How to Install an SSL Certificate on XAMPP

Last updated on June 10th, 2026 by Denis Graur

In this tutorial, you’ll learn how to install an SSL certificate on XAMPP, the popular local Apache, MariaDB, and PHP development stack.

We also recorded a video that walks you through the entire process of installing an SSL certificate on XAMPP. If you prefer the text version, keep reading below.

Generate a CSR code for XAMPP

If you’ve already generated the CSR code and received your SSL certificate in a ZIP folder, jump straight to the installation steps.

The Certificate Signing Request (CSR) is a small, encoded text file containing information about your domain and organization. All commercial Certificate Authorities require SSL applicants to submit a CSR code as part of the validation process.

Because XAMPP runs locally on your device, you have a couple of options for creating your CSR. Pick one method and follow the instructions in the link:

Use SSL Dragon’s CSR Generator tool to create the CSR automatically.
Follow our step-by-step tutorial on how to create a CSR with the OpenSSL utility for Apache (XAMPP ships with OpenSSL, so you can run it from the C:\xampp\apache\bin folder).

After you generate the CSR code and the private key file, continue with the installation instructions.

Install an SSL certificate on XAMPP

Once the CA validates your order and delivers the files to your inbox, download the ZIP archive and extract its contents on your device. You’ll need:

Your primary SSL certificate file (for example, yourdomain_com.crt).
The CA bundle (SSL chain) file containing the root and intermediate certificates.
The private key file you generated along with the CSR (for example, yourdomain_com.key).

Note: If your bundle arrives as several separate files, merge them into a single plain-text file with a .crt (or .ca-bundle) extension. Add your intermediate certificate(s) first, followed by the root certificate.

Step 1: Create a folder for your SSL files

Create a folder inside your XAMPP installation to store the certificate files. A common choice is C:\xampp\apache\ssl (on Windows) or /opt/lampp/apache/ssl (on Linux/macOS). Copy your certificate, CA bundle, and private key into this folder.

On Apache 2.4.8 and later (which is what every current XAMPP release ships), the cleanest approach is to combine your certificate and CA bundle into one full-chain file. From a terminal in your SSL folder, run:

copy yourdomain_com.crt + yourdomain_com.ca-bundle yourdomain_com_fullchain.crt

That command is for the Windows Command Prompt. On Linux or macOS, use:

cat yourdomain_com.crt yourdomain_com.ca-bundle > yourdomain_com_fullchain.crt

The order matters: your server certificate must come first, followed by the intermediate and root certificates.

Step 2: Find Apache’s SSL configuration file

XAMPP keeps the HTTPS settings in a dedicated file called httpd-ssl.conf. Open it in one of two ways:

In the XAMPP Control Panel, click Config on the Apache row and select Apache (httpd-ssl.conf).
Or open it directly with a text editor. It lives in your XAMPP installation folder at C:\xampp\apache\conf\extra\httpd-ssl.conf (Windows) or /opt/lampp/etc/extra/httpd-ssl.conf (Linux). If you installed XAMPP on a different drive, adjust the drive letter accordingly, e.g. D:\xampp\apache\conf\extra\httpd-ssl.conf.

Tip: Make sure SSL is actually enabled. Open C:\xampp\apache\conf\extra\httpd-xampp.conf (or the main httpd.conf) and confirm the line that includes the SSL module and the SSL config is not commented out:

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Listen 443

Step 3: Edit the VirtualHost for port 443

Inside httpd-ssl.conf, find the <VirtualHost _default_:443> block (or add a new one for your domain) and point the SSL directives at your files. A complete, modern block looks like this; replace the server name, alias, and paths with your own, and always use forward slashes:

<VirtualHost *:443>
    DocumentRoot "C:/xampp/htdocs"
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    SSLEngine on

    # Apache 2.4.8+ (XAMPP): certificate + CA bundle in one full-chain file
    SSLCertificateFile    "C:/xampp/apache/ssl/yourdomain_com_fullchain.crt"
    SSLCertificateKeyFile "C:/xampp/apache/ssl/yourdomain_com.key"

    # Recommended TLS hardening (2026)
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder off

    <Directory "C:/xampp/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

SSLCertificateFile: your full-chain file (server certificate followed by the intermediates). On Apache 2.4.8+ this single directive serves the whole chain, which is why you don’t need the older SSLCertificateChainFile.
SSLCertificateKeyFile: the private key you created with the CSR.

Important: Don’t use SSLCACertificateFile to send your chain. That directive tells Apache which CAs to trust when verifying client certificates, not which intermediates to present to browsers. To deliver the chain, use a combined SSLCertificateFile as shown above. (On legacy Apache older than 2.4.8 you would instead keep the files separate and add SSLCertificateChainFile pointing at the CA bundle, but XAMPP doesn’t ship versions that old.)

Save the file when you’re done.

Step 4: Test the configuration (recommended)

Before restarting, check the config for syntax errors so a typo doesn’t stop Apache from starting. Open a terminal in C:\xampp\apache\bin and run:

httpd -t

You should see Syntax OK. If you get an error, revisit Step 3 before continuing.

Step 5: Restart Apache

In the XAMPP Control Panel, on the Apache row click Stop, wait for it to stop, then click Start. Apache will reload with your new SSL settings.

Congratulations, you’ve successfully installed an SSL certificate on XAMPP. Visit your site over https:// to confirm the padlock appears.

Test your SSL installation

After installing the certificate, it’s worth testing the installation for potential errors. If your XAMPP site is reachable on a public domain, our SSL Checker give you instant scans and reports on your certificate, chain, and configuration.

For a purely local setup (such as localhost or a private hostname that public scanners can’t reach), open the site in your browser, click the padlock in the address bar, and inspect the certificate details to confirm the correct certificate and full chain are being served.

Where to Buy the Best SSL Certificate for XAMPP?

You don’t need to leave this website. Here at SSL Dragon, we offer one of the widest ranges of SSL products at some of the lowest prices on the market. All our certificates are compatible with XAMPP and suited for projects of any size and budget. If you’re developing locally now but plan to go live on a public domain, a publicly trusted certificate from a commercial CA is the way to go.

Get an SSL certificate now

Frequently asked questions

Can I install an SSL certificate on XAMPP?

Yes. XAMPP runs Apache with mod_ssl, so you can either generate a self-signed certificate for local testing or install a third-party (publicly trusted) SSL certificate, exactly as you would on any Apache server. Edit httpd-ssl.conf, point the SSL directives at your files, and restart Apache.

How do I get a localhost SSL certificate?

For local development you can generate a self-signed certificate with the OpenSSL binary bundled in XAMPP (in C:\xampp\apache\bin) and trust it in your browser. If you need a publicly trusted certificate for a real domain, generate a CSR, submit it to a Certificate Authority, and install the issued certificate using the steps above. SSL Dragon offers certificates compatible with this workflow.

How do I know if an SSL certificate is installed on XAMPP?

If the certificate is installed correctly, your site loads over https:// (the “S” stands for secure) and the browser shows a padlock. Click the padlock and inspect the certificate’s details to confirm the issuer, validity dates, and that the full chain is present. You can also run httpd -t from C:\xampp\apache\bin to confirm Apache accepted your SSL configuration.

Where are SSL certificates stored in XAMPP?

There is no single mandatory location; you choose where to keep them and point httpd-ssl.conf at that path. A common convention is a dedicated folder such as C:\xampp\apache\ssl. XAMPP’s own default sample certificate lives in C:\xampp\apache\conf\ssl.crt with the key in C:\xampp\apache\conf\ssl.key.

Why use SSLCertificateFile instead of SSLCertificateChainFile on XAMPP?

XAMPP ships Apache 2.4.8 or newer, where SSLCertificateFile can load your certificate and its intermediate chain from a single combined file. That makes the old SSLCertificateChainFile directive obsolete. Don’t confuse either with SSLCACertificateFile, which is only for verifying client certificates, not for sending your server’s chain to browsers.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

Order Now

Written by Denis Graur

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.