Setup XAMPP Windows as SSL/TLS server

Recently I again needed to check a browser’s SSL capabilities. So, how to set up a test server using its own CA? Some time ago I needed to do that and found several tutorials, but NONE of them work as written. Now, the same problem again: Find a working tutorial.

This time I used the one at blog.sortedset.com although the missing images made me nervous. But all in all, the tutorial works with minor changes:

So, I first created a new VirtualBox Windows 6, x64 English test PC (IP address=192.168.0.101). Then downloaded xampp-win32.1.8.1-VC9-installer.exe and installed XAMPP. Next step was to download and install OpenSSL. I used Win32OpenSSL-1_0_1f.exe. Again got a warning about missing VS2008 VC9 runtimes and downloaded and installed that too. Then I followed the tutorial:

XAMPP installed to c:\xampp (default)

OpenSSL installed to c:\OpenSSL-Win32 (default)

Added the environment vars and opened a CMD box and entered the following commands one by one:

cd \xampp\apache\conf

The following was set accordingly in Computer setup, but you may use these commands in a CMD box before you run all the openssl commands:

SET OPENSSL_HOME=C:\OpenSSL-Win32
SET OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
SET PATH=%PATH%;C:\OpenSSL-Win32\bin

REM Create a CA and a server cert and sign it:

openssl genrsa -out ca_server.key 1024
openssl req -new -newkey rsa:1024 -nodes -out ca_server.csr -keyout ca_server.key -subj "/C=US/ST=NY/L=New York/O=CA Server Certificate/OU=IT/CN=www.CAServer.org"
openssl x509 -req -days 365 -in ca_server.csr -signkey ca_server.key -out ca_server.crt
openssl req -new -newkey rsa:1024 -nodes -out server.csr -keyout server.key -subj "/C=US/ST=Texas/L=Austin/O=Server /OU=IT/CN=192.168.0.101"
openssl x509 -req -days 365 -CA ca_server.crt -CAkey ca_server.key -CAcreateserial -in server.csr -out server.crt

REM create another CA and a client key and sign it:
openssl genrsa -out ca_client.key 1024
openssl req -new -newkey rsa:1024 -nodes -out ca_client.csr -keyout ca_client.key -subj "/C=US/ST=TX/L=Austin/O=CA for Client Cert/OU=IT/CN=www.CAforClient.org"
openssl x509 -req -days 365 -in ca_client.csr -signkey ca_client.key -out ca_client.crt
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=Texas/L=Austin/O=Client Iqbal/OU=IT/CN=ClientIqbal"
openssl x509 -req -days 365 -CA ca_client.crt -CAkey ca_client.key -CAcreateserial -in client.csr -out client_signedby_ca_client.crt
openssl pkcs12 -export -clcerts -in client_signedby_ca_client.crt -inkey client.key -out client_signedby_ca_client.p12

The last line asks for a password you will need later to import the certificate.

Now the file apache/conf/extra/httpd-ssl.conf has to be changed:

# httpd-ssl.conf
<IfModule ssl_module>
 Listen 443

 <IfModule mime_module>
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl .crl
 </IfModule>

 SSLPassPhraseDialog builtin

 <VirtualHost _default_:443>
 DocumentRoot "C:/xampp/htdocs"
 ServerName localhost:443
 ServerAdmin webmaster@localhost
 ErrorLog "logs/error.log"
 <IfModule log_config_module>
 CustomLog "logs/access.log" combined
 </IfModule>

 SSLEngine on

 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 SSLCertificateFile "conf/server.crt"
 SSLCertificateKeyFile "conf/server.key"
 SSLCACertificateFile "C:/xampp/apache/conf/ca_client.crt"

 <FilesMatch "\.(cgi|shtml|pl|asp|php)$">
 SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "C:/xampp/cgi-bin">
 SSLOptions +StdEnvVars
 </Directory>

 <Directory "C:/xampp/htdocs/protected_by_client_cert">
 Options Indexes
 Order allow,deny
 Allow from all

 SSLRequireSSL
 SSLVerifyClient require
 SSLVerifyDepth 1
 </Directory>

 BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

 CustomLog "logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost> 
</IfModule>

(I removed all comment lines)
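
How OpenSSL reads the SSLCipherSuite string in the config above, as an added example (not from the original post or the tutorial it follows): a leading + only reorders suites that are already selected, so +eNULL adds nothing, while ALL has already selected the LOW, EXP and SSLv2 keywords. The WEAK keyword list and the function names are assumptions of this example, which tracks keywords and does not expand them into actual suites.

```python
# Added example: keyword-level reading of an OpenSSL cipher string.
# It classifies tokens by operator; it does not expand keywords into suites.

# Assumption: a short list of keywords treated as weak for this example.
WEAK = {"eNULL", "NULL", "aNULL", "ADH", "EXP", "EXPORT40", "EXPORT56",
        "LOW", "SSLv2", "RC4"}
# Per the ciphers manual, ALL leaves out eNULL unless it is named explicitly.
NOT_IN_ALL = {"eNULL", "NULL"}
OPS = {"!": "kill", "-": "remove", "+": "reorder"}


def parse(cipher_string):
    """Return [(operation, [keywords ANDed with '+'])], one per token."""
    out = []
    # Colons, commas and spaces are all valid separators.
    for tok in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not tok:
            continue
        if tok.startswith("@"):
            out.append(("sort", [tok]))
        elif tok[0] in OPS:
            out.append((OPS[tok[0]], tok[1:].split("+")))
        else:
            out.append(("add", tok.split("+")))
    return out


def weak_selected(cipher_string):
    """Weak keywords the string leaves selected, applying tokens in order."""
    selected, killed = set(), set()
    for op, words in parse(cipher_string):
        if op == "add":
            for w in words:
                new = WEAK - NOT_IN_ALL if w == "ALL" else {w} & WEAK
                selected |= new - killed
        elif op in ("kill", "remove") and len(words) == 1:
            selected.discard(words[0])
            if op == "kill":
                killed.add(words[0])  # '!' is permanent, '-' can be undone
        # "reorder" and "sort" change preference order, never membership
    return selected


# The SSLCipherSuite value from the httpd-ssl.conf on this page.
PAGE_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"

if __name__ == "__main__":
    for op, words in parse(PAGE_STRING):
        print(f"{op:8} {'+'.join(words)}")
    print("weak keywords still selected:", sorted(weak_selected(PAGE_STRING)))
```

For the exact suite list on a given OpenSSL build, run openssl ciphers -v with the same string.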

Now I installed Firefox 35.01 and installed the CA Root cert by opening the menu Options-Advanced. Then click [View Certificates] and import the CA and the Client certificate:


Now create a directory C:/xampp/htdocs/protected_by_client_cert and place a small html file there:

<html>
<body>
<h2>Protected Area</h2>
</body>
</html>

And finally we can start XAMPP and test in Firefox: left is https://192.168.0.101 and right is https://192.168.0.101/protected_by_client_cert


And wow, you have your own CA for the https and a working client certificate.
