either no index document or the directory is read-protected.
    If you think this is a server error, please contact the webmaster.
    Error 403

  73. Web Guy

    Thanks a lot for this tutorial. It worked perfectly for me. However, I entered some details other than domain name when running the cert.bat file, without properly understanding instructions. So it did not work in the first few attempts.
    In Dec 2020 this results in a secure connection in Chrome, Edge and Opera browsers in Windows 10 64-bit. But the firefox shows an insecure connection.

    • Jim

      My firefox does as well. I’ll have to check it out but for development, I can use edge. I would rather use firefox developer but I agree, it doesn’t work there.

    • Jim

      Bring up about:config in Firefox.
      Enter Enterprise
      Change security.enterprise_roots.enabled to true.
      All fixed.

  74. Talha

    Thanks for sharing buddy, now i can use https on my local machine . high five

  75. Jim

    Wow! I have spent what seems to be YEARS trying to get SSL inside my VM VirtualBox. Your directions made it work!

    Thank you!

    One thing, I needed to add: cd %~dp0 after @echo off in the batch file to make it work.

  76. AS

    Thanks for this wonderful tutorial, was able to follow every step and it’s actually working but I am getting “not secured” on my browsers(Opera, Edge and Chrome).

    Any fix?

  77. Abdelwahed

    I replace {{DOMAIN}} with abko.local and its work.
    but I can’t connect to my database in I think it’s in the servername
    whats my servername, localhost not working

  78. anup Gupta

    Hi,

    Will You Please Tell Me Why they are indexing Issues in New Pages, My Last 10 pages are not index even if my website is 1 year old.

  79. Bier

    Hi David,
    Your tutorial rocks! Especially when applying it on a clean XAMPP install. Thank you so much! Keep up the good work. Bier

  80. Jose

    Any idea to get this working and installed on android device? Android does not trust the crt file and I cannot import it

  81. Aaron Stalter

    I followed some of the links on your Github page for the make-cert.bat file and found some code that replaces the {{DOMAIN}} text with the domain name you entered, creates a tmp .conf file with the updated text and then uses that to create the certificate. That way you don’t have to manually change the domain name in the cert.conf file every time you need a new cert for a different website. Here is the code:

    @echo off

    SETLOCAL EnableDelayedExpansion

    set /p domain=”Enter Domain: ”
    set OPENSSL_CONF=../conf/openssl.cnf
    set tmp_cert_conf=cert_%domain%.conf

    del %tmp_cert_conf%

    for /f “delims=” %%x in (cert.conf) do (
    set “string=%%x”
    set “modified=!string:{{DOMAIN}}=%domain%!”
    echo !modified!>>”%tmp_cert_conf%”
    )

    if not exist .\%domain% mkdir .\%domain%

    ..\bin\openssl req -config %tmp_cert_conf% -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 365 -out %domain%\server.crt

    del %tmp_cert_conf%

    echo.
    echo —–
    echo The certificate was provided.
    echo.
    pause

    For anyone that’s copying and pasting this, note that for this to work, you need to leave the {{DOMAIN}} text in the original cert.conf file just like it is originally.

  82. Marco Marsala

    @echo off
    set /p domain=”Enter Domain: ”
    call BatchSubstitute.bat {{DOMAIN}} %domain% cert.conf > cert.conf.tmp
    set OPENSSL_CONF=../conf/openssl.cnf

    if not exist .\%domain% mkdir .\%domain%

    ..\bin\openssl req -config cert.conf.tmp -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 3650 -out %domain%\server.crt
    del cert.conf.tmp

    echo.
    echo —–
    echo The certificate was provided.
    echo.
    pause

    BatchSubstitute.bat
    @echo off
    REM — Prepare the Command Processor —
    SETLOCAL ENABLEEXTENSIONS
    SETLOCAL DISABLEDELAYEDEXPANSION

    ::BatchSubstitude – parses a File line by line and replaces a substring”
    ::syntax: BatchSubstitude.bat OldStr NewStr File
    :: OldStr [in] – string to be replaced
    :: NewStr [in] – string to replace with
    :: File [in] – file to be parsed
    :$changed 20100115
    :$source https://www.dostips.com
    if “%~1″==”” findstr “^::” “%~f0″&GOTO:EOF
    for /f “tokens=1,* delims=]” %%A in (‘”type %3|find /n /v “””‘) do (
    set “line=%%B”
    if defined line (
    call set “line=echo.%%line:%~1=%~2%%”
    for /f “delims=” %%X in (‘”echo.”%%line%%””‘) do %%~X
    ) ELSE echo.
    )

  83. Pimp Devil

    SSL still will not pull up on outside networks, just the localhost, this is not helpful. I was wanting it to show up for the www, not just the hosting computer.

  84. Vikas

    How to enable https on local device in same network also get https it’s not working in mobile when I try to access xampp panel in mobile with https pls help me out

  85. Vikas

    How to enable https on local device in same network also get https it’s not working in mobile when I try to access xampp panel in mobile with https pls help me out.

  86. Alex

    Excellent tutorial, thanks so much. In my current XAMPP installation, the virtual host configuration goes into /xampp/apache/conf/extra/ the file httpd-vhosts.conf and not httpd-xampp.conf. Maybe this helps someone.

  87. Wojciech

    Trying and trying, but still insecure from other device in network. Is it possible to make site secure for another devices then localhost?? It would be very useful. Someone figure it out??

    • Chris

      If it works on localhost it should work on other computers, once you have imported the certificate into the browser certificate store on the computers concerned. If you don’t do that the browser will treat it as an untrusted certificate.

      • Wojciech

        Are you sure? I install certificate on other computers and site is still unsecure. It works only for localhost. And what about mobiles? How to install ceritificate for samsung browser?

        • Chris

          I’m not positive, I don’t do this sort of thing normally, but it didn’t work on my local browser without complaining until I imported the certificate into the browser. It might well have been working as a certificate but it complained every time I went to the site initially. Importing the certificate stopped the browser complaining.

    • Red

      Do you change the IP Address below to other ?
      Example localhost IP Address:
      127.0.0.1 site.test

      Example Public IP Address and it depend on your network IP Address:
      192.168.10.10 supersite.test

      To get your IP Address in local network just:
      1) Open command prompt and type “ipconfig”
      2) After that you can get your IP Address
      3) Change 127.0.0.1 to your IP Address that you got it on step 2

      Hope this info could help you.

  88. thehazzard

    Hi all,

    we are since this month using XAMPP on our windows servers.
    And we try to have an secure connection. So an SSL certificate is needed.

    We have several servers, all of them are joined to the domain.
    And the web application server what is having XAMPP installed, and running our application now needs to have an SSL certificate.

    In this case i want to try to follow your tutorial, but a lot of comments says it is not working.

    Your step4, with the domain, we want to use our FQDN for this one. But since the application is running htdocs/application and not direct in htdocs, do we need to add the /application as well or what? The servers having an static IP as well.

    • thehazzard

      That specific server is operating internally. Will not access the internet.

      I tried to install IIS on that server , and to use win-acme (letsEncrypt tool) to bind it. But when XAMPP is running IIS http port will not work in IIS. So am afraid that this option also will not wor.

      • Jim

        My question is, are you trying to operate on the web or just an internal test server?

        Internal servers don’t need SSL. External do.

        • thehazzard

          We are trying to operate offline. But since we will use the CMDB web application also on the clients it’s better it’s secure.

          It’s showing the hole time not secure, certificate error. And all clients (laptops, desktops) we disabled IE.

Comments are closed.