SSL Wildcard Certificates with Apache and IIS

I have a GoDaddy wildcard SSL certificate which I use to secure my Apache\Tomcat webserver. The cert was created with a key generated by the Apache\Tomcat server. I now want to use that same certificate on my Outlook Web Access server in IIS 6.0. I have imported the key into the OWA server's certificate store and I am able to import it into IIS using the "Use an Existing Key" option. After I import the key I cannot get OWA to work. The problem, I think, is that the OWA is on a different public IP than the Apache server is. The Apache is on public IP x.x.x.50 and the OWA is on x.x.x.52. Can this be the cause?

SSL certificates are typically not tied to an IP address. You should be able to use the cert for OWA and Apache, just be sure that neither one is trying to use the same IP:port as the other. In IIS you may have to tell it not to attempt using all unassigned IPs; you should tell it which IP to use.

Did the certificate import properly? I remember a while back, changing an Apache cert to an IIS cert, I had to install OpenSSL and use some command-line switches to get the thing to import. This is from my blog:
Openssl tips and tricks
Convert an Apache-type SSL cert to IIS:

openssl pkcs12 -export -in myssl.crt -inkey myssl.key -out myssl.p12

You will be prompted for the password.
noci (Software Engineer) commented:
SSL certificates are bound to DNS or email names (through their subject),
depending on their use.

What happens is this:
You start browsing a server: you get a URL (
your browser requests the IP address of , say
you connect to port 443 on, that gives you an SSL certificate with a certain subject and some signing authority (whatever YOU trust as such)
(or YOU trust Mozilla/Microsoft/Opera/.../ to make the RIGHT choice)...
The signature is verified (including date stamps) and the CA is looked up in the trusted certificate store.
After that the original hostname from the URL is compared to the subject.
It must either match the whole name, or, if the subject starts with a *, the remainder of the subject MUST match the end of the hostname:

so a certificate subject of would fail this test
and a subject of * would pass the test.

Because this SSL verification is done BEFORE any data exchange, you can only set up multisite hosting using such a wildcard certificate, and only for one domain per address/port pair.

Handling of certificates on Windows mostly requires you to export/import data using the pkcs#11 format (.pfx) file. Using an export ensures that the private key is exported together with the certificate.
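The name-matching rule above, as an added POSIX sh example that is not part of this thread (the hostnames and the *.example.com subject are constructed). It goes slightly beyond the rule as stated: like browsers (RFC 6125), it lets the * stand for exactly one label, so *.example.com covers mail.example.com but neither example.com itself nor a.b.example.com.

```shell
#!/bin/sh
# Added example: does a certificate subject cover a hostname?
# Constructed sample names; not code from the thread.

# hostname_matches_subject HOST SUBJECT
# exit 0 when HOST is covered by SUBJECT, 1 otherwise
hostname_matches_subject() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  subject=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

  # whole-name match
  if [ "$host" = "$subject" ]; then
    return 0
  fi

  # wildcard subject: the part after "*" must be the end of the hostname
  case "$subject" in
    '*.'*)
      rest=${subject#\*}                 # e.g. ".example.com"
      case "$host" in
        *"$rest")
          label=${host%"$rest"}          # what the "*" would stand for
          # browsers (RFC 6125) only let "*" stand for one non-empty label:
          # mail.example.com matches, example.com and a.b.example.com do not
          if [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
            return 0
          fi
          ;;
      esac
      ;;
  esac
  return 1
}

# show HOST SUBJECT -> print the verdict for one pair
show() {
  if hostname_matches_subject "$1" "$2"; then
    echo "$1 vs $2: match"
  else
    echo "$1 vs $2: no match"
  fi
}

show mail.example.com '*.example.com'
show owa.example.com 'owa.example.com'
show example.com '*.example.com'
show a.b.example.com '*.example.com'
show mail.example.org '*.example.com'
```
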
lbotha (Author) commented:
Since it is a GoDaddy certificate, I do not need to convert it, as I can just download the IIS version of the certificate. I then proceed to import the Intermediate certificate into the computer's Intermediate store and then also import the *.cert certificate into the computer's Personal store. If I then go to IIS and enable SSL on the default website using the imported *.cert SSL certificate, OWA stops working. Am I doing it completely wrong, or am I being stupid?
noci (Software Engineer) commented:
The normal way would be:

Create a CSR (= public key + some info for identification),
get it signed by a CA that you (and your customers...) trust,
import the signed public key (= certificate) into the system that created the CSR.

Then export the pkcs#11 certificate (.pfx file) WITH the private key.
Import the pkcs#11 into the intended web server.

The private key is used to encrypt a session key while the public key + certificate is sent to the client to verify the server. The session key can be decrypted using the certificate, etc.... (With certificate authentication this is done both ways at the same time.)

So by importing the .cert file only, you are still missing the private key that was generated together with the CSR.

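The export-with-key step above, as an added shell example that is not from this thread: it bundles a certificate and its private key into one .pfx (PKCS#12) the way IIS expects, builds the cert-only bundle you end up with when only the .cert file is imported, and checks which of the two actually carries the private key. It assumes the openssl CLI is installed; the self-signed *.example.com certificate and the password "changeit" are constructed stand-ins for the CA-signed certificate.

```shell
#!/bin/sh
# Added example: build an IIS-ready .pfx from an Apache-style key + cert pair
# and verify the private key is inside. Constructed demo values; assumes openssl.

# key_matches_cert KEY CERT -> exit 0 when both carry the same RSA modulus,
# i.e. the key is the one generated together with the CSR
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pfx KEY CERT OUT PASSWORD -> PKCS#12 with certificate AND private key
make_pfx() {
  openssl pkcs12 -export -in "$2" -inkey "$1" -out "$3" -passout "pass:$4"
}

# make_cert_only_pfx CERT OUT PASSWORD -> what the .cert file alone gives you
make_cert_only_pfx() {
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"
}

# pfx_has_private_key PFX PASSWORD -> exit 0 when a private key is present
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# demo_bundle -> prints "ok" when the full bundle carries the key and the
# cert-only bundle does not; all files live in a throwaway directory
demo_bundle() {
  d=$(mktemp -d) || return 1
  # constructed self-signed wildcard cert standing in for the CA-signed one
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.com' \
    -keyout "$d/myssl.key" -out "$d/myssl.crt" 2>/dev/null || return 1
  key_matches_cert "$d/myssl.key" "$d/myssl.crt" || return 1
  make_pfx "$d/myssl.key" "$d/myssl.crt" "$d/full.pfx" changeit || return 1
  make_cert_only_pfx "$d/myssl.crt" "$d/certonly.pfx" changeit || return 1
  pfx_has_private_key "$d/full.pfx" changeit || return 1
  if pfx_has_private_key "$d/certonly.pfx" changeit; then return 1; fi
  rm -rf "$d"
  echo ok
}

demo_bundle
```

Run pfx_has_private_key against the file you are about to import into IIS; if it fails, the bundle is certificate-only and the site will not serve SSL, which is the symptom described in this thread.
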
lbotha (Author) commented:
Can you maybe give me a guide on how to achieve this? I am not familiar with Apache\TomCat.
noci (Software Engineer) commented:
Apache can be done; I don't know a lot about Tomcat yet.
First, you say Apache generated a key. How do you mean that (what steps did you follow for that)? A URL of the description can suffice.

Most of the time in Windows you export the certificate and private key when moving it to another application or another server.

In most Unix systems there are two separate files, one for the certificate and another for the key.

You should be able to use the single wildcard certificate/key for both IIS and Apache/Tomcat. (Again, separate IP:ports are required.)

Tomcat is Java based, thus it will not use a certificate from the Windows computer's Personal store; for Java the cert and key need to be in a Java keystore.

The Java keystore has its own management utilities; look at the link below.

Java App Servers