This has been tested with XAMPP (PHP 8.2) on Windows 11 and Mac Sequoia.
Open php.ini by clicking the Config button on the XAMPP control panel.
In this ini file a semicolon (;) is used to comment out a line. We want to use the openssl library, so we have to make sure the line for openssl is not commented out.
Remove the semicolon (;) in front of this line, if there is one:
extension=php_openssl.dll
Search for "date.timezone". Make this your timezone. I have chosen Europe/London as a standard. Check this page for your timezone (http://php.net/manual/en/timezones.php)
date.timezone=Europe/London
(Optional) Now uncomment this to be able to debug:
zend_extension="C:\xampp\php\ext\php_xdebug.dll"
Save.
Now, open: httpd.conf
Make sure that this is uncommented (no hashtag # in front)
LoadModule rewrite_module modules/mod_rewrite.so
Save.
Create a new file in the xampp/apache/ directory called v3.ext.
The location on Mac is /Applications/XAMPP/xamppfiles/etc/. Make a directory called ssl to keep things organized.
Paste the following contents in it:
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
# IP literals are matched against IP-type entries, so list the address as one too
IP.1 = 127.0.0.1
We have configured https to run on the 'localhost' domain and the 127.0.0.1 IP address. More entries can be added here if you want to set up https on more domains, for example DNS.3 = example.com
After saving the file above, open makecert.bat in the same directory in a code editor. Add -extfile v3.ext to the end of line 9. It looks like this:
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650 -extfile v3.ext
Save and open the makecert.bat file by double clicking on it. A cmd window will open.
Open a Terminal window and navigate to the ssl directory we created above.
Enter this command:
openssl req -new -out server.csr
Now you should see this:
Generating a 1024 bit RSA private key
............................++++++
.....................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Enter a password for decrypting your private server key, and press Enter. Note this password, you will need it later.
It will say:
Verifying - Enter PEM pass phrase:
Enter the passphrase again and press Enter. Now you will see this:
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
We have entered London in our timezone so I am choosing the 2 letter code GB (for United Kingdom). You can find yours here: http://www.worldatlas.com/aatlas/ctycodes.htm
You can skip all fields here by pressing Enter, except Common Name. They are not necessary for the certificate to work.
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
For Common Name enter localhost. It is important that this common name matches the address that goes into a browser, otherwise you will get extra warnings when navigating to your secure web pages. In our case this would be 'localhost'. Additional domains can be configured in v3.ext above.
Continue with the remaining fields. Everything is optional, including the challenge password:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Enter pass phrase for privkey.pem:
Now enter the password that you chose earlier. The script should succeed with a message like this:
writing RSA key
Signature ok
subject=/C=GB/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
Getting Private key
1 file(s) moved.
1 file(s) moved.
-----
Das Zertifikat wurde erstellt.
The certificate was provided.
Press any key to continue . . .
You are now finished creating your SSL certificate and private key. The makecert.bat script will move your server private key and certificates into the appropriate directories for you.
Generate a private and server key by entering the following 3 commands one by one in a terminal:
openssl genrsa -out privkey.pem 2048
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650 -extfile v3.ext
Now you have all the files needed in the ssl directory. Open xamppfiles/etc/extra/. Edit the file httpd-ssl.conf
Edit SSLCertificateFile. This should point to ssl/server.crt
Edit SSLCertificateKeyFile. This should point to ssl/server.key
Save and close the file.
Now go to the Start menu, search for Manage Computer Certificates and open it.
Double click "Trusted Root Certification Authorities". Right click "Certificates", choose All Tasks -> Import...
Click Next.
It will ask to choose the certificate file. Click Browse and choose C:\xampp\apache\conf\ssl.crt\server.crt
Click Next. Next again, then Finish.
This will bring up a message. Click Yes. Then it should say Import was successful. Click OK.
Open Keychain Access by searching for it in Spotlight. In the sidebar, make sure login is selected, not System. Drag the server.crt file into the main window to import the certificate.
Open the certificate by double clicking on it (localhost). Expand Trust and set the option "When using this certificate" to "Always Trust". Then close the window.
Open httpd-ssl.conf from the control panel. Find the line # General setup for the virtual host. Under it, make sure the DocumentRoot is correct. If you changed your DocumentRoot before for http, you will need to update this here. In the next line change www.example.com to localhost. Here's how it looks for me:
DocumentRoot "D:/Projects"
ServerName localhost:443
I just stopped the Apache and MySQL services from XAMPP Control Panel, and when they stopped, I started them again.
This should now enable https on localhost.
Now access https://localhost in your browser.
We chose to create a certificate for 10 years (-days 3650) in makecert.bat, however you can choose the expiration date as you wish. When the certificate expires, the browser will give you warnings about localhost not being secure. It is then time to renew the certificate.
Go to Manage Computer Certificates and delete any certificates you previously created. The Issued by and/or Issued for column should say 'localhost'.
Repeat steps 2 through 4 to create a new certificate. You shouldn't need to edit any files this time. Just run makecert.bat and take it from there.
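A newly created or renewed server.crt and server.key can be checked from a terminal before they are imported and trusted, using only openssl subcommands. This is an added example, not part of the original tutorial; check_cert and make_demo_cert are hypothetical helper names, and the 2048-bit and 30-day thresholds are assumptions.

```shell
#!/bin/sh
# Added example; check_cert and make_demo_cert are hypothetical helper names.

# check_cert CRT KEY: print findings, return non-zero if any check FAILs.
check_cert() {
    crt=$1; key=$2; rc=0
    text=$(openssl x509 -in "$crt" -noout -text) || return 2
    # Browsers match the host against SAN entries, not the Common Name.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
    case $san in
        *DNS:localhost*) echo "ok   SAN has DNS:localhost" ;;
        *) echo "FAIL SAN has no DNS:localhost"; rc=1 ;;
    esac
    case $san in
        *"IP Address:127.0.0.1"*) echo "ok   SAN has IP Address:127.0.0.1" ;;
        *) echo "warn no IP-type SAN entry for 127.0.0.1" ;;
    esac
    # RSA modulus size as printed by openssl, e.g. "Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -ge 2048 ]; then echo "ok   key is $bits bit"
    else echo "FAIL key is ${bits:-?} bit, want >= 2048"; rc=1; fi
    # The certificate must carry the public half of the key Apache will load.
    cpub=$(openssl x509 -in "$crt" -noout -pubkey)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=
    if [ -n "$kpub" ] && [ "$cpub" = "$kpub" ]; then echo "ok   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
        echo "ok   valid for at least 30 more days"
    else echo "FAIL expires within 30 days"; rc=1; fi
    return $rc
}

# make_demo_cert DIR [EXTFILE]: constructed throwaway key and certificate,
# built with the same x509 -req -signkey step as the tutorial.
make_demo_cert() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=localhost\n' > "$1/req.cnf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -config "$1/req.cnf" -out "$1/server.csr" &&
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -days 3650 \
        ${2:+-extfile "$2"} -out "$1/server.crt" 2>/dev/null
}

# Usage: sh check_cert.sh server.crt server.key
if [ "$#" -eq 2 ]; then check_cert "$1" "$2"; fi
```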