How to add SSL / HTTPS to WampServer

With the importance of HTTPS for security and SEO (according to Google), you need a development environment that lets you run your site locally on https. Unfortunately, right out of the box, WampServer only includes part of what you need to get your local web server running over https://localhost.

In this article, we will go over the exact steps you can follow to get HTTPS / SSL working on your Wamp Server. These instructions assume that you are installing the 64-bit version of WampServer for Windows to your c: drive. If not, just replace c: with d:. You may also need to change the version number in some of the paths depending on when you downloaded Wamp Server.

How to use WAMP + SSL to open localhost over https:

  1. Download & install WampServer.
  2. Open a command prompt (WindowsKey + R > cmd > click OK) and enter the following commands.
    cd c:\wamp64\bin\apache\apache2.4.27\bin
    openssl genrsa -aes256 -out private.key 2048
    openssl rsa -in private.key -out private.key
    openssl req -new -x509 -nodes -sha256 -key private.key -out certificate.crt -days 36500 -config c:\wamp64\bin\apache\apache2.4.27\conf\openssl.cnf
    Note: The second command removes the pass phrase from private.key so that Apache can load the key without prompting. For the third command, you can pretty much answer the questions any way you want, though real answers are best. The one question that really matters here is the FQDN. It should be: localhost.
  3. Move the private.key and certificate.crt files from c:\wamp64\bin\apache\apache2.4.27\bin to the c:\wamp64\bin\apache\apache2.4.27\conf\key\ folder. If the key folder doesn't already exist, create it.
  4. Using a text editor like Notepad, open c:\wamp64\bin\apache\apache2.4.27\conf\httpd.conf and un-comment the following 3 lines:
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
  5. Using a text editor like Notepad, open c:\wamp64\bin\apache\apache2.4.27\conf\extra\httpd-ssl.conf and apply the following changes:
    Check the following parameters to ensure they are configured correctly and not commented out. SSLSessionCache must stay above the line <VirtualHost _default_:443> (Apache rejects it inside a <VirtualHost> section); the remaining parameters go below that line.
    -------------------------------------
    SSLSessionCache "shmcb:c:/wamp64/bin/apache/apache2.4.27/logs/ssl_scache(512000)"

    DocumentRoot "c:/wamp64/www"
    ServerName localhost:443
    ServerAdmin admin@example.com
    ErrorLog "c:/wamp64/bin/apache/apache2.4.27/logs/error.log"
    TransferLog "c:/wamp64/bin/apache/apache2.4.27/logs/access.log"
    SSLCertificateFile "c:/wamp64/bin/apache/apache2.4.27/conf/key/certificate.crt"
    SSLCertificateKeyFile "c:/wamp64/bin/apache/apache2.4.27/conf/key/private.key"
    -------------------------------------
  6. Save the file and close it.
  7. You are done. To check the validity of the configuration files, at the command prompt, enter:
    c:\wamp64\bin\apache\apache2.4.27\bin\httpd -t
    It should report Syntax OK. Then use your web browser to go to https://localhost/

From this point on, you should be able to start, stop and restart Wamp Server and SSL-HTTPS will continue to work.
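
As an added example (not part of the original article or of WampServer), the following Python script checks the text of an httpd-ssl.conf for three mistakes that otherwise only show up at httpd -t or at Apache startup: SSLSessionCache placed inside <VirtualHost>, certificate or key paths that do not exist, and a private key that still has a pass phrase. The function name, the install_dir default and the sample configuration are assumptions made for illustration.

```python
import re
from pathlib import Path

SERVER_ONLY = {"sslsessioncache", "sslpassphrasedialog"}    # rejected inside <VirtualHost>
FILE_ARGS = {"sslcertificatefile", "sslcertificatekeyfile"}  # argument must be a readable file

def audit_ssl_conf(text, read=lambda p: Path(p).read_text(errors="replace"),
                   install_dir="c:/wamp64"):
    """Return (line_no, message) findings for the text of an httpd-ssl.conf."""
    findings, in_vhost = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</?VirtualHost\b", line, re.I):
            in_vhost = not line.startswith("</")
            continue
        name, arg = (line.split(None, 1) + [""])[:2]
        # install_dir stands in for Apache's ${INSTALL_DIR} variable (assumed value).
        arg = arg.strip().strip('"').replace("${INSTALL_DIR}", install_dir)
        if name.lower() in SERVER_ONLY and in_vhost:
            findings.append((no, f"{name} cannot occur within <VirtualHost> section"))
        if name.lower() in FILE_ARGS:
            try:
                head = "".join(read(arg).splitlines()[:2])
            except OSError:
                findings.append((no, f"{name} file not found: {arg}"))
                continue
            # Both PEM encodings of an encrypted key say ENCRYPTED in the first two lines.
            if "ENCRYPTED" in head:
                findings.append((no, f"{name} has a pass phrase; Apache on Windows cannot prompt for it"))
    return findings

# Constructed sample configuration (not taken from a real server).
SAMPLE = """\
<VirtualHost _default_:443>
DocumentRoot "${INSTALL_DIR}/www"
ServerName localhost:443
SSLSessionCache "shmcb:${INSTALL_DIR}/bin/apache/apache2.4.27/logs/ssl_scache(512000)"
SSLCertificateFile "${INSTALL_DIR}/bin/apache/apache2.4.27/conf/key/certificate.crt"
SSLCertificateKeyFile "${INSTALL_DIR}/bin/apache/apache2.4.27/conf/key/private.key"
</VirtualHost>
"""

if __name__ == "__main__":
    for no, msg in audit_ssl_conf(SAMPLE):
        print(f"line {no}: {msg}")
```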

Enjoy!

Michael Milette


Comments

How to add SSL / HTTPS to WampServer — 36 Comments

  1. Excellent and very Clear. Thank you
    However checking the validity of the file, I get:

    AH00526: Syntax error on line 127 of C:/wamp64/bin/apache/apache2.4.27/conf/extra/httpd-ssl.conf:
    SSLSessionCache cannot occur within <VirtualHost> section

  2. Hi, thanks for this, I found it very helpful.

    However there is a step which you missed, you need to copy the private.key file and the certificate.crt files from the folder where they are created (c:\wamp64\bin\apache\apache2.4.27\bin) to the folder c:\wamp64\bin\apache\apache2.4.27\conf

    Once I figured that out, it all worked

  3. Thanks for this post. I know it is not in its finished form but I have used it to (nearly?) implement SSL on my Wampserver. This is my experience, in case it is of use.

    Because openssl did not seem to work on my old version, I have upgraded my Wampserver to v 3.1.1 64 bit. It took a while but it works fine now, and I am now on Apache 2.4.27. I was then able to follow your instructions to the letter.

    On checking the validity using httpd -t I found the following errors and corrected them:
    – SSLSessionCache line caused error “cannot occur within virtualhost section” – I moved it to replace existing SSLSessionCache line outside the virtualhost section
    – SSLCertificateFile and SSLCertificateKeyFile were pointing to the wrong folders, as the files are in bin not conf (they also needed their old values commenting out, which I had missed)
    – I also had to comment out CustomLog, as it pointed to an invalid folder

    I then had an Apache error: 1066, and the error log said SSLPassPhraseDialog builtin is not supported on Win32. The solution I used (from https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO11242) was to remove the encryption and comment out SSLPassPhraseDialog. (Maybe I should originally have used a blank Passphrase?)

    The situation now is that localhost works fine with my WordPress site, but https://localhost gives me a message that the certificate is not trusted. I switched to a simple one page index.html file for testing, so there are no complications from my site itself.

    In Firefox I managed to get the certificate trusted by clicking on the option it presented. Using Chrome settings I was able to install the certificate in the Trusted Root Certification Authorities Store. This meant that Edge treats it as trusted, but Chrome still does not (I am currently on version 65). Opera allows me in but marks it as not trusted.

    I then switched back to my WordPress index.php and in Chrome got the error “This server could not prove that it is localhost; its security certificate does not specify Subject Alternative Names.” It seems the issue is recognised – eg at https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate/43666288 and I used the solution there (editing the certificate). But it still did not help.

    I needed to use openssl to include Subject Alternative Names, using https://www.endpoint.com/blog/2014/10/30/openssl-csr-with-alternative-names-one as a basis, I added the following to the end of openssl.cnf and regenerated the certificate.

    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = localhost
    DNS.2 = www.localhost

    I don’t know if I did it right, but the situation is no better, in that the browsers mark the site as insecure, but as my Wamp is a development system I think it is just about good enough for me to start preparing the main site for SSL, but I would still like to get https working properly.

    Thanks again.

  4. To solve the SubjectAltNames issue on my wamp, I used https://community.nethserver.org/t/subjectaltname-for-certificates/6786/4 to edit C:\wamp64\bin\apache\apache2.4.27\conf\openssl.cnf

    Under [ Req ] section
    uncommented: req_extensions = v3_req

    Under [ v3_req ] section
    Added: extendedKeyUsage = serverAuth
    Added: subjectAltName = @alt_names

    Under [ v3_ca ] section
    Added: subjectAltName = @alt_names

    Added new section [ alt_names ] at the bottom of the file
    [ alt_names ]
    DNS.1 = localhost
    DNS.2 = www.localhost

    Then reloaded the new certificate into the Trusted Root Certification Authorities Store (using Chrome Settings/Advanced/Manage certificates). The Chrome Developer tools Security tab helped confirm any issues.

    With my simple single html page https is now OK. When I switched back to my WordPress site, I had one issue but it is now working OK in https. I am now looking forward to using Really Simple SSL, and clearing all the mixed content.

    A hint for WordPress Users: If you are logged in and reload using https you get “This has been disabled”, as you need to log in again. What I did was log out using my old http, then reload using https, which then enabled me to log in.

    You will realise that I do not really know what I am doing, and just use bits of help where I can find it on the web. Thanks for your help.

      • I figured out my problem. The certificate.crt file has to be in the same location as the private.key.

        I think command four should read: SSLCertificateFile "c:/wamp64/bin/apache/apache2.4.27/bin/certificate.crt"
        SSLCertificateKeyFile "c:/wamp64/bin/apache/apache2.4.27/bin/private.key"

        instead of in the conf folder.

        Thanks for the awesome tutorial!

    • Hi Ioannis,

      Thank you for the suggestion. You were right of course. The physical location of the files and the recommended configuration settings did not line up.

      I’ve updated the article to correct the paths. I now recommend that you put the files in a folder called ..\conf\key\ just to keep things tidy and also modified the configuration instructions to reflect this change. With that said, you can certainly leave it as you configured it and it will continue to work correctly. Thank you for taking the time to share your solution.

      With gratitude,

      Michael
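
The Subject Alternative Name fixes discussed in the comments above depend on which openssl.cnf section carries subjectAltName: with the article's `openssl req -new -x509` command, certificate extensions are read from the section named by x509_extensions in [ req ]. The Python check below is an added example, not code from the article or its commenters; its function names and the two sample configurations are constructed.

```python
import re

def parse_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def san_problems(cnf_text, host="localhost"):
    """Explain why `openssl req -new -x509` with this config would omit a SAN for host."""
    cnf = parse_cnf(cnf_text)
    # With -x509, req takes certificate extensions from [req] x509_extensions;
    # req_extensions only applies to certificate requests (CSRs).
    ext = cnf.get("req", {}).get("x509_extensions")
    if ext not in cnf:
        return ["[req] x509_extensions does not name an existing section"]
    san = cnf[ext].get("subjectAltName", "")
    if not san:
        return [f"[{ext}] has no subjectAltName, so the certificate carries only a CN"]
    if san.startswith("@"):   # indirect form: subjectAltName = @alt_names
        entries = cnf.get(san[1:], {})
        names = [v for k, v in entries.items() if k.startswith("DNS.")]
    else:                     # inline form: subjectAltName = DNS:localhost
        names = [p.strip()[4:] for p in san.split(",") if p.strip().startswith("DNS:")]
    if host not in names:
        return [f"subjectAltName lists {names}, not {host}"]
    return []

# Constructed sample: a SAN section exists but the section -x509 reads never uses it.
UNREFERENCED = """
[ req ]
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = CA:true
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
"""
# Constructed sample: the same file with subjectAltName added under [ v3_ca ].
WIRED = UNREFERENCED.replace("CA:true", "CA:true\nsubjectAltName = @alt_names")
```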

  5. I would recommend you to use Let’s Encrypt for applying SSL on PHP websites. Let’s encrypt is available for free and it will remain free. It is easy to install and configure with your website.

    • Thanks for your comment Oliver. Let’s Encrypt/Certbot is indeed a great tool that I often recommend. However it doesn’t work with https://localhost as far as I know – which is what the article is about.

    • Hi Valentin, thank you for your comment. I thought it would have been obvious that the file would be in the directory where you created it however I have taken your feedback into consideration and updated step 3. Best regards, Michael 🙂

  6. I made all my website ready for ssl. Now, when I included all the websites in the httpd-ssl.conf file the websites all do point to my first website.
    What is the problem ?

    • The problem will likely be how you configured the httpd-ssl.conf file. Refer to Apache documentation for more information.

    • In Chrome, try going to chrome://flags/#allow-insecure-localhost and see if enabling this option helps. You may need to restart your web browser. Other browsers will have different instructions.

    • There is a way to tell the browser to let you through without the message however it has to be done in your web browser’s settings. Instructions are browser specific.

      TIP: Avoid using the .dev top level domain (like localhost.dev).

  7. Hello Michael,

    I followed your instructions with adjusted paths, but I get an error when checking validity of file (last point):

    AH00526: Syntax error on line 87 of C:/wampserver/bin/apache/apache2.4.9/conf/extra/httpd-ssl.conf:
    SSLSessionCache takes one argument, SSL Session Cache storage ('none', 'nonenotnull', 'dbm:/path/to/file')

    Line 87 is:
    SSLSessionCache "shmcb:c:/wampserver/bin/apache/apache2.4.9/logs/ssl_scache(512000)"

    What did I do wrong? There is no file “ssl_scache(512000)” in that directory.

    Thank you,
    Stefan

  8. I am trying to follow the instructions as above but get the message below after my first open ssl cmd (I am new to all of this – please help)

    “C:\wamp64\bin\apache\apache2.4.23\bin>openssl genrsa -aes256 -out private.key 2048
    WARNING: can’t open config file: c:/usr/local/ssl/openssl.cnf
    Generating RSA private key, 2048 bit long modulus
    ………………………….+++
    ….+++
    unable to write ‘random state’
    e is 65537 (0x10001)
    Enter pass phrase for private.key:”

  9. Since Wampserver 3.1.0 which includes Apache 2.4.27 (And for all subsequent Apache addons), an Apache “variable” is used to define the installation path.
    You can therefore replace, in all Apache conf files, your installation path with this Apache variable.
    So,
    DocumentRoot "c:/wamp64/www"
    can be replaced by
    DocumentRoot "${INSTALL_DIR}/www"

    The same applies to all other lines in Apache conf files that contain the Wampserver installation path.

    This is the first time I have seen such a detailed and simple SSL/https implementation procedure for Wampserver.
    Moreover, as this procedure seems to be followed and updated, I’d like to put its link in the Wampserver tools in a next update.

  10. Fantastic, thank you very much! I just had some issues to see that the commandlines are multiple rows. This is the first tutorial which worked for me.

    Also had to add -rand to the private.key:

    $ cd c:\wamp64\bin\apache\apache2.4.27\bin
    $ openssl genrsa -rand -aes256 -out private.key 2048
    $ openssl rsa -in private.key -out private.key
    $ openssl req -new -x509 -nodes -sha1 -key private.key -out certificate.crt -days 36500 -config c:\wamp64\bin\apache\apache2.4.27\conf\openssl.cnf

    Also nice tip: Chrome Settings >> Advanced >> SSL Certs >> And here add the new cert to remove this annoying “This site is not safe” warning.

  11. Thanks for your article!
    Because it wasn’t working with this configs…
    if somebody is in this situation, thanks to the command “httpd -t”, I could notice it:
    I hadn’t any “ssl” directory in G:/wamp/bin/apache/apache2.4.23/logs/. It has to be created (or avoid in your paths).
    C:/ or G:/ has to always be in uppercase letter (Apache will not find the path with c:/…)
    When you create the certificate, you can pretty much answer the questions any way you want (though real answers are best)… but the one question that really matters is the FQDN : it should be localhost.
    Bye!

  12. hello,
    the Wamp server stops working (2 out of 3 services working) after I include the conf/extra/httpd-ssl.conf
    however I got the result syntax ok in the end but I am not able to start my https request
    is there any solution for this error.

  13. Could you help me, please?

    I’m getting error:

    Your connection is not secure

    The owner of localhost has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    localhost uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for . Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

    • Hi Diego,

      This is normal. You can’t have a signed certificate for a local site so you have to use a self-signed certificate. Just tell your web browser to accept it and your site will run on https. You may also be able to tell your web browser to always accept this local certificate so it doesn’t bother you again. This should only be used for development.

      If you are running your website on an Intranet, there is little point in running your site on https – just use http. Alternatively, if you really have a valid reason for running your site over https on an Intranet, you will need to use your workstation management system to apply the change to all workstations.

      Hope this helps.

      Best regards,

      Michael

  14. For those of you who are getting a ‘403 forbidden, you don’t have permission’ error, it might be because you have not configured your directory access permissions correctly in ‘httpd-ssl.conf’. You need to add the following in httpd-ssl.conf:

    Options +Indexes +Includes +FollowSymLinks +MultiViews
    AllowOverride All
    #Require local
    Require all granted
    #Require all denied

    You can replace ‘${INSTALL_DIR}/www’ with whatever path you wish to grant access to. Essentially, you can also just copy the corresponding code snippet from ‘httpd-vhosts.conf’ so it behaves the same way as it did before SSL was enabled.

    I hope this helps anyone having the same problem I had.

    Good luck!

    Marvin

    • Comment edit – You need to add the following in ‘httpd-ssl.conf’:

      Options +Indexes +Includes +FollowSymLinks +MultiViews
      AllowOverride All
      #Require local
      Require all granted
      #Require all denied

      • Comment edit – You need to add the following in ‘httpd-ssl.conf’:

        <Directory "${INSTALL_DIR}/www/quick_job/dev/">
        Options +Indexes +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        #Require local
        Require all granted
        #Require all denied
        </Directory>
