Configure SSL on XAMPP and windows


If you don’t have encryption enabled on a password protected folder, the password will be sent in cleartext, meaning that it can be seen by anyone using a network sniffer. It is a good idea to encrypt the transmission of these passwords. There are 2 steps to this process: first we need to create SSL certificates, and then we need to make sure that the password protected pages are only accessed with encryption. It’s also a good idea to import your certificates into any browsers on all machines that you plan to use to access your server, otherwise you’ll get a warning about an untrusted certificate authority.

Create SSL Certificate

In order to enable the encryption of your password, you must create an SSL certificate (containing your public key) and a server private key. XAMPP provides a default certificate/key that can be used, but it is better to create a new one since the default key is available to anyone who downloads XAMPP. If someone knows your key, they can decrypt your packets.

XAMPP provides a batch file for creating a new certificate/key with random encryption keys. To execute this batch file, do the following:

  1. Open a command window (Start->Run, type “cmd” and press “OK”)
  2. cd c:\xampp\apache
  3. makecert

You will then see this:

C:\xampp\apache>newcert
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............................++++++
.....................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:

Enter in a pass phrase for decrypting your private server key, and press Enter. Write down this passphrase so you don’t forget it. Now you will be asked to verify it:

Verifying - Enter PEM pass phrase:

Enter your passphrase a second time and hit Enter. Now, you’ll see this:

-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:

Enter in your 2 letter country code. You’ll be asked for a few more items (shown below). Enter what you think is most appropriate, but stop when you are asked for “Common Name”.

State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Rob's Great Company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:

For “Common Name”, you need to enter in the DNS name or IP address of your website. The name that you enter in here will need to match the server name that is entered into the browser that is accessing the page. It is important that this common name match the address that goes into a browser, otherwise you will get extra warnings when navigating to your secure web pages. If you are running this website over the public internet on an IP address that changes sometimes, you can use a Dynamic DNS service such as dyndns.org to get a free domain name that always points to your server. After you enter in the “Common Name”, you are asked for more information. Fill in what you think is appropriate, but it is OK to just hit ENTER to accept the defaults. Eventually, you will be asked for the pass phrase for privkey.pem:
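The Common Name rule above is what produces the “issued for a different website’s address” warning: the browser compares the name in the certificate with the host it was asked to connect to. The following Python is an added example, not part of the original post, that implements a simplified version of that comparison (case-insensitive DNS labels, a single leading wildcard label, and IP literals that only ever match the same IP). Modern browsers read the name from the certificate’s Subject Alternative Name extension rather than the CN, but the matching rule is the same. All host names and addresses in it are constructed sample values.

```python
import ipaddress


def _is_ip(value):
    """True if value is an IPv4/IPv6 literal (without URL brackets)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_name_matches(cert_name, requested_host):
    """Case-insensitive label-by-label comparison. The only wildcard form
    browsers accept is '*' as the entire leftmost label (e.g. *.example.com),
    and it must leave at least two real labels so it cannot cover a bare TLD."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = requested_host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def name_matches(cert_name, requested_host):
    """Does the name in the certificate cover the host typed into the browser?

    cert_name      -- the Common Name (or SAN entry) the certificate was issued for
    requested_host -- the host part of the URL the browser is loading
    """
    if _is_ip(cert_name) or _is_ip(requested_host):
        # An IP literal never matches a DNS name, and vice versa; two IPs
        # must be the same address (this also normalises IPv6 spelling).
        return (_is_ip(cert_name) and _is_ip(requested_host)
                and ipaddress.ip_address(cert_name) == ipaddress.ip_address(requested_host))
    return _dns_name_matches(cert_name, requested_host)


if __name__ == "__main__":
    # Constructed cases: a cert made for a Dynamic DNS name, then browsed to
    # via "localhost" (mismatch) and via the DNS name in different case (match).
    for cert, host in [("myserver.dyndns.org", "localhost"),
                       ("myserver.dyndns.org", "MyServer.DynDNS.org"),
                       ("192.168.1.10", "localhost")]:
        print(f"cert={cert!r:24} url host={host!r:22} match={name_matches(cert, host)}")
```

The practical reading: if you generate the certificate for an IP address and then browse to `https://localhost/`, every browser will warn, because no rule lets an IP literal stand in for a name.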


Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Enter pass phrase for privkey.pem:

Enter the pass phrase that you created earlier, and now you will see this:


writing RSA key
Loading 'screen' into random state - done
Signature ok
subject=/C=xx/ST=xx/L=xxxx/O=xxx/CN=commonname
Getting Private key
-----
Das Zertifikat wurde erstellt.
The certificate was provided.
Press any key to continue . . .

C:\xampp\apache>

You are now finished creating your SSL certificate and private key. The makecert.bat script will move your server private key and certificate into the appropriate directories for you.

Import the certificate into the browser for each client

Since this certificate is self signed, and is not signed by a well known Certificate Authority (CA), when you browse to the protected pages you’ll get a warning. To turn off this warning, the certificate should be imported as a trusted CA into any browsers that you will use to access your server.

Importing the certificate into IE 7

Here are the steps to import the certificate into IE 7:

Tools->Internet Options
Content Tab->Certificates Button
Trusted Root Certification Authorities Tab->Import Button

Now you’ll see the “Certificate Import Wizard”
Click Next
Provide file name: c:\xampp\apache\conf\ssl.crt\server.crt
Click Next
Leave default to Place all Certificates in Certificate store: Trusted Root Certification Authorities, and click Next
Click Finish

Importing the certificate into Firefox 2:

Here are the steps to import the certificate into Firefox 2:

Tools->Options
Advanced->Encryption Tab->View Certificates Button
Authorities Tab->Import Button
Select file: c:\xampp\apache\conf\ssl.crt\server.crt, and click “Open”
Check “Trust this CA to identify web sites”
Click “OK”
Click “OK” in Certificate manager
Click “OK” In original Options window to get back into Firefox

Edit Apache config for encryption only access to password protected folders.

Now we will instruct Apache to serve the password protected folders with SSL encryption exclusively. This is done in 2 steps. First, we set up the Apache config files for these folders to say they can only be accessed with SSL encryption. Next, we redirect any “http” traffic to these pages to “https” (this is optional).

Make folders accessible with SSL encryption only

First, we need to inform Apache that the folders you want to encrypt should always use encryption (and never go in the clear). This is accomplished by putting an SSLRequireSSL directive inside of each desired <Directory> listing in the config files (it is OK to put it at the end, just before the </Directory>). The SSLRequireSSL line in the snippet below is the one to add.

Alias /web_folder_name "C:/xampp/foldername"

<Directory "C:/xampp/foldername">
SSLRequireSSL
</Directory>

I suggest doing this for the following folders (if you still have them):

  • Config File: c:\xampp\apache\conf\extra\httpd-xampp.conf
    • c:\xampp\phpmyadmin
    • c:\xampp\htdocs\xampp
    • c:\xampp\webalizer
    • c:\xampp\security\htdocs
  • Config File: c:\xampp\webdav
    • c:\xampp\webdav
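With several config files and several <Directory> blocks to edit, it is easy to miss one, and a missed block is exactly a folder whose password still crosses the wire in cleartext. The script below is an added example (not part of the original post or of XAMPP) that scans Apache config text for <Directory> blocks that demand a password (an AuthType directive) but carry no SSLRequireSSL. The config it runs on is a constructed sample in the style of httpd-xampp.conf; point `find_unencrypted_auth_dirs` at the real file contents to audit your own installation.

```python
import re

# Constructed sample config (modelled on httpd-xampp.conf, not the real file):
# phpMyAdmin is protected and SSL-only, webalizer is protected but still
# reachable over plain http, and the img folder is public.
SAMPLE_CONF = """\
Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
<Directory "C:/xampp/phpMyAdmin">
    AuthType Basic
    AuthName "xampp user"
    AuthUserFile "C:/xampp/security/xampp.users"
    Require valid-user
    SSLRequireSSL
</Directory>

Alias /webalizer "C:/xampp/webalizer/"
<Directory "C:/xampp/webalizer">
    AuthType Basic
    AuthName "xampp user"
    AuthUserFile "C:/xampp/security/xampp.users"
    Require valid-user
    # SSLRequireSSL     <- commented out, so it does not count
</Directory>

Alias /img "C:/xampp/htdocs/img/"
<Directory "C:/xampp/htdocs/img">
    Require all granted
</Directory>
"""

# Matches <Directory "path"> ... </Directory>, with or without quotes.
DIRECTORY_BLOCK = re.compile(
    r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
    re.IGNORECASE | re.DOTALL,
)


def find_unencrypted_auth_dirs(conf_text):
    """Return the paths of <Directory> blocks that have an AuthType directive
    but no active SSLRequireSSL, i.e. places where Basic-auth credentials
    would still be accepted over plain http."""
    findings = []
    for path, body in DIRECTORY_BLOCK.findall(conf_text):
        # Drop blank and commented-out lines; Apache ignores them as well.
        active = [ln.strip() for ln in body.splitlines()
                  if ln.strip() and not ln.strip().startswith("#")]
        has_auth = any(ln.lower().startswith("authtype") for ln in active)
        has_ssl = any(ln.lower() == "sslrequiressl" for ln in active)
        if has_auth and not has_ssl:
            findings.append(path)
    return findings


if __name__ == "__main__":
    # Read the real file instead with: open(r"c:\xampp\apache\conf\extra\httpd-xampp.conf").read()
    for path in find_unencrypted_auth_dirs(SAMPLE_CONF):
        print(f"password protected but NOT SSL-only: {path}")
```

Run it against each config file listed above; an empty result means every password protected block also insists on SSL.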

Redirect “http” to “https” for certain folders

This next optional step is to redirect “http” requests to “https” requests for the pages we want to secure. This is more user friendly and allows you to still type http in the address (and automatically switch to https:// and encryption). If you don’t do this, and you used SSLRequireSSL, you will only be able to access these pages by typing https://. This is fine and probably a little bit more secure, but is not so user friendly. To accomplish the redirection, we will use mod_rewrite so that we don’t have to use the server name in this part of the config file. This keeps the number of places in the config files where the server name is written small (making your config files more maintainable).

First, we need to make sure that mod_rewrite is enabled. To do this, edit c:\xampp\apache\conf\httpd.conf and get rid of the comment (# character) in this line:

#LoadModule rewrite_module modules/mod_rewrite.so

to make it look like this:

LoadModule rewrite_module modules/mod_rewrite.so

Now, paste the following text into the top of c:\xampp\apache\conf\extra\httpd-xampp.conf:

<IfModule mod_rewrite.c>
RewriteEngine On

# Redirect /xampp folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} xampp
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

# Redirect /phpMyAdmin folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} phpmyadmin
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

# Redirect /security folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} security
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]

# Redirect /webalizer folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} webalizer
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
</IfModule>

If you have other folders you want to redirect to https://, add the generic text below (but substitute your folder name):

# Redirect /folder_name folder to https
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} folder_name
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
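The second RewriteCond in each block is an unanchored regular expression, so a bare word such as `security` fires for any request whose path contains that word, not only for the /security folder. That is harmless here (a stray request is merely redirected to https), but it is worth understanding before copying the generic block for your own folders. The Python below is an added example, not part of the original post or of mod_rewrite, that emulates the three-line rule so you can see which request paths each pattern catches; the paths in it are constructed samples, and it also shows an anchored pattern of the form `^/folder_name(/|$)` as the tighter alternative.

```python
import re


def would_redirect(request_uri, https_on, uri_pattern):
    """Emulate one block from the post:
         RewriteCond %{HTTPS} !=on
         RewriteCond %{REQUEST_URI} <uri_pattern>
         RewriteRule ^(.*) https://%{SERVER_NAME}$1 [R,L]
    Both conditions must hold for the rule to fire."""
    if https_on:                      # %{HTTPS} is the string "on" over SSL
        return False
    # A RewriteCond pattern is a regex *search*, not a whole-string match.
    return re.search(uri_pattern, request_uri) is not None


def redirect_target(request_uri, server_name):
    """^(.*) captures the whole path, so $1 is request_uri unchanged."""
    return "https://" + server_name + request_uri


def classify(uri_pattern, request_uris, https_on=False):
    """Map each sample path to whether the block would redirect it."""
    return {uri: would_redirect(uri, https_on, uri_pattern) for uri in request_uris}


# Constructed sample request paths.
SAMPLE_URIS = [
    "/security/",
    "/security/index.php",
    "/mysecurityblog/post.html",     # contains the word, not the folder
    "/docs/security-tips.html",      # same
    "/",
]

if __name__ == "__main__":
    for pattern in ["security", r"^/security(/|$)"]:
        print(f"pattern {pattern!r}:")
        for uri, hit in classify(pattern, SAMPLE_URIS).items():
            target = redirect_target(uri, "localhost") if hit else "(no redirect)"
            print(f"  {uri:32} -> {target}")
```

Note that the post’s `xampp` pattern also matches any path containing the word, which for a stock XAMPP install is usually just /xampp itself. The query string does not appear in %{REQUEST_URI}; mod_rewrite appends the original query string to the redirect target on its own when the substitution contains no `?`, so these rules preserve it.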

That’s it! Isn’t it very simple, a 10 min job :)

11 thoughts on “Configure SSL on XAMPP and windows”

  1. Hi Jaswant, Thanks for the information. Your tutorial is so simple and easy that now things look to me just a click away. I appreciate your efforts for providing these information bytes in such a simple way to developer community. :)

  2. I would like to secure the site with a certificate but not have the certificate made available.
    I want it to be manually installed, make the site unavailable to the world.

    The concept being, some folders having admin tools, I want those to be SSL and require a private self-signed cert.
    I would provide the cert. only to the proper people, others won’t even see the page.

    There is something like this in IIS, I’m sure Apache has the equivalent, authorization by certificate?

    Thanks,

  3. Pingback: how to change http to https - SitePoint Forums

  4. Hello,
    I am trying to redirect “http” to “https”. I successfully followed the steps to create SSL Certificate as per this website:
    However, it seems that it didn’t work. I am still getting the following error messages:
    For IE browser:
    There is a problem with this website’s security certificate.
    The security certificate presented by this website was not issued by a trusted certificate authority.
    The security certificate presented by this website was issued for a different website’s address.

    For Firefox browser:
    This web site does not supply ownership information .

    Do I need to buy SSL Certificates?
    Appreciate your suggestions.

    Thanks.

  5. Hey there, I have a Joomla install with Xampp on a Windows machine and I’ve noticed a critical vulnerability with SSL 2.0 that is installed. Do you know of a way up update SSL to 3.0 without killing my install & configuration?

    Thanks.

  6. Simply do this
    1. First stop your Apache service
    2. Find libeay32.dll and ssleay32.dll in xampp\php\ folder, and copy it into xampp\apache\bin\ folder. Just overwrite the older files in there.
    3. Edit php.ini file in xampp\apache\bin, remove the semicolon in “;extension=php_openssl.dll”
    4. Start the Apache service

    for XAMPP 1.7….
    edit the php.ini by adding extension=php_openssl.dll on the ; Dynamic Extensions ; section

  7. I am so sorry but I don’t understand this part:
    Make folders accessible with SSL encryption only

    There are a lot of config files in there. Which file should I specifically change?

  8. I tried to follow the steps. But I am not able to enter the PEM pass phrase. It is not taking my input to the screen. Please help.

    Thanks in advance

  9. Pingback: XAMPP and SSL - https://localhost on browser - insecure certificate | BlogoSfera
