How to Create Valid SSL in localhost for XAMPP

Chrome browser updates have become a burden for local development. Not only did they decide to disable the .dev domain for local development, they also require a really specific configuration in the SSL cert before showing the site as secure.

In this step-by-step tutorial I will walk through creating an SSL cert locally for use with XAMPP on Windows.

In my XAMPP install I basically have a clone of every site that I manage, and all of them (of course) use SSL/HTTPS.

Here’s the step-by-step guide:

In these steps we are going to create an SSL cert and set up the “site.test” website.

1. Navigate to Apache directory in XAMPP.

In a regular install it’s in C:\xampp\apache.

2. Create a folder in that directory.

This is where we will store our cert. In this example I will create a “crt” folder, so we will have C:\xampp\apache\crt.

3. Add these files.

4. Edit cert.conf and Run make-cert.bat

Replace the {{DOMAIN}} text with the domain we want to use, in this case site.test, and save.

Double-click make-cert.bat and enter the domain site.test when prompted. Just press Enter for the other questions, since the defaults are already set in cert.conf.

Note: I don’t know how to do text replacement in a .bat script. If you do, let me know in the comments how to do it and I will update make-cert.bat to automatically replace {{DOMAIN}} with the domain input.

5. Install the cert in Windows.

After that, you will see a site.test folder has been created. That folder contains server.crt and server.key. This is our SSL certificate.

Double-click server.crt to install it on Windows so that Windows trusts it.

Then select Local Machine as the Store Location.

Then select “Place all certificates in the following store”, click Browse and select Trusted Root Certification Authorities.

Click Next and Finish.

The cert is now installed and trusted in Windows. Next is how to use this cert in XAMPP.

6. Add the site in Windows hosts

  1. Open Notepad as administrator.
  2. Edit C:\Windows\System32\drivers\etc\hosts (the file has no extension).
  3. Add this on a new line:
127.0.0.1 site.test

This tells Windows to load XAMPP when we visit http://site.test. You can try it and it will show the XAMPP dashboard page.

7. Add the site in XAMPP conf.

We need to enable SSL for this domain and let XAMPP know where we store the SSL Cert. So we need to edit C:\xampp\apache\conf\extra\httpd-xampp.conf

And add this code at the bottom:

## site.test
 <VirtualHost *:80>
     DocumentRoot "C:/xampp/htdocs"
     ServerName site.test
     ServerAlias *.site.test
 </VirtualHost>
 <VirtualHost *:443>
     DocumentRoot "C:/xampp/htdocs"
     ServerName site.test
     ServerAlias *.site.test
     SSLEngine on
     SSLCertificateFile "crt/site.test/server.crt"
     SSLCertificateKeyFile "crt/site.test/server.key"
 </VirtualHost>

After that, you will need to restart Apache in XAMPP. It’s very simple: open the XAMPP Control Panel, then stop and restart the Apache module.

Tip: As you can see in the XAMPP conf, you can change the domain’s root directory if needed, e.g. to a sub-directory of htdocs.

8. Restart your browser and done!

This is required to load the certificate. Then visit the domain in your browser and you will see the green lock!
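
Steps 2 to 5 as a single PowerShell script, added here as an example (it is not the cert.conf or make-cert.bat this tutorial refers to, which are not reproduced on this page). It replaces every {{DOMAIN}} occurrence, stops if any brace is left, and confirms that the generated certificate lists the domain as a subjectAltName. The embedded config template, the parameter names and the default openssl.exe path are assumptions.

```powershell
# New-LocalCert.ps1 -- added example, not the tutorial's make-cert.bat.
# Usage (an elevated prompt is needed only with -Trust):
#   .\New-LocalCert.ps1 -Domain site.test -Trust
param(
    [Parameter(Mandatory = $true)] [string] $Domain,
    [string] $OpenSsl = 'C:\xampp\apache\bin\openssl.exe',  # assumed location
    [string] $CrtRoot = 'C:\xampp\apache\crt',              # folder from step 2
    [switch] $Trust                                         # also perform step 5
)

# Accept only a plain host name, so stray braces or spaces never reach the cert.
$label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
if ($Domain -notmatch "^$label(\.$label)*$") {
    throw "Not a valid host name: '$Domain'"
}
if (-not (Test-Path -LiteralPath $OpenSsl)) { throw "openssl not found at $OpenSsl" }

# Constructed OpenSSL config. Chrome ignores the Common Name and matches the
# host only against subjectAltName, so the domain has to appear in both places.
$template = @'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = subject
x509_extensions    = x509_ext

[ subject ]
commonName = {{DOMAIN}}

[ x509_ext ]
subjectAltName = @alternate_names

[ alternate_names ]
DNS.1 = {{DOMAIN}}
DNS.2 = *.{{DOMAIN}}
'@

# String.Replace substitutes every occurrence; fail if any brace survives.
$conf = $template.Replace('{{DOMAIN}}', $Domain)
if ($conf -match '[{}]') { throw 'Unreplaced placeholder left in cert.conf' }

$outDir   = Join-Path $CrtRoot $Domain
$confPath = Join-Path $outDir 'cert.conf'
$crtPath  = Join-Path $outDir 'server.crt'
$keyPath  = Join-Path $outDir 'server.key'
New-Item -ItemType Directory -Force -Path $outDir -ErrorAction Stop | Out-Null
# ASCII on purpose: openssl cannot parse a UTF-16 or BOM-prefixed config.
Set-Content -Path $confPath -Value $conf -Encoding Ascii -ErrorAction Stop

# Self-signed certificate plus unencrypted key, valid for one year.
& $OpenSsl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 `
    -config $confPath -keyout $keyPath -out $crtPath
if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }

# Read the certificate back and check the names the browser will match against.
$text = & $OpenSsl x509 -in $crtPath -noout -text | Out-String
foreach ($name in @($Domain, "*.$Domain")) {
    $pattern = [regex]::Escape("DNS:$name") + '(,|\s)'
    if ($text -notmatch $pattern) { throw "subjectAltName entry missing: $name" }
}

if ($Trust) {
    # Step 5: Local Machine > Trusted Root Certification Authorities.
    Import-Certificate -FilePath $crtPath -CertStoreLocation Cert:\LocalMachine\Root `
        -ErrorAction Stop | Out-Null
}

# Anyone who can read server.key can impersonate these names to a machine that
# trusts the cert, so keep it out of htdocs and out of version control.
Write-Output "Certificate: $crtPath"
Write-Output "Private key: $keyPath"
```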

I hope this tutorial is useful!

If you already use another method, let me know in the comments 🙂

117 Comments

  1. Wolverine

    In step 7,

    1- I paste the code in httpd-xampp.conf
    2- then I stop the xampp (Apache)
    3- Then I start it (in this part the Apache does not work)

    Now if I remove the code, Apache works, but if I paste it again it stops working.

    Is there anything else to do in this part?

    Thank you

    Reply
    • Hakim Douib

      I have the same problem and my solution was that I need to fix the path to the crt and key, because when you change the site.site to your domain (for me it was localhost) I forgot to change it in the script
      SSLCertificateFile "crt/localhost/server.crt"
      SSLCertificateKeyFile "crt/localhost/server.key"

      Reply
      • Ian

        That is correct. Google bought the .dev registry from ICANN Dec 2017 for their own internal use and closed down any external use of it.
        The alternatives are to use an undisputed TLD. .test .example and .localhost are all protected by ICANN, so one of those is the best option.

        We’re all in the same boat here.

        Reply
        • Drachsi

          Thank you very much. No wonder I was having problems, nobody but you mention that.
          Regards
          Drachsi

          Reply
  2. Yvon

    I followed the instructions, but my Apache does not start anymore.
    It displayed
    11:04:24 [Apache] Status change detected: running
    11:04:25 [Apache] Status change detected: stopped
    11:04:25 [Apache] Error: Apache shutdown unexpectedly.
    11:04:25 [Apache] This may be due to a blocked port, missing dependencies,
    11:04:25 [Apache] improper privileges, a crash, or a shutdown by another method.
    11:04:25 [Apache] Press the Logs button to view error logs and check
    11:04:25 [Apache] the Windows Event Viewer for more clues
    11:04:25 [Apache] If you need more help, copy and post this
    11:04:25 [Apache] entire log window on the forums

    How can I fix it?

    Reply
  3. Ian

    Apache is missing dependencies possibly caused by trying to start before the certificate has been created
    Apache cannot find the path
    Access was denied.

    Was the SSL saved – check the directory. Is it there, is the path correct?
    If you rerun it, delete the previous directory.

    Hosts file – must be edited with elevated privileges and saved as host – not host .txt or any other extension.
    In the conf file, ensure the first module is port 80 and the second module is port 443. You still need port 80 to be there even though you are using SSL.

    Do you have a .htaccess file in your root, it may be denying you. Add an Allow directive to both modules

    DocumentRoot “C:\xampp\htdocs\example.test”
    ServerName testsite.test

    Order allow,deny
    Allow from all

    DocumentRoot “C:\xampp\htdocs\example.test”
    ServerName example.test
    SSLEngine On
    SSLCertificateFile “C:/xampp/apache/crt/example.test/server.crt”
    SSLCertificateKeyFile “C:/xampp/apache/crt/example.test/server.key”

    Order allow,deny
    Allow from all

    Reply
  4. Ian

    Getting the not secure message but are you getting the green padlock? If it’s red you may have not completed a step.
    If it’s green It could be something as simple as cache needing a deep clean.
    What are you putting in the address bar and what is being returned.
    Are you calling for localhost/mysite.test where you should be requesting mysite.test.
    Try qualifying the url with the protocol by prefixing https://

    Reply
  5. Felix

    Hi man, thanks for the tutorial! I followed all the steps (twice), using .test domains but I still get the non secure screen with this error NET::ERR_CERT_COMMON_NAME_INVALID.

    I think it is weird because I’m sure that in the CERT COMMON NAME I entered the domain I was configuring… for test purposes: secure.test.

    If anyone has this problem and has any suggestion…

    Thanks!

    Reply
  6. Felix

    Never mind… I replaced just one {{DOMAIN}} in the conf file and there were two. Working perfectly! Thanks!

    Reply
    • Neovorg

      Nice, I was also getting the same errors as you and found out that yep: there are two {{DOMAIN}} in the conf file, edited both of them and voila, it worked!

      Reply
      • Leo

        I got no successful result until I found second {{DOMAIN}} by your post!
        It is working well now 😀

        Reply
  7. Gunther Jerschabek

    Hi, thank you very much for this brilliant tutorial. Works perfectly in Chrome Version 68.0.3440.106, IE 10 and Opera 54.0 .
    – Didn’t see the second {{DOMAIN}} to replace at the very end of cert.conf.
    – Was required to clear browser caches.
    – After ‘Unsecure connection’ warning needed some time to find my forgotten point at the end of URL: NOT site.test BUT site.test.
    This works perfectly for me: https://site.test.

    Reply
  8. Stacy

    Thanks , this worked for me. The only thing you need to do is instead of editing
    C:\xampp\apache\conf\extra\httpd-xampp.conf
    We need to add test domain in
    C:\xampp\apache\conf\extra\httpd-vhosts.conf

    Reply
  9. Cyber Valdez

    If you’re having this problem when using file_get_contents or curl:
    “file_get_contents(): SSL operation failed with code 1.”

    Make sure to comment out the following line in php.ini
    openssl.cafile=”C:\xampp\apache\bin\curl-ca-bundle.crt”
    to:
    ; openssl.cafile=”C:\xampp\apache\bin\curl-ca-bundle.crt”

    This makes it so it will use the OS managed certificates.

    Reply
  10. Jeff Matumi

    Hey, your plugins are great but mostly outdated. Please refresh your plugins on wordpress.org 😉 thanks.

    Reply
  11. Roy

    Hi, tried all sorts certificate wrong signing xampp won’t run. Please help, I need localhost to work for developing my daughter’s website.
    It did work last week all changed when windows 10 updated.
    My address is localhost/waggybum/index.php
    certificates stored where you said. I used localhost/waggybum for them ?? it would be great if you can help also the virtual files done.
    Best regards Roy

    Reply
    • David

      I’m not 100% sure, but SSL cert is only for top level domain (?)
      So maybe need to create ServerName on your xampp (part #7)

      I hope this helps!
      have fun debugging 🙂

      Reply
  12. Ian

    Roy,
    from the way I read your problem, you are trying to call your website using a file path (localhost/waggybum/index.php) when you should be calling a url (example.test).

    You need to define waggybum.test in Hosts file (127.0.0.1 waggybum.test) or (localhost waggybum.test) as in Section 6.

    Follow the instruction replacing site.test with waggybum.test.

    Reply
    • roy

      Hi thx for your help i created certificate from your website
      I tried downloading firefox 3.6 very old one but still would not work with localhost i also took updates off windows 10 to nothing would work yet 2 weeks ago everything was working well

      Reply
  13. roy

    hi did this renamed the directory where my php programs are to waggybum.test.
    in windows host 127.0.0.1 waggybum.test
    ## site.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test
    SSLEngine on
    SSLCertificateFile “c:/xampp/apache/crt/waggybum.test/server.crt”
    SSLCertificateKeyFile “c:/xampp/apache/crt/waggybum.test/server.key”

    Now says can’t find site

    Reply
  14. Ian

    uninstalling updates may not be enough.
    If you have restore enabled, try restoring to 2 weeks previous.

    Win 10 update may have changed something.
    Is xampp actually working?

    Reply
  15. roy

    ignore last comment forgot to take # off 127.0.0.1

    But now waggybum.test uses an invalid security certificate.

    Reply
  16. Ian

    Did you forget the ports? Virtualhost file should look like this..

    ###### DomainName.test #######

    DocumentRoot “C:\xampp\htdocs\DomainName.test”
    ServerName DomainName.test

    Order allow,deny
    Allow from all

    DocumentRoot “C:\xampp\htdocs\DomainName.test”
    ServerName DomainName.test
    SSLEngine On
    SSLCertificateFile “C:/xampp/apache/crt/DomainName.test/server.crt”
    SSLCertificateKeyFile “C:/xampp/apache/crt/DomainName.test/server.key”

    Order allow,deny
    Allow from all

    Reply
  17. Ian

    Cut/paste isn’t working very well. What I was trying to show was VirtualHost DomainName.test:80 on the first section and VirtualHost DomainName.test:443 on the second.

    Reply
    • Ian

      2: You don’t want http, you only need https (s = secure) The web is moving to greater security. Forget http.

      1: Be aware that XAMPP is a development environment and should not be used for production as it is not secure enough, (if that’s what you are trying to do).
      As far as I am aware, these instructions are for a single computer setup, not for setting up a LAN.

      Reply
      • Sixten Kangas Gustafsson

        2: i want if u go in http u redirect to https.

        1. okey, it is not for lan, it is for public website not sure why it only works on lan https, block or something for the public not sure how to change that.

        Reply
        • Ian

          Sixten, the instructions written by David are to allow you to have a fully functioning DEVELOPMENT environment. Nothing more.

          If you are trying to move your production site from http to https then I suggest you contact your host to set up an SSL for you. Typical cost is $60 but your host may provide free SSL such as https://letsencrypt.org/

          You will probably need to change your .htaccess file too.
          You can get a ton of help and information at https://www.webmasterworld.com/home.htm

          Reply
  18. roy

    This is just to develop my website on local laptop using xampp. Used to work great 2 weeks ago. My real site is with 123reg and is ssl at present waggybum.co.uk as an index page which you can click on to etsy till I write the site as a shopping cart. Most of it is done till this happened.

    OK in windows i set 127.0.0.1 waggybum.test
    in certificate creation i put waggybum.test
    on my localsite i changed php files directory from waggybum to waggybum.test
    these are my virtual host settings

    ## site.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test

    DocumentRoot “C:/xampp/htdocs/waggybum.test”
    ServerName waggybum.test
    ServerAlias *.waggybum.test
    SSLEngine on
    SSLCertificateFile “c:/xampp/apache/crt/waggybum.test/server.crt”
    SSLCertificateKeyFile “c:/xampp/apache/crt/waggybum.test/server.key”

    Reply
    • Ian

      it should work if you have gone through the whole procedure. Don’t forget every time you generate a new certificate you also need to re-install it.

      Reply
    • Ian

      how are you trying to access site.test??
      if you are trying to click on the file from windows explorer, you will get file:///C:/xampp/htdocs/site.test which bypasses the web server completely and is not what you want.

      if you followed the instructions correctly you should be able to just enter site.test or https://site.test in the browser.

      Reply
  19. mir

    Two computers are in the same wifi zone.
    One computer has the XAMPP server.
    It is working perfectly from the same computer where the server is installed.
    But I am trying to access the site from the other computer, which is on the same LAN or wifi zone.
    From the other computer, all the sites are accessible from the IP address (server computer), like http:\\192.167.0.52\sitename\
    I want to access from the other computer using https:\\site.test\sitename\
    Kindly help

    Reply
    • Ian

      localhost and 127.0.0.1 are port loopbacks on a single machine.
      to access from a different machine you will need to use the xampp machines ip address or computer name.

      get your xampp machine name (ie. my-computer)

      from your other machines browser you will need to use
      https:// my-computer/rest of the path

      Reply
  20. mir

    hi,
    sorry for the late reply.
    All the functionality of the web app is working fine using
    https:// my-computer/rest from the other computer, but in the left corner of the address bar it displays that your connection is not secure.
    But on the xampp computer, when I use the url (https://site.test/rest) it works and displays “connection is secure”.
    How can I make the connection secure from the other computer?

    Reply
  21. Drachsi

    Hi,

    I think I have done everything as shown, but when I go to https://name.test I see error message “Your connection is not secure”

    localhost/name/ and shows the basic WP Theme
    localhost/name/wp-admin/ lets me do admin ok.
    name.test loads but then turns into name.test/dashboard

    How can I identify the problem?
    Thanks to everybody that post their ideas and problems, helped me get this far. I am in my late 70’s, things just take longer.
    Regards
    Drachsi

    Reply
    • Drachsi

      I had hoped somebody could have helped me with an answer to my question. Is it so difficult?
      Regards
      Drachsi

      Reply
      • Ian

        Hi Drachsi,
        I’m not a WordPress person ( I roll my own CMS) but it looks like your index.php has a default link to dashboard.

        Look in your index.php for a link with /dashboard in it, comment it out and see if that works.

        Reply
        • Drachsi

          Hi,

          I am trying hard.
          I checked index.php in the main site.test directory, only loads the Theme and wp-blog-header.php

          Then checked in wp-admin and have this index.php

          —-
          code removed by admin. please use github gist/pastebin or other way to display code.
          —-

          https://site.test shows message " Your connection is not secure" clicked on the "advanced" link and message is

          "The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT"

          Hope you can help.
          Regards
          Drachsi

          Reply
    • Ian

      Jerome, if you have only changed your http port from 80 to 7070 because of conflict, it shouldn’t matter.
      Just change ALL references of 80 to 7070, likewise if you have changed the https port number.

      Reply
  22. Drachsi

    I have tried everything, but still get the message
    “The certificate is not trusted because it is self-signed. Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT”

    What did I do wrong? I am using Firefox.
    Regards
    Drachsi

    Reply
    • Ian

      I don’t use FF for actual dev work, only for reviewing so I am just suggesting what you might try.
      You need to add a security exception to Firefox browser.
      I just tried this on one of my test sites and it works perfectly.

      This is what I did:

      Go to Tools > Options > Privacy & Security > Certificates
      Click on View Certificates
      In the Certificate Manager select Servers then Add Exception.
      In the Location field add example.test after the https://
      Click Get Certificate
      Check Permanently store this exception
      then Confirm Security Exception
      Click Ok to exit.

      Reply
    • Ian

      You are looking at the wrong file. What you are looking at is Apache’s default. Forget that file.

      You need to follow David’s script exactly.

      The files you need are in step 3. Also look at Adrian Suter’s solution in the comments.

      Reply
  23. Sudhakar

    Thank you so much for an excellent Tutorial David. After three days of struggle with security certificates and related processes, I found your tutorial and it worked like a charm. I used the model with independently installed Apache server (without XAMPP) on Windows Server 2016.

    Reply
  24. Dario

    I have tried to generate a certificate with a “*” wildcard for ALL subdomains of localhost, but is not working. I have tried:
    [alternate_names]
    DNS.1 = *.localhost
    DNS.2 = myapp.localhost
    DNS.3 = localhost

    In this case it is working for myapp.localhost but not for anotherapp.localhost
    Can this be done? If it can be done… what could be wrong?

    My Apache VirtualHost configuration is as follows (the same for anotherapp.localhost but with another DocumentRoot & Directory):

    DocumentRoot “E:\workspace\myapp\public”
    ServerName myapp.localhost
    ServerAlias localhost (I have tried with *.localhost also)
    SSLEngine on
    SSLCertificateFile “E:\crt\localhost\server.crt”
    SSLCertificateKeyFile “E:\crt\localhost\server.key”
    SSLOptions +StdEnvVars

    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Require all granted

    Thanks in advance!

    Reply
  25. Edwin

    I couldn’t get any of the above to work. I had to do the following corrections then it worked perfectly.

    When you replace both instances of {{DOMAIN}} *do not* leave the brackets. The word and brackets should be replaced with your virtual domain name.

    e.g. “{{DOMAIN}}” becomes “mysite.local”.

    Personally I think it would be clearer without the brackets but perhaps they’re there for a reason.

    If you are converting an existing virtual domain to a secure virtual domain it is also *imperative* to delete the cookies for that domain. You can do this by right clicking on the favicon in the Chrome browser address bar and selecting “cookies”.

    In my case after doing the above it worked.

    You can check if your self signed certificate looks correct by viewing it in certmgr.msc on Windows. That’s how I found out I had brackets in my naming where the other certificates did not.

    Finally I had a problem with PHP not recognising my certificate. If this happens for you, you can fix it by opening php.ini and searching for and commenting out the line that begins with ‘openssl.cafile’. If you read the comments above that line it will recommend you comment it out anyway as PHP will then read your OS certificates which is what you actually want.

    Great tutorial and the only one that got it all working for me.

    Reply
  26. Darius

    You misspelled the word create.
    For your reference: In this step we are going to crate SSL and setup “site.test” website.

    Reply
  27. Andy

    Great tutorial and worked the first time for me. Entering https://site.test/ now in the browser shows the Xampp splash screen.

    Where do I now put my local development website on the computer? Before I added the ssl under http, it used to be in the directory c:\Xampp\htdocs\{mywebsite}. Do I still use the same location?

    Reply
    • Ian

      Yes, the site is in the same place. The only thing changing is the protocol.

      Might I suggest that you did not get it to work first time when you returned the splash screen for xampp. You will get that just by typing localhost into the browser.

      Add your site to c:\Xampp\htdocs\{mywebsite} and retest.

      Reply
  28. Andy

    Ok, my https development site works now, except that the certificate is not valid and I get a red “Not Secure”. I created the certificate as per instructions above for site.test. My website is located in the directory C:\xampp\htdocs\mycbc and I am starting the website with the command /localhost/mycbc/.
    The error message says that the certificate is for site.test and is not valid for the development site I am opening.
    Any suggestions on how to make the certificate valid for my development site?

    Reply
    • Ian

      Andy, I think you may have misunderstood the instructions.

      David used site.test in his instructions only as an example. You need to replace any/all reference to site.test with your own sitename.

      Redo using mycbc.test throughout the script.

      Start the website with mycbc.test or https://mycbc.test

      Good luck

      Reply
  29. Andy

    Interesting, I believe that I followed all the steps correctly, yet:

    When I enter https://localhost/mycbc/, the local website loads, but with a warning that the site is insecure.

    When I enter https://mycbc.test, the local website does not load (instead the default Xampp screen pops up) and a warning that the site is insecure.

    Reply
  30. Stefan

    Hey man, on my Google Chrome it shows it as a secure site (https’s okay), on firefox it doesn’t. When my friend’s trying to connect to it on either chrome/firefox it shows my site as insecure..Do you have any ways of fixing this?
    Thanks in advance!

    Reply
  31. Dan

    3 Things I had to do to get it to work (maybe an update is needed?):
    1.) {{DOMAIN}} got me like others… (as this is a programming construct), REMOVE THE BRACKETS NOT JUST THE WORD DOMAIN LIKE I DID!
    2.) openssl location: I had to change the path in the bat to ..\apache\bin\openssl
    3.) Virtual Host: Had to use the httpd-vhost.conf file instead of the httpd-xampp.conf file the instructions indicate in step 7.
    Nevertheless, thank you for your instructions! Very helpful.

    Reply
  32. Tony

    First I want to say thanks for putting this together. I had a few issues with getting this to work, then I just read the replies and found my answer. Now I just have to get the redirect from http to https to work without having to type in https whenever I want to view my local page development in a secure connection mode.

    Reply
  33. Joshy

    I tried everything it didn’t work, someone help me please. I’m working on a school project right now.

    Reply
  34. Ian

    You’re not being very specific Joshy.
    Did you follow the script exactly?
    What are you putting in the browser?
    What errors are you getting back?

    Reply
    • Robson

      I have just changed the location of openssl since I am not using XAMPP. I am using WAMP 3.1.0 instead.

      Reply
    • Chris Hailey

      Hi,
      I’ve spent hours on this without success.
      Can someone who has got it working post the relevant sections from the critical files? I think that means httpd-vhosts.conf at least & possibly anything else modified. I assume from the comments that httpd-xampp.conf is not actually modified; the changes are to do with virtual hosts.
      My problems are in getting https:// access working, my insecure http:// links work fine, so my basic xampp configuration is working.

      Reply
      • Supermavster

        Hello,

        I want to suggest my software in this publication, you just have to write the domain and the location of your project, after that, everything is automatic.

        Reply
        • Chris

          Hi Supermavster,
          I did visit your site yesterday, but I only speak English & even with the help of Google Translate I was unable to get your downloads.

          Reply
      • Chris

        I eventually got vhosts working, so I append some notes in the hope that they might help others…

        The following notes apply to a 64-bit Windows 10 Home Edition, build 1810, running xampp-win32-7.3.0-0-VC15. These notes detail what I did to get the secure virtual hosts working, having previously configured xampp to work on the laptop.

        The make-cert.bat & cert.conf files work as intended, although I modified my cert.conf to offer several defaults to suit my circumstances. As mentioned by several people, the {{DOMAIN}} marker must be replaced by your actual virtual domain (eg, oak.test).

        The certificate installation process is straightforward enough, but if you have to repeat it for a virtual site then I would first delete the previously created server.crt & server.key files manually.

        The modifications to the hosts file are straightforward, but in Win 10 at least I found that actually saving the file requires that you open the editor in administrator mode even if you are logged in as an administrator user.

        I did not modify the httpd-xampp.conf file as recommended; as stated by several people, I think the information is best provided in the httpd-vhosts.conf file. My additions to that file are given below:
        #——————–
        NameVirtualHost *:80

        ServerAdmin oakAdmin@gmail.com
        ServerName oak.test
        Redirect / https://oak.test/
        ErrorLog “logs/oak-test-error.log”
        CustomLog “logs/oak-test-access.log” common

        ServerAdmin oakAdmin@gmail.com
        ServerName oak.test
        DocumentRoot “D:\dataOak\web”
        SSLEngine on
        SSLCertificateFile “C:/xampp/apache/certs/oak.test/server.crt”
        SSLCertificateKeyFile “C:/xampp/apache/certs/oak.test/server.key”
        ErrorLog “logs/oak-testSSL-error.log”
        CustomLog “logs/oak-testSSL-access.log” common

        ## I’d like to use either localhost and/or oak.test, but it’s one or the other so far 🙁

        ##NameVirtualHost oak.test:80
        #
        # ServerAdmin oakAdmin@gmail.com
        # DocumentRoot “D:/dataOak/web”
        # ServerName localhost
        # SSLEngine on
        # SSLCertificateFile “C:/xampp/apache/certs/localhost/server.crt”
        # SSLCertificateKeyFile “C:/xampp/apache/certs/localhost/server.key”
        # ErrorLog “logs/localhostSSL-error.log”
        # CustomLog “logs/localhostSSL-access.log” common
        #
        #——————–

        There are several points to note regarding the vhosts settings above.
        1. In the end I provided certificate full paths in preference to relative paths
        2. Several people suggested adding ALLOW directives, but I had lots of problems with them, typically the apache server wouldn’t even start. Eventually I removed them all & my installation works as required.
        3. I’d still like to have secure localhost & oak.test vhosts, but in all my testing I only managed to get one or the other working, never both, so I must be doing something wrong.
        4. My vhosts are configured to force secure connections, it’s what I want.

        One general point.
        5. During testing I often thought the set-up was working, but it didn’t survive a reboot, so I did a lot of reboots in the end 🙂 I also think some set-ups didn’t work until after a reboot. In other words, I suspect that stopping/starting the apache server isn’t always sufficient after you have made configuration changes. This behaviour is very frustrating & may partly explain why I had so much difficulty in getting a working configuration.

        Reply
  35. Chris

    I finally got a working configuration, so for the benefit of others still trying:

    The notes apply to a 64-bit Windows 10 Home Edition, build 1810, running xampp-win32-7.3.0-0-VC15. The following notes detail what I did to get the secure virtual hosts working, having previously configured xampp to work on the laptop.

    The make-cert.bat & cert.conf files work as intended, although I modified my cert.conf to offer several defaults to suit my circumstances. As mentioned by several people, the {{DOMAIN}} marker must be replaced by your actual virtual domain (eg, oak.test).

    The certificate installation process is straightforward enough, but if you have to repeat it for a virtual site then I would first delete the previously created server.crt & server.key files manually.

    The modifications to the hosts file are straightforward, but in Win 10 at least I found that actually saving the file requires that you open the editor in administrator mode even if you are logged in as an administrator user.

    I did not modify the httpd-xampp.conf file as recommended; as stated by several people, I think the information is best provided in the httpd-vhosts.conf file. I provide the additions to the file as a separate post.

    During testing I often thought the set-up was working, but it didn’t survive a reboot, so I did a lot of reboots in the end 🙂 I also think some set-ups didn’t work until after a reboot. In other words, I suspect that stopping/starting the apache server isn’t always sufficient after you have made configuration changes. This behaviour is very frustrating & may partly explain why I had so much difficulty in getting a working configuration.

    Reply
  36. Chris

    My additions to the httpd-vhosts.conf file, as promised:
    #--------------------
    NameVirtualHost *:80

    <VirtualHost *:80>
        ServerAdmin oakAdmin@gmail.com
        ServerName oak.test
        Redirect / https://oak.test/
        ErrorLog "logs/oak-test-error.log"
        CustomLog "logs/oak-test-access.log" common
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin oakAdmin@gmail.com
        ServerName oak.test
        DocumentRoot "D:\dataOak\web"
        SSLEngine on
        SSLCertificateFile "C:/xampp/apache/certs/oak.test/server.crt"
        SSLCertificateKeyFile "C:/xampp/apache/certs/oak.test/server.key"
        ErrorLog "logs/oak-testSSL-error.log"
        CustomLog "logs/oak-testSSL-access.log" common
    </VirtualHost>

    ## I’d like to use either localhost and/or oak.test, but it’s one or the other so far 🙁

    ##NameVirtualHost oak.test:80
    #
    # ServerAdmin oakAdmin@gmail.com
    # DocumentRoot "D:/dataOak/web"
    # ServerName localhost
    # SSLEngine on
    # SSLCertificateFile "C:/xampp/apache/certs/localhost/server.crt"
    # SSLCertificateKeyFile "C:/xampp/apache/certs/localhost/server.key"
    # ErrorLog "logs/localhostSSL-error.log"
    # CustomLog "logs/localhostSSL-access.log" common
    #
    #--------------------

    There are several points to note regarding the vhosts settings above.
    1. In the end I provided certificate full paths in preference to relative paths.
    2. Several people suggested adding ALLOW directives, but I had lots of problems with them; typically the Apache server wouldn’t even start. Eventually I removed them all & my installation works as required.
    3. I’d still like to have secure localhost & oak.test vhosts, but in all my testing I only managed to get one or the other working, never both, so I must be doing something wrong.
    4. My vhosts are configured to force secure connections, it’s what I want.

    Reply
  37. Chris

    Well, I’ve tried posting the additions to the vhosts several times but all the posts were blocked. No indication of why so I’m giving up now.

    Reply
  38. Lukas

    Hello, thanks for this tutorial.
    It works in Chrome or Opera but the problem is with FF.
    Even if I add an exception in FF Certifications settings, the padlock is not green – just orange with information about a not secure connection. The site works but it is an incomplete solution.
    Do you know what I can do about it?

    Reply
  39. LeonM

    As others have noted this solution works fine for Chrome and Opera, but not completely for Firefox (it will work if you add a security exception, but shows a yellow warning icon instead of a green padlock).

    I believe the fix is to add a PEM, but I’m not sure how to do that for multiple domains with subdomains.

    My setup is typically like this (many projects):
    # Project 1
    example.test
    http://www.example.test
    es.example.test
    fr.example.test

    # Project 2
    example-two.test
    http://www.example-two.test
    es.example-two.test
    fr.example-two.test

    If anyone knows how to add a PEM for this scenario please post a gist.

    Reply
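For the multi-domain part of the question above, an added example (not part of the original comment thread or the tutorial's files): it plans the subjectAltName list for one project and checks that every hostname is covered, since a wildcard entry stands for exactly one left-most label and so does not cover the bare domain. The function names are hypothetical, the section names in the generated config are arbitrary, and the output is assumed to be passed to `openssl req -x509 -config`.

```python
def san_matches(pattern, host):
    """Match a SAN dNSName against a hostname: '*' stands for exactly one
    left-most label, and (conservative rule) never sits directly under a TLD."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def plan_sans(hosts):
    """Bare domains are listed as-is; subdomains collapse into one wildcard."""
    sans = []
    for host in hosts:
        labels = host.lower().split(".")
        entry = host.lower() if len(labels) < 3 else "*." + ".".join(labels[1:])
        if entry not in sans:
            sans.append(entry)
    return sans

def uncovered(hosts, sans):
    """Hostnames that no SAN entry matches (these would fail validation)."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

def openssl_conf(common_name, sans):
    """Render a config for a self-signed certificate carrying the SAN list."""
    lines = ["[req]", "prompt = no", "default_bits = 2048",
             "distinguished_name = dn", "x509_extensions = ext", "",
             "[dn]", f"CN = {common_name}", "",
             "[ext]", "subjectAltName = @alt_names", "", "[alt_names]"]
    lines += [f"DNS.{i} = {s}" for i, s in enumerate(sans, 1)]
    return "\n".join(lines) + "\n"

# Hostnames of "Project 1" from the comment above.
PROJECT_1 = ["example.test", "www.example.test",
             "es.example.test", "fr.example.test"]

if __name__ == "__main__":
    sans = plan_sans(PROJECT_1)
    print("wildcard alone misses:", uncovered(PROJECT_1, ["*.example.test"]))
    print("planned list misses:  ", uncovered(PROJECT_1, sans))
    print(openssl_conf(PROJECT_1[0], sans))
```

Run it once per project to get one certificate per project; hostnames more than one level below the domain each add their own wildcard entry.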
  40. amar

    Works well for me, on Windows 10 Pro 1809 (OS Build 17763.316); Using xampp 7.3.2 / PHP 7.3.2

    Reply
  41. Alcides

    In case it’s worth it, step 7 pasted in httpd-vhosts.conf instead of httpd-xampp.conf worked for me. Thanks a lot, very useful post.

    Reply
  42. Bronwyn

    Worked without any issues. This is something I had been struggling with for a while, thank you!

    Reply
  43. likhith

    Hello,
    I followed the same steps, but after completion of make-cert, the folder site.test is created, but inside the site.test folder, instead of server.crt, only a server file is created. Can anyone please help me?

    Reply
  44. likhith

    Hello,
    I followed the same steps, but after completion of make-cert, the folder site.test is created, but inside the site.test folder, instead of server.crt, only a server file is created. Can anyone please help me to solve this?

    Reply
  45. Leo

    I got no successful result until I found the second {{DOMAIN}} by your post!
    It is working well now 😀

    Reply
  46. Dennis

    Great tutorial but I struggled for a few hours to get this to work.

    If the above info does not work for you, you might want to try this one?

    In the post the settings are:

    <VirtualHost *:80>
        DocumentRoot "E:/xampp/htdocs"
        ServerName test.local
        ServerAlias *.test.local
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot "E:/xampp/htdocs"
        ServerName test.local
        ServerAlias *.test.local
        SSLEngine on
        SSLCertificateFile "crt/to.local/server.crt"
        SSLCertificateKeyFile "crt/test.local/server.key"
    </VirtualHost>

    When I used the above code, I was taken to the xampp dashboard when visiting my site but adding my domain to DocumentRoot I was able to access my site.

    You might have to add your domain into the DocumentRoot as follows:

    <VirtualHost *:80>
        DocumentRoot "E:/xampp/htdocs/test.local"
        ServerName test.local
        ServerAlias *.test.local
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot "E:/xampp/htdocs/test.local"
        ServerName test.local
        ServerAlias *.test.local
        SSLEngine on
        SSLCertificateFile "crt/to.local/server.crt"
        SSLCertificateKeyFile "crt/test.local/server.key"
    </VirtualHost>

    As I have the latest xampp (when this is written, XAMPP for Windows 7.3.4) I got a 500 error when accessing the https://localhost/dashboard/ after adding the code into both these files

    C:\xampp\apache\conf\extra\httpd-xampp.conf
    We need to add test domain in
    C:\xampp\apache\conf\extra\httpd-vhosts.conf

    I added into:
    E:\xampp\apache\conf\extra\httpd.conf
    and got my xampp dashboard back.

    Also, on line 10 in the “make cert”, you might want to extend your cert up to 10 years by changing the days from 365 to 3652, or you might have to run this process again in one year!

    Thanks for this great tutorial.

    Reply
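Vhost blocks pasted from a web page into httpd-vhosts.conf can carry typographic quotes, which Apache reads as literal characters of the path, and path slips that leave the certificate and key pointing at different folders. The check below is an added example, not part of the tutorial or of any comment; the function names are hypothetical and the sample config is constructed, modelled on the snippets posted in the comments.

```python
import re
from pathlib import PureWindowsPath

CURLY = "\u201c\u201d\u2018\u2019"          # typographic quotes left by blog software
BLOCK = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    """Yield (name, argument) for every non-comment directive line."""
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def folder(arg):
    """Directory part of a quoted path argument."""
    return PureWindowsPath(arg.strip('"' + CURLY)).parent

def lint_vhosts(conf):
    """Return one finding per problem in the <VirtualHost> blocks of conf."""
    findings = []
    for addr, body in BLOCK.findall(conf):
        d = dict(directives(body))
        where = f"{d.get('servername', '(no ServerName)')} [{addr.strip()}]"
        for name, arg in d.items():
            if any(c in arg for c in CURLY):
                findings.append(f"{where}: typographic quotes in {name}")
        if d.get("sslengine", "").lower() == "on":
            cert, key = d.get("sslcertificatefile"), d.get("sslcertificatekeyfile")
            if not (cert and key):
                findings.append(f"{where}: SSLEngine on without certificate and key")
            elif folder(cert) != folder(key):
                findings.append(f"{where}: certificate and key are in different folders")
    return findings

# Constructed sample input.
SAMPLE = """
<VirtualHost *:80>
    ServerName test.local
    DocumentRoot “E:/xampp/htdocs/test.local”
</VirtualHost>
<VirtualHost *:443>
    ServerName test.local
    SSLEngine on
    SSLCertificateFile "crt/to.local/server.crt"
    SSLCertificateKeyFile "crt/test.local/server.key"
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(lint_vhosts(SAMPLE)))
```

A certificate and key kept in different folders is only flagged as suspicious here because make-cert.bat writes server.crt and server.key into the same domain folder.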
