EICT

deploying XAMPP Apache SSL Certificate across our domain network

I have recently installed XAMPP on a server with SSL configured.
I used the makecert command to create a certificate with the IP address of the server as the certificate name.

So the certificate is issued to and issued by 192.168....X.Y

The website loads fine on the web server but when I try and access it from a client machine I get a certificate error because the CA root certificate is not trusted. One option is to manually install the certificate into each client machine's "Trusted Root Certification Authorities" store but this would be very difficult to manage and time consuming.

We have a CA Server in our domain. Is there an easy way to either distribute the Apache certificate across the domain or request a certificate from our Windows 2012 domain CA and install it into Apache?

Certificates issued by our domain CA Server seem to automatically be distributed across the domain - I confess I'm not sure how this happens?

Please can you advise on the best course of action?

Thanks
Dave Howe

Self signed certs aren't usually the best choice; instead, use the MS ca to issue a cert to the xampp server; that way, you can push out the MS ca root cert via group policy and ie/edge/chrome will accept it.
EICT

Hi Dave,
Sorry for the late reply, I've been away.
Any idea how to get the MS ca to issue the cert to Xampp? In IIS you have the request option which then appears in the MS ca. There seem to be no such wizards in Xampp?

Thanks

Dave Howe

There is one (and there is a standard procedure for it) but it's a command line tool that outputs a CSR as a file, and is hindering awkward. Take a look (for example) here

On the whole, I find it easier to use XCA to generate the CSR, then I can combine the PEM key, the cert and any intermediates into a single file for Apache (which CAN use a pfx file, but prefers not to)
EICT

Thanks. Using your link I managed to create a CSR using OpenSSL. I then submitted my CSR to my Microsoft CA using the URL http://localhost/certsrv on the CA and pasting in the CSR text. I now have a crt which I can open and all looks ok, but when I copy the crt file into the apache/conf/ssl.crt folder Apache fails to start. I presume it is because the certificate is missing some info - is this the PEM key you refer to?

How would you combine the CSR and PEM key?
EICT

I see I need to export the crt as a pfx file which will then allow me to separate the certificate and the keys. Problem now is how do I create the pfx file without using IIS. IIS has a feature which allows me to export to pfx but I wanted to leave IIS as is.

Dave Howe

CSR is effectively an unsigned CER file - you can give that to the CA, and it will return a CER file which, when combined with the original secret key, gives a PFX (P12 in openssl)

If you have an existing key/cert pair in IIS you can export it to PFX, import that to XCA, and re-export in any format you want. Some releases of Apache CAN handle a pfx file, but most require the certs and key to be in PEM format, which XCA is a nice, easy to use GUI tool to create, convert or manipulate.
EICT

Thanks Dave, the steps I took were as follows. Your pointers were very helpful.
I noticed a few things. I could not get the Microsoft CA to accept the request unless I created a "Domain Certificate" request in IIS.
I had to use IIS to create the cert which I could then export. There seemed to be no way of exporting the cert to PFX unless I used IIS; this option is greyed out when I try to export from the CA.

- Create a domain certificate request in IIS
- Export Certificate in IIS as PFX file
- Use OpenSSL to separate out the key and certificate elements as follows:

    # Export the private key from the pfx file
    openssl pkcs12 -in iis.pfx -nocerts -out apache.key.pem
    # Export the certificate file from the pfx file
    openssl pkcs12 -in iis.pfx -clcerts -nokeys -out apache.cert.pem
    # This removes the passphrase from the private key so Apache won’t
    # prompt you for your passphrase when it starts
    openssl rsa -in apache.key.pem -out apache.key
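
An added example, not part of the original posts: the PFX split from the steps above, plus a check that the extracted certificate and private key belong together before Apache is pointed at them. The file names, the CN, the password and the throwaway self-signed PFX (standing in for the IIS export) are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. All file names, the CN and the
# password are constructed for the demo.

# Split a PFX into a PEM certificate and an unencrypted PEM key.
# The PFX password is read from the PFX_PASS environment variable so it
# does not appear in the process list.
split_pfx() {  # usage: split_pfx <in.pfx> <out-cert.pem> <out-key.pem>
    (
        umask 077   # key file is created readable by the owner only
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys -out "$2" &&
        openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out "$3"
    ) 2>/dev/null
}

# Succeed only if the certificate's public key is the private key's.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a throwaway PFX standing in for the IIS export (constructed input).
make_demo_pfx() {  # usage: make_demo_pfx <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=xampp.example.test' \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout env:PFX_PASS -out "$1/iis.pfx" 2>/dev/null
}

PFX_PASS='constructed-demo-password'; export PFX_PASS
demo_dir=$(mktemp -d)
make_demo_pfx "$demo_dir" &&
split_pfx "$demo_dir/iis.pfx" "$demo_dir/apache.cert.pem" "$demo_dir/apache.key" &&
cert_matches_key "$demo_dir/apache.cert.pem" "$demo_dir/apache.key" &&
echo "certificate and key match"
rm -rf "$demo_dir"
```

Because the resulting key file is unencrypted, it should stay readable only by the account Apache runs under; the two output files are what Apache's SSLCertificateFile and SSLCertificateKeyFile directives reference.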
EICT

I've requested that this question be closed as follows:

Accepted answer: 500 points for Dave Howe's comment #a40943903
Assisted answer: 0 points for EICT's comment #a40943986

for the following reason:

I have also selected my own solution as it details in an easy to follow format the steps.