Setup HTTPS in XAMPP

Notes: This page seems to be getting quite a few hits on this site. Note that while the instructions are written for ADAM’s purposes, they will give you a general outline for getting HTTPS to work over XAMPP. This guide has been written for XAMPP 1.7.2. This is not the latest version of XAMPP.

Using an external Certification Authority

This section assumes that you are going to use an external Certification Authority. If you would rather use your domain server, there are separate instructions below.

Create a private key and certificate signing request

Within the \xampp\apache\ folder is a batch file called makecert.bat. Run this file and enter the following information which will appear in your certificate. Note that you cannot change it after this, so please enter it properly!

  1. Provide a new pass phrase for your key. You will need to remember this if anything goes wrong with your certificate or you need to reinstall. Put it somewhere safe.
  2. Verify the pass phrase by retyping it
  3. Enter a country code. This will typically be ZA
  4. Enter a province name. This will typically be something like Gauteng or KwaZulu-Natal
  5. Enter your city name. This can be anything, such as Midrand or Franschhoek
  6. Enter your full school name. This might be something like Midvale School
  7. You can leave the Organizational unit blank if you like. However, if you have multiple schools (and hence installations of ADAM) within a single school entity, you might want to put something like Girls College or Preparatory School here
  8. The common name is not your name as suggested, but rather the common name of the website you are securing (the utility that is generating the certificate can also generate personal certificates, hence this prompt). This is likely to be something like adam.midvale.co.za
  9. Enter in a general contact e-mail address here, typically something like info@midvale.co.za
  10. You can leave the challenge password blank
  11. You can leave the optional company name blank
  12. Enter the pass phrase that you entered at the start of the process.

XAMPP has now copied the relevant files into folders in the \xampp\apache\conf\ folder. You will need to access the files stored in these folders when you submit your certificate signing request to the Certification Authority.

Submitting the Certificate Signing Request

Each Certification Authority has different requirements for their signing. However, all of them will need access to the contents of the file that contains the Certificate Signing Request. This file is located in the folder \xampp\apache\conf\ssl.csr.

You might be required to upload the CSR file OR to paste its contents into part of your application process. If you need to do the latter, open the server.csr file in WordPad (Notepad does not display this file correctly).

Installing the Certificate

The CA will then provide you with a signed certificate. Copy the certificate text, including the start and end markers (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), into a Notepad window. Save this file over the existing file in the folder \xampp\apache\conf\ssl.crt\.

Installing the Certificate Chain

You will also likely be provided with an intermediate CA Certificate Chain. This should also be saved in the same folder \xampp\apache\conf\ssl.crt\. Call it server-ca.crt.
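A quick way to confirm that the saved files survived the copy-and-paste step, as an added example that is not part of the original guide: it checks a .crt file for a byte-order mark or UTF-16 encoding introduced by the text editor, for the BEGIN/END markers, and for a base64 body that decodes to DER-shaped data. The sample input is constructed inside the script and is not a real certificate; the function names are hypothetical.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def check_pem(raw: bytes) -> list:
    """Return problems found in a saved .crt file; an empty list means it looks sane."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return ["file is UTF-16; re-save it with ANSI encoding"]
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        # A BOM before the first dash can stop the start marker being recognised.
        problems.append("UTF-8 byte-order mark at start of file")
    text = raw.decode("ascii", errors="replace")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no BEGIN/END CERTIFICATE block found")
    for number, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {number}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 DER starts with a SEQUENCE tag
            problems.append(f"certificate {number}: not DER-encoded data")
    return problems

def sample_pem() -> bytes:
    # Constructed stand-in with a DER-like header; NOT a real certificate.
    body = base64.encodebytes(b"\x30\x82\x01\x00" + bytes(256)).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body
            + "-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    good = sample_pem()
    print(check_pem(good))                     # clean file
    print(check_pem(b"\xef\xbb\xbf" + good))   # saved as UTF-8 with BOM
    print(check_pem(good.split(b"\n", 1)[1]))  # BEGIN line lost when copying
```

To check the real files, pass the bytes of server.crt or server-ca.crt to check_pem(); a chain file containing several certificates is checked block by block.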

Apache will need to be told about the intermediate CA certificate. To do this open the configuration file httpd-ssl.conf which appears in the \xampp\apache\conf\extra\ folder.

  1. Search the file for the text SSLCertificateChainFile
  2. Modify that line so that it does not begin with a ‘#’ and so that the filename contained in the “quotes” points to the new file you have created above. If you called the file server-ca.crt as suggested, then you should only find yourself removing the ‘#’.

You are now ready to continue below with the General Instructions for Apache.

Using a Domain Certification Authority

Instructions to generate the certificate in Windows are not provided.

However, the certificate must be converted to one that Apache can understand. To this end, export the certificate to PFX format. Instructions can be found on Open Source Tutor or with the following Google search.

If you use the Open Source Tutor link above, the two resulting files, apache.key and apache.cert.pem, need to be saved as \xampp\apache\conf\ssl.key\server.key and \xampp\apache\conf\ssl.crt\server.crt respectively.

General Instructions for Apache

XAMPP is configured, by default, to provide secure access to the same folder as it provides insecure access. This in itself is a common practice with sites around the web. However, we can configure Apache to force visitors to the secure site. This guide assumes you do not have any virtual hosts configured. If you do, you will have to find the relevant parts in the conf\extra\httpd-vhosts.conf file also.

Create separate secure and insecure locations

In the Apache web root folder (normally \xampp\htdocs) create two subfolders secure and insecure. Move all contents of the web root into the secure subfolder.

In the insecure subfolder create a file called index.php with the following contents:

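<?php
// Send visitors who arrive over plain HTTP to the HTTPS site.
header("Location: https://adam.midvale.co.za/");
exit; // stop here so nothing else is sent after the redirect header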

Remember to substitute your domain for midvale. When accessed, this file will force a re-direction to the https site.

Change Apache configuration

  1. Open the httpd.conf file within the \xampp\apache\conf folder.
  2. Find the line that reads DocumentRoot "C:/xampp/htdocs" and change it to read DocumentRoot "C:/xampp/htdocs/insecure".
  3. Open the httpd-ssl.conf file that appears in the \xampp\apache\conf\extra folder.
  4. Find the line that reads DocumentRoot "C:/xampp/htdocs" and change it to read DocumentRoot "C:/xampp/htdocs/secure".
  5. Restart Apache.

Apache will now direct any requests to port 80 to the insecure folder and any requests to port 443 to the secure folder. Additionally, if you have added the index.php file to the insecure folder, then any requests to the insecure folder will be automatically redirected to the secure folder.
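A small checker for the edits this guide makes to Apache's configuration, as an added example that is not part of the original guide or of XAMPP: it reads only active (uncommented) directives and reports whether the DocumentRoot split and the SSLCertificateChainFile line are in place. The configuration snippets are constructed samples based on the paths used above, the function names are hypothetical, and the chain-file check assumes you followed the external Certification Authority route.

```python
def active_directives(conf_text: str) -> dict:
    """Map lower-cased directive name -> list of values, skipping comments and tags."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "<")):
            continue
        found.setdefault(parts[0].lower(), []).append(parts[1].strip().strip('"'))
    return found

def check_setup(httpd_conf: str, ssl_conf: str) -> list:
    """Return the steps of this guide that have not been applied yet."""
    http, ssl = active_directives(httpd_conf), active_directives(ssl_conf)
    http_root = (http.get("documentroot") or [""])[0].rstrip("/")
    ssl_root = (ssl.get("documentroot") or [""])[0].rstrip("/")
    problems = []
    if not http_root.endswith("/insecure"):
        problems.append("httpd.conf DocumentRoot is not the insecure folder")
    if not ssl_root.endswith("/secure"):
        problems.append("httpd-ssl.conf DocumentRoot is not the secure folder")
    if "sslcertificatechainfile" not in ssl:
        problems.append("SSLCertificateChainFile is still commented out")
    return problems

# Constructed samples: the relevant lines before and after following the guide.
HTTPD_BEFORE = 'DocumentRoot "C:/xampp/htdocs"\n'
HTTPD_AFTER = 'DocumentRoot "C:/xampp/htdocs/insecure"\n'
SSL_BEFORE = '''<VirtualHost _default_:443>
DocumentRoot "C:/xampp/htdocs"
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
#SSLCertificateChainFile "conf/ssl.crt/server-ca.crt"
</VirtualHost>
'''
SSL_AFTER = SSL_BEFORE.replace('"C:/xampp/htdocs"', '"C:/xampp/htdocs/secure"') \
                      .replace("#SSLCertificateChainFile", "SSLCertificateChainFile")

if __name__ == "__main__":
    for label, pair in (("before", (HTTPD_BEFORE, SSL_BEFORE)),
                        ("after", (HTTPD_AFTER, SSL_AFTER))):
        print(label, check_setup(*pair))
```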