March 26, 2013

How to export Apache's SSL Certificate and private Key to Windows and IIS & Tomcat

The Apache SSL key and certificate have to be converted to a single p12 (PFX) file format that combines the certificate & the key. This can be done using the openssl command as follows.

The default location of the certs and private keys on RHEL and its variant distributions like CentOS is usually in the /etc/pki/tls folder and its sub folders So you'll need to copy the two files to a temporary folder to combine them using openssl or run the command openssl command while providing the full path to those two files (yourservercertificate.crt and yourserverkey.key).

Example export performed on a Linux box

Note: Make sure you execute the following command as superuser:

openssl pkcs12 -export -out /tmp/combinedfile.p12 -inkey /etc/pki/tls/private/yourserver.key -in /etc/pki/tls/certs/yourservercertificate.crt

Hit the enter key to execute the command. You will be prompted for a password to protect the resulting p12 file. It's entirely up to you to enter a password or not, but it's a good idea to go ahead and do so. You don't want someone else to get a hold of your unencrypted key and assume your server(s) identity.

This command will output the combinedfile.p12 in your /tmp folder. You need to copy this file over to the IIS server for import.

On the Windows IIS server side:

Run the following with admin privileges:

- Click START RUN, then type mmc in the provided box and hit Enter

An empty "Microsoft Management Console" should open up

- Click on File and then click on Add/Remove Snap-in (You could also use the Ctrl-M key combo as a shortcut)

- Click on Certificates and then click on the Add button in the middle of that window

- Choose "Computer Account" when prompted in the next screen, and click Next

- Make sure that "Local Computer" is selected on the current screen and click Finish

You now will see a tree of  various certificate containers

- Expand the certificates (Local Computer) tree

- Right-Click on the sub-tree named (Personal)

- Click on All Tasks from the context menu and choose Import

- Click Next on the first "Certificate Import Wizard Screen"

- Use the Browse button to navigate to the folder where you saved the exported file generated on the Apache box

Note: Make sure to expand the drop down list of filename extensions to show the (*.pfx *.p12) filenames if you don't see your file in the list (see screen cap below. Click the image to enlarge it)

- Select your exported file (combinedfile.p12 in this example) and Click Next

- Type in the password you chose during the openssl export command

- Click Next

- Choose the option to Place all current certificates in the Personal Certificate store

- You're done with the import

IIS 7.X Config

Open your IIS management Interface and select your website where the certificate is to be used by Right-Clicking its name.
- Choose Edit Bindings from the context menu 
- Click the Add button
- Select the HTTPS type from the left drop-down menu and leave the "IP Address" and "Port" options at the default unless you need to alter them to suit your needs
- Click on the Arrow-down under the "SSL Certificate" option and you should see your newly imported key/cert pair listed there.
- You should click the "View" button to visually verify that you selected the right certificate 
- Click OK
- Click Close

Done

Simple way to use the same exported key in Tomcat:

- Backup your Tomcat server.xml file on the target server first
- Open  server.xml in your favorite editor
- Add the following to you HTTPS/SSL Connector
keystoreType="pkcs12" Keystore="C:\YourPathNametoExportedFile\combinedfile.p12" keypass="ThePasswordChosenForExportKey"

Save your server.xml and restart tomcat to test it out.




Share:

0 comments:

Post a Comment