The default location of the certs and private keys on RHEL and its variant distributions like CentOS is usually the /etc/pki/tls folder and its subfolders. So you'll need to either copy the two files to a temporary folder to combine them using openssl, or run the openssl command while providing the full path to those two files (yourservercertificate.crt and yourserver.key).
Example export performed on a Linux box
Note: Make sure you execute the following command as superuser:
openssl pkcs12 -export -out /tmp/combinedfile.p12 -inkey /etc/pki/tls/private/yourserver.key -in /etc/pki/tls/certs/yourservercertificate.crt
Hit the Enter key to execute the command. You will be prompted for a password to protect the resulting p12 file. It's entirely up to you whether to enter a password, but it's a good idea to do so: you don't want someone else to get hold of your unencrypted key and assume your server's identity.
This command will output the combinedfile.p12 in your /tmp folder. You need to copy this file over to the IIS server for import.
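The export step above as a script, added here as an example and not part of the original post: it checks that the key and certificate belong together, takes the password from a file, writes the bundle with owner-only permissions in a private directory instead of under a fixed name in /tmp, and re-opens the result to confirm it. The function names, file names, the insistence on a password and the self-signed test pair are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are illustrative and
# the self-signed pair generated at the bottom is constructed test data.

# Succeed only if KEY and CERT carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Export KEY + CERT to a password-protected PKCS#12 file OUT.
# The password comes from the first line of PASSFILE, so it never shows up in
# the process list or shell history.
export_p12() {  # usage: export_p12 KEY CERT OUT PASSFILE
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 2; }
    [ -s "$4" ] || { echo "password file missing or empty" >&2; return 3; }
    # umask 077 makes a newly created bundle 0600 (an existing file keeps its mode).
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "file:$4" ) || return 4
    # Re-open the bundle: proves the password works and the MAC verifies.
    openssl pkcs12 -in "$3" -passin "file:$4" -noout 2>/dev/null || return 5
}

# Constructed test data: throwaway self-signed pair DIR/NAME.key and DIR/NAME.crt.
make_test_pair() {  # usage: make_test_pair DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo: a private mktemp directory instead of a fixed name in shared /tmp.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_test_pair "$workdir" web
( umask 077; printf '%s\n' 'constructed-demo-password' > "$workdir/pass.txt" )
export_p12 "$workdir/web.key" "$workdir/web.crt" "$workdir/combinedfile.p12" "$workdir/pass.txt" \
    && echo "exported and verified: $workdir/combinedfile.p12"
```

OpenSSL 3.x encrypts PKCS#12 bundles with AES-256 by default, which older Windows versions such as those running IIS 7.x may reject with a wrong-password error. The -legacy option of openssl pkcs12 -export selects the older algorithms those systems accept.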
On the Windows IIS server side:
Run the following with admin privileges:
- Click START > RUN, then type mmc in the provided box and hit Enter
An empty "Microsoft Management Console" should open up
- Click on File and then click on Add/Remove Snap-in (You could also use the Ctrl-M key combo as a shortcut)
- Click on Certificates and then click on the Add button in the middle of that window
- Choose "Computer Account" when prompted in the next screen, and click Next
- Make sure that "Local Computer" is selected on the current screen and click Finish
You now will see a tree of various certificate containers
- Expand the certificates (Local Computer) tree
- Right-Click on the sub-tree named (Personal)
- Click on All Tasks from the context menu and choose Import
- Click Next on the first "Certificate Import Wizard Screen"
- Use the Browse button to navigate to the folder where you saved the exported file generated on the Apache box
Note: Make sure to expand the drop down list of filename extensions to show the (*.pfx *.p12) filenames if you don't see your file in the list
- Select your exported file (combinedfile.p12 in this example) and Click Next
- Type in the password you chose during the openssl export command
- Click Next
- Choose the option to Place all current certificates in the Personal Certificate store
- You're done with the import
IIS 7.X Config
Open your IIS management interface and select the website where the certificate is to be used by right-clicking its name.
- Choose Edit Bindings from the context menu
- Click the Add button
- Select the HTTPS type from the left drop-down menu and leave the "IP Address" and "Port" options at the default unless you need to alter them to suit your needs
- Click on the Arrow-down under the "SSL Certificate" option and you should see your newly imported key/cert pair listed there.
- You should click the "View" button to visually verify that you selected the right certificate
- Click OK
- Click Close
Done
Simple way to use the same exported key in Tomcat:
- Backup your Tomcat server.xml file on the target server first
- Open server.xml in your favorite editor
- Add the following to your HTTPS/SSL Connector
keystoreType="pkcs12" keystoreFile="C:\YourPathNametoExportedFile\combinedfile.p12" keystorePass="ThePasswordChosenForExportKey"
Save your server.xml and restart Tomcat to test it out.