0

I have localhost with SSL and it is working fine on my local PC, but SSL doesn't work across the LAN. Because I'm using a self-signed certificate, I have to install the certificate on every PC on which I'll open the site, but it's only working on the PC on which the website is hosted and not on the other PCs on the LAN.

I don't want to host my website online because I'm in development mode.

My Local PC:

host file:

```
127.0.0.1 gofashion_chat.test
```

httpd-xampp.conf

```apache
<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/gofashion"
    ServerName gofashion_chat.test
    ServerAlias *.gofashion_chat.test
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "C:/xampp/htdocs/gofashion"
    ServerName gofashion_chat.test
    ServerAlias *.gofashion_chat.test
    SSLEngine on
    SSLCertificateFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.crt"
    SSLCertificateKeyFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.key"
</VirtualHost>
```

Certificate in browser:

[Screenshot: certificate in browser]

PC on LAN:

host file:

```
192.168.10.7 gofashion_chat.test
```

Certificate in browser on LAN PC:

[Screenshot: certificate in browser on LAN PC]

I have installed server.crt on both PCs.

How do I solve ssl issue across LAN?

Edit:

This is my bat file which I used to generate certificate

```bat
@echo off

set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "

SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%

SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%

(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo req_extensions      = v3_req
echo x509_extensions     = x509_ext
echo distinguished_name  = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %FULL_DOMAIN%
echo:
echo [v3_req]
echo subjectAltName         = @alt_names
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints       = critical, CA:TRUE, pathlen:1
echo keyUsage               = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [x509_ext]
echo subjectAltName         = @alt_names
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints       = critical, CA:TRUE, pathlen:1
echo keyUsage               = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [alt_names]
echo DNS.1 = *.%FULL_DOMAIN%
echo DNS.2 = %FULL_DOMAIN%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf

C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf

echo.
echo -----
echo The certificate was provided.
echo.
pause
```

This is another one I used to generate the certificate.

```bat
@echo off

set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "

SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%

SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%

(
echo [ req ]
echo default_bits        = 2048
echo default_keyfile     = server-key.pem
echo distinguished_name  = subject
echo req_extensions      = req_ext
echo x509_extensions     = x509_ext
echo string_mask         = utf8only
echo:
echo [ subject ]
echo countryName                 = Country Name ^(2 letter code^)
echo countryName_default         = %COUNTRY%
echo stateOrProvinceName         = State or Province Name ^(full name^)
echo stateOrProvinceName_default = %STATE%
echo localityName                = Locality Name ^(eg, city^)
echo localityName_default        = %CITY%
echo organizationName            = Organization Name ^(eg, company^)
echo organizationName_default    = %ORGANIZATION%
echo commonName                  = Common Name ^(e.g. server FQDN or YOUR name^)
echo commonName_default          = %HOSTNAME%.%DOT%
echo emailAddress                = Email Address
echo emailAddress_default        = %EMAIL%
echo:
echo [ x509_ext ]
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid,issuer
echo basicConstraints       = CA:FALSE
echo keyUsage               = digitalSignature, keyEncipherment
echo subjectAltName         = @alternate_names
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [ req_ext ]
echo subjectKeyIdentifier = hash
echo basicConstraints     = CA:FALSE
echo keyUsage             = digitalSignature, keyEncipherment
echo subjectAltName       = @alternate_names
echo nsComment            = "OpenSSL Generated Certificate"
echo:
echo [ alternate_names ]
echo:
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf

C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf

echo.
echo -----
echo The certificate was provided.
echo.
pause
```

2 Answers

0

This might be late but it is worth a try ^_^

Instead of specifying your localhost with gofashion_chat.test, just use computername.domain. This will save you time editing the hosts of each computer you want to access your website.

Create a folder inside apache. Folder name: crt

Create a file with the name of cert-template.conf and save it in crt folder. Below is the command for cert-template.conf.

```ini
[ req ]

default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]

countryName                 = Country Name (2 letter code)
countryName_default         = TE

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = TEST

localityName                = Locality Name (eg, city)
localityName_default        = TEST

organizationName            = Organization Name (eg, company)
organizationName_default    = TEST

commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = computername.domain

emailAddress                = Email Address
emailAddress_default        = test@example.com

[ x509_ext ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "OpenSSL Generated Certificate"

[ req_ext ]

subjectKeyIdentifier = hash

basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1       = computername.domain
```

Create this file also: make-cert.bat and save it in crt folder. Below is the command of make-cert.bat.

```bat
@echo off
set /p domain="Domain Name: "
set OPENSSL_CONF=../conf/openssl.cnf

REM
REM Read the "cert-template.conf" file and replace all {{DOMAIN}} placeholders by the entered domain.
REM Write the result into a new file called "cert.conf".
REM
REM @see https://stackoverflow.com/questions/5273937/how-to-replace-substrings-in-windows-batch-file#20227248
REM
setlocal enabledelayedexpansion
set INTEXTFILE=cert-template.conf
set OUTTEXTFILE=cert.conf
set SEARCHTEXT={{DOMAIN}}
set REPLACETEXT=%domain%

if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
for /f "tokens=1,* delims=¶" %%A in ( '"findstr /n ^^ %INTEXTFILE%"') do (
   SET string=%%A
   for /f "delims=: tokens=1,*" %%a in ("!string!") do set "string=%%b"
   if  "!string!" == "" (
       echo.>>%OUTTEXTFILE%
   ) else (
      SET modified=!string:%SEARCHTEXT%=%REPLACETEXT%!
      echo !modified! >> %OUTTEXTFILE%
  )
)


REM
REM Create the target directory.
REM
if not exist .\%domain% mkdir .\%domain%


REM
REM Create the certificate and key files.
REM
..\bin\openssl req -config %OUTTEXTFILE% -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 365 -out %domain%\server.crt


REM
REM Delete the written file "cert.conf" as this file would only be used to create the certificate.
REM
if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%


echo.
echo -----
echo The certificate was provided.
echo.
pause
```

Run make-cert.bat; a command prompt will show and ask you for a domain name. Your domain name is your computername.domain. After that, there are questions you need to answer, and the most important question is the Common Name. Common Name = Computername.domain.

Install the certificate you created located at crt/computername.domain/server.crt. Install Certificate>Local Machine> Place all certificates in the following store> Browse> Trusted Root Certification Authorities> Next > Finish.

Insert this script in the bottom of httpd-xampp.conf

```apache
<VirtualHost computername.domain:8080>
    DocumentRoot "C:/xampp/htdocs"
</VirtualHost>

<VirtualHost computername.domain:4433>
    DocumentRoot "C:/xampp/htdocs"
    SSLEngine on
    SSLCertificateFile "crt/computername.domain/server.crt"
    SSLCertificateKeyFile "crt/computername.domain/server.key"
</VirtualHost>
```

Restart XAMPP and try to access your localhost using https://computername.domain:4433.

That's all. I hope you get all of the steps.

-1

Your screenshot shows that the used certificate is allowed for the purposes

  • All issuance policies
  • All application policies

But you want to use it as a web server certificate, therefore the certificate requires the following purpose:

  • Ensures the identity of a remote computer

I assume on your computer it works as the web browser recognizes that the server is running on a local network interface - hence it is not a "remote computer" and therefore it works without this purpose allowed in the certificate.

Robert
  • I don't know anything about those details. I'm first time. Can you provide a solution? What should I do to get rid of this error from PC on LAN? – Faizan Anwer Ali Rupani Apr 06 '19 at 18:56
  • @Faizan Once a certificate has been signed its data can't be changed. Therefore you have to generate and sign a new certificate - see e.g. here https://stackoverflow.com/a/10176685/150978 – Robert Apr 07 '19 at 12:21
  • But how did you self-sign a certificate with "Ensures the identity of a remote computer"? `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365` won't add "Ensures the identity of a remote computer" to the certificate – Faizan Anwer Ali Rupani Apr 08 '19 at 09:46
  • @Faizan Looks like you have to configure the `keyUsage` via config file: https://superuser.com/questions/738612/openssl-ca-keyusage-extension – Robert Apr 08 '19 at 11:35
  • I have added my bat file code to the question above. Check it out. I have used the configuration described by you and still can't get the certificate to access SSL from the LAN or a remote computer – Faizan Anwer Ali Rupani Apr 08 '19 at 12:04
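
An added example (not code from the question or either answer): the leaf-certificate settings the two answers discuss, a SAN for the exact name clients type plus the `serverAuth` extended key usage that Windows displays as "Ensures the identity of a remote computer", generated and then checked with `openssl`. It is written for a POSIX shell such as Git Bash or WSL; the function names and the output directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: hostname and output directory are supplied by the caller.
# Write a config for a leaf (non-CA) server certificate and self-sign it.
# $1 = exact name clients type in the browser, $2 = output directory
make_server_cert() {
    host=$1; dir=$2
    mkdir -p "$dir"
    cat > "$dir/cert.cnf" <<EOF
[req]
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = x509_ext

[dn]
CN = $host

[x509_ext]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/cert.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# True when the certificate in $1 is valid for hostname $2 (SAN/CN match).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True when the certificate carries the Server Authentication EKU.
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# SHA-256 fingerprint of a certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Fingerprint of what the server at $1 (host:port) presents for SNI name $2;
# compare with cert_fingerprint to confirm Apache serves the intended file.
served_fingerprint() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
```

On the LAN PC, `cert_matches_host server.crt gofashion_chat.test` together with a comparison of `cert_fingerprint server.crt` and `served_fingerprint 192.168.10.7:443 gofashion_chat.test` shows whether the browser is receiving the same certificate that was installed.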