Solution - Windows 11/XAMPP Installation - Install SSL Certificate and Access OpenEMR Securely on ALL LAN Computers

(NOTE: My original post had to be modified because the system won’t let me post more than 2 “links”. I have placed a space before each dot in an ip address or virtual host so the system won’t think they’re links. There should be no space between dots in your ip addresses or the virtual host in your actual configuration)

For those who have a Windows 11, XAMPP installation of OpenEMR and are having a difficult time establishing a secure (https) connection to the OpenEMR server/computer from the other computers in your local area network (LAN), below are the steps I used to obtain secure connections with my LAN computers. This took me weeks to figure out, and I hope it can help save someone some time if they find themselves in the same situation.

For some reason, I could not get the OpenEMR SSL Certificate Generator to create an SSL Certificate, Key, etc. when I tried using it in OpenEMR (I’m not very knowledgeable about computers and am new to OpenEMR). I figured it may be due to the fact that I installed OpenEMR with XAMPP. Whatever the reason, I decided to create an SSL Certificate with the makecert.bat, which comes with XAMPP, and used it along with a virtual host. The step by step on creation and configuration are outlined below. For this post, the main server/computer where XAMPP and OpenEMR are installed will have a static IP address of 192 .168 .1 .15 and the virtual host will be “Example .local”. XAMPP will be installed in the C: drive.

  1. Assign static ip addresses to all the computers on the LAN (Personal preference. I think it just makes it easier).

  2. Place each computer (including main server) on the private network by: Entering “Settings” => clicking on “Network and Internet” => clicking on “Ethernet” or “Wifi” (depending on which way you are connecting to the server - but I strongly recommend via ethernet) => select “Private Network”.

  3. Enable network discovery on each computer by: Entering “Settings” => clicking on “Network and Internet” => clicking on “Advanced Network Settings” => clicking on “Advanced Sharing Settings” => setting “Network Discovery” to “On” (Leave auto configuring checked), and Do not turn on “File and Printer Sharing” unless you need that as well.

  4. Configure each computer to allow port 80 through the firewall for the private network by: Opening “Control Panel” (small icons) => clicking on “Windows Defender Firewall” => clicking on the upper left “Allow An App or Feature Through Windows Defender Firewall” => scroll to “Port 80 Allow” and make sure the “private” box is checked and the “public” box is unchecked.

  5. Verify you can see all the computers in your LAN on all your computers by clicking on the File Explorer in your system tray and scrolling to “Network” on the left panel. You should see all your devices listed when you click on “Network”.

  6. Create and configure your virtual host in the main OpenEMR server/computer (The virtual host can be named anything you would like to call it) by:

a. Clicking on Windows File Explorer in the system tray and going to C: => Windows => System32 => drivers => etc => “hosts” (Right-click and select “Edit with Notepad”). Once open, go to the next available line and type in the following:

```
127.0.0.1 Example.local
```

b. Go to your xampp folder and configure the virtual host to access Example .local on port 80 by: Clicking on Windows File Explorer => C: => xampp => Apache => Conf => extra => “httpd-vhosts.conf” (Right-click on the file and select “edit with Notepad”). Once open, scroll to the next available line and type the following:

```
<VirtualHost *:80>
    ServerName Example.local
    ServerAlias Example.local
    DocumentRoot "C:/xampp/htdocs/openemr/"
</VirtualHost>
```

c. The “C:” can be changed to whatever letter drive you have your xampp package installed on. Stop and Restart your Apache server. Now, verify you can reach the OpenEMR login screen by typing Example .local into the url browser window. It should take you to the log in screen.

  7. Create the SSL Certificate for your virtual host by:

a. Clicking on Windows File Explorer => C: => xampp => Apache => “makecert.bat” (Right-click the file and select “edit with Notepad”). Scroll to the line where “. . . -days 365” is written. Keep or modify the number of days you would like the certificate to be valid. Place the cursor one space after the number of days and write the following:

-extfile v3.ext

b. Save the file and close.

c. In the Apache folder, create the v3.ext file. If your system prevents you from writing and saving in the Apache folder, write it in Notepad, save it to the desktop as a text file, click on the file name and edit the extension from .txt to .ext, and drag and drop it into the Apache folder. In the v3.ext file, type the following:

```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = *.Example.local
DNS.3 = Example.local
# IP addresses need IP.n entries; browsers do not match an IP against a DNS.n entry
IP.1 = 127.0.0.1
IP.2 = 127.0.0.2
```

d. Double-click on the makecert.bat file and follow the instructions for creating the certificate. If successful, you will find the certificate at xampp => Apache => Conf => ssl.crt

  8. Install the certificate into the “Trusted Root Certification Authorities” by double clicking on the certificate in the ssl.crt folder and selecting “install” for the local computer and browsing to find the Trusted Root folder when asked where you want to store the certificate.

  9. Copy the certificate onto a thumb drive and install the certificate on the other computers in the LAN in the same manner.

  10. Now having a certificate, configure the vhosts file in XAMPP to accept secure connections from port 443 by:

Clicking on Windows File Explorer => C: => xampp => Apache => Conf => extra => “httpd-vhosts.conf” (Right-click on the file and select “edit with Notepad”). Once open, scroll to the next available line and type the following:

```
<VirtualHost *:443>
    ServerName Example.local
    ServerAlias Example.local
    DocumentRoot "C:/xampp/htdocs/openemr/"
    SSLEngine on
    SSLCertificateFile "conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "conf/ssl.key/server.key"
</VirtualHost>
```

  11. Save the vhosts file. Stop and restart Apache and verify you can access Example .local by typing in http ://example .local (for port 80) AND https ://example .local (for port 443)

They should both work. http should show that it is not secure, and https should show the lock, indicating it is a secure connection.

  12. Now configure port 80 (http) to automatically redirect to port 443 (https) by returning to the vhosts file and modifying the port 80 configuration as follows:

```
<VirtualHost *:80>
    ServerName Example.local
    ServerAlias Example.local
    DocumentRoot "C:/xampp/htdocs/openemr/"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.local [OR]
    RewriteCond %{SERVER_NAME} =example.local
    # Flags must be comma-separated with no spaces, or Apache rejects the rule
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

  13. Save the vhosts file. Stop and restart Apache. Test that the redirect works by typing http ://example .local into the browser. It should take you to the https OpenEMR login page, and there should be a lock saying the connection is secure and the certificate is valid.

  14. Now configure all the other computers on the LAN to access OpenEMR securely by navigating to and modifying the hosts file in each computer (C: => Windows => System32 => drivers => etc => “hosts”). Find the first available line and type the following:

```
192.168.1.15 Example.local
```

  15. Save it all and test it. It should work.

Yours in health,
Bryan

1 Like
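
Added example (not part of the original post, and not XAMPP or OpenEMR code): a PowerShell check to run on the server and on each LAN computer after the last step, confirming that the certificate lists the host name, is in the Trusted Root store, is the one Apache actually serves, and that port 80 redirects. It assumes Windows PowerShell 5.1 and the host name and paths used in this post; `Test-OpenEmrTls` is a hypothetical function name, and on the other computers `-CertPath` should point at the copied certificate.

```powershell
# Added example. Assumes Windows PowerShell 5.1 and the names used in this post.
# Test-OpenEmrTls is a hypothetical helper name, not part of XAMPP or OpenEMR.
function Test-OpenEmrTls {
    param(
        [string]$HostName = 'Example.local',
        # server.crt: the XAMPP path on the server, the thumb-drive copy elsewhere.
        [string]$CertPath = 'C:\xampp\apache\conf\ssl.crt\server.crt'
    )
    $X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $expected = $X509::new($CertPath)

    # 1. The SAN extension (OID 2.5.29.17) must list the host name.
    $san = $expected.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $sanOk = $sanText -match ('=' + [regex]::Escape($HostName) + '(,|$)')

    # 2. This exact certificate must be in the machine's Trusted Root store.
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $expected.Thumbprint })

    # 3. Handshake with default validation: AuthenticateAsClient throws if the chain
    #    is untrusted or the name does not match. Connect fails if TCP 443 is blocked.
    $served = $null; $protocol = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
        $ssl.AuthenticateAsClient($HostName)
        $served = $X509::new($ssl.RemoteCertificate)
        $protocol = $ssl.SslProtocol
    } catch {
        Write-Warning "TLS check failed: $($_.Exception.Message)"
    } finally { $tcp.Close() }

    # 4. Port 80 must answer with a redirect to https, not serve the login page.
    $location = $null
    $req = [System.Net.WebRequest]::Create("http://$HostName/")
    $req.AllowAutoRedirect = $false
    try { $resp = $req.GetResponse(); $location = $resp.Headers['Location']; $resp.Close() }
    catch { Write-Warning "HTTP check failed: $($_.Exception.Message)" }

    [pscustomobject]@{
        SanListsHost     = $sanOk
        InTrustedRoot    = $inRoot
        ServedMatchesCrt = ($served -and $served.Thumbprint -eq $expected.Thumbprint)
        Protocol         = $protocol
        RedirectsToHttps = ("$location" -like 'https://*')
    }
}
Test-OpenEmrTls
```

Every field should come back `True` (with `Protocol` showing the negotiated TLS version); a `False` in `ServedMatchesCrt` means Apache is serving a different certificate than the one that was installed as trusted.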