SSL Wildcard Certificates with Apache and IIS

I have a GoDaddy wildcard SSL certificate which I use to secure my Apache\Tomcat webserver. The cert was created with a key generated by the Apache\Tomcat server. I now want to use that same certificate on my Outlook Web Access server in IIS 6.0. I have imported the key into the OWA server's certificate store and I am able to import it into IIS using the Use an Existing Key option. After I import the key I cannot get OWA to work. The problem I think is that the OWA is on a different Public IP than what the Apache server is. The Apache is on Public IP x.x.x.50 and the OWA is on x.x.x.52. Can this be the cause?
Asked by lbotha

noci (Software Engineer) commented:
the normal way would be:

Create a CSR (=public key + some info for identification),
get it signed by a CA that you (and your customers...) trust.
import the signed public key (=certificate) in the system that created the CSR.

Then export the pkcs#11 certificate (.pfx file) WITH the private key.
Import the pkcs#11 into the intended web server.

The private key is used to encrypt a session key while the public key + certificate is sent to the client to verify the server. The session key can be decrypted using the certificate. etc.... (with certificate authentication this is done both ways at the same time.)

So with importing the .cert file only you are still missing the private key that was generated together with the CSR.

markpalinux commented:

SSL certificates are typically not tied to an IP address. You should be able to use the cert for OWA and Apache, just be sure that neither one is trying to use the same IP:Port as the other. In IIS you may have to tell it not to attempt using all unassigned IPs; you should tell it which IP to use.

Did the certificate import properly? I remember a while back changing an Apache to an IIS cert I had to install OpenSSL and use some cmd line switches to get the thing to import - this is from my blog:
http://markslinuxblog.blogspot.com/2007/08/openssl-tips-and-tricks.html
Openssl tips and tricks
convert an apache type ssl cert to IIS:

openssl pkcs12 -export -in myssl.crt -inkey myssl.key -out myssl.p12

you will be prompted for the password.

noci (Software Engineer) commented:
SSL certificates are bound to DNS or EMAIL names (through their subject)
depending on their use.

What happens is this:
You start browsing a server: you get a URL (https://x.example.com/)
your browser requests the IP address of x.example.com, say 192.168.1.1
you connect to port 443 on 192.168.1.1, that gives you an SSL certificate with a certain subject & some signing authority (whatever YOU trust as such).
(or YOU trust mozilla/microsoft/opera/.../ to make the RIGHT choice)...
The signing is verified (including date stamps) and the CA is looked up in the trusted certificate store.
After that the original hostname from the URL is compared to the subject.
It must either match the whole name or if the subject starts with a *, the remainder of the subject MUST match the end of the hostname:

so a Certificate subject of y.example.com would fail this test
and a subject of *.example.com would pass the test.

Because this SSL verification is done BEFORE any data exchange, you can only setup multisite hosting using such a wildcard certificate and only for one domain per address/port pair.

Handling of certificates on windows mostly requires you to export/import data using the pkcs#11 format (.pfx) file. Using an export ensures that the private key is exported together with the certificate.
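The hostname-to-subject comparison noci walks through above, as an added example (not code from the thread). It goes one step further than the post's wording by making the wildcard stand for exactly one DNS label, which is what browsers actually enforce (RFC 6125); that single-label rule is an assumption added here.

```python
"""Hostname vs. certificate-name matching as described in the post above.
Added example, not code from the thread. The rule that "*" stands for exactly
one DNS label (*.example.com covers x.example.com, not a.b.example.com or
example.com) is standard browser behaviour (RFC 6125), an assumption added here.
"""
from urllib.parse import urlparse


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot names the same host.
    return name.rstrip(".").lower()


def subject_matches_host(subject: str, hostname: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers hostname."""
    subject, hostname = _normalize(subject), _normalize(hostname)
    if not subject or not hostname:
        return False
    if not subject.startswith("*"):
        # Plain name: must equal the whole hostname.
        return subject == hostname
    # Wildcard: only a leading "*." is allowed, as the entire left-most label.
    if not subject.startswith("*.") or "*" in subject[2:]:
        return False
    suffix = subject[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    # What the "*" stands for must be exactly one non-empty label.
    label = hostname[: -len(suffix)]
    if not label or "." in label:
        return False
    # Refuse wildcards directly under a public suffix such as "*.com".
    return suffix.count(".") >= 2


def host_from_url(url: str) -> str:
    """Hostname the browser will compare against the certificate."""
    return urlparse(url).hostname or ""


def first_matching_name(cert_names, url: str):
    """Return the certificate name that covers the URL's host, or None."""
    host = host_from_url(url)
    return next((n for n in cert_names if subject_matches_host(n, host)), None)
```

Because the check is on the name in the URL and never on the server's IP address, the same wildcard certificate passes for both x.x.x.50 and x.x.x.52 as long as the hostnames end in the same domain.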

lbotha (Author) commented:
Since it is a GoDaddy certificate, I do not need to convert it as I can just download the IIS version of the certificate. I then proceed to import the Intermediate certificate into the Computer's Intermediate store and then also import the *.cert certificate into the Computer's Personal store. If I then go to IIS and enable SSL on the default website using the imported *.cert SSL certificate, OWA stops working. Am I doing it completely wrong, or am I being stupid?

lbotha (Author) commented:
Can you maybe give me a guide on how to achieve this? I am not familiar with Apache\TomCat.

noci (Software Engineer) commented:
Apache can be done, I don't know a lot on tomcat yet.
First you say Apache generated a key how do you mean that... (what steps did you follow for that).. (URL of the description can suffice).

markpalinux commented:

Most of the time in Windows you export the certificate and private key when moving it to another application or another server.

In most unix systems there are two separate files one for the certificate and another for the key.

You should be able to use the single wildcard certificate/key for both IIS and Apache/Tomcat. (Again, separate IP:Ports are required.)

Tomcat is Java based thus it will not use a certificate from the Windows Computer Personal store - for Java the cert and key need to be in a Java keystore.

The Java keystore has its own management utilities - look at the link below.

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Mark