Deploying XAMPP Apache SSL certificate across our domain network

I have recently installed XAMPP on a server with SSL configured.
I used the makecert command to create a certificate with the IP address of the server as the certificate name.

So the certificate is issued to and issued by 192.168....X.Y

The website loads fine on the web server, but when I try to access it from a client machine I get a certificate error because the CA root certificate is not trusted. One option is to manually install the certificate into each client machine's "Trusted Root Certification Authorities" store, but this would be very difficult to manage and time consuming.

We have a CA Server in our domain. Is there an easy way to either distribute the Apache certificate across the domain or request a certificate from our Windows 2012 domain CA and install it into Apache?

Certificates issued by our domain CA server seem to be distributed across the domain automatically. I confess I'm not sure how this happens.

Please can you advise on the best course of action?

Dave Howe (Software and Hardware Engineer) commented:
Self-signed certs aren't usually the best choice; instead, use the MS CA to issue a cert to the XAMPP server. That way, you can push out the MS CA root cert via group policy and IE/Edge/Chrome will accept it.
EICT (Author) commented:
Hi Dave,
Sorry for the late reply, I've been away.
Any idea how to get the MS CA to issue the cert to XAMPP? In IIS you have the request option, which then appears in the MS CA. There seem to be no such wizards in XAMPP?

Dave Howe (Software and Hardware Engineer) commented:
There is one (and there is a standard procedure for it), but it's a command line tool that outputs a CSR as a file, and it is hideously awkward. Take a look (for example) here.

On the whole, I find it easier to use XCA to generate the CSR, then I can combine the PEM key, the cert and any intermediates into a single file for Apache (which CAN use a pfx file, but prefers not to)

EICT (Author) commented:
Thanks. Using your link I managed to create a CSR using OpenSSL. I then submitted my CSR to my Microsoft CA using the URL http://localhost/certsrv on the CA and pasting in the CSR text. I now have a .crt which I can open and all looks OK, but when I copy the .crt file into the apache/conf/ssl.crt folder Apache fails to start. I presume it is because the certificate is missing some info. Is this the PEM key you refer to?

How would you combine the CSR and PEM key?
EICT (Author) commented:
I see I need to export the .crt as a PFX file, which will then allow me to separate the certificate and the keys. The problem now is how do I create the PFX file without using IIS? IIS has a feature which allows me to export to PFX, but I wanted to leave IIS as is.
Dave Howe (Software and Hardware Engineer) commented:
A CSR is effectively an unsigned CER file. You can give that to the CA, and it will return a CER file which, when combined with the original secret key, gives a PFX (P12 in OpenSSL).

If you have an existing key/cert pair in IIS you can export it to PFX, import that to XCA, and re-export in any format you want. Some releases of Apache CAN handle a PFX file, but most require the certs and key to be in PEM format, which XCA (a nice, easy to use GUI tool) can create, convert or manipulate.
EICT (Author) commented:
Thanks Dave, the steps I took were as follows. Your pointers were very helpful.
I noticed a few things. I could not get the Microsoft CA to accept the request unless I created a "Domain Certificate" request in IIS.
I had to use IIS to create the cert, which I could then export. There seemed to be no way of exporting the cert to PFX unless I used IIS; this option is greyed out when I try to export from the CA.

-      Create a domain certificate request in IIS
-      Export the certificate from IIS as a PFX file
-      Use OpenSSL to separate out the key and certificate elements as follows:

# Export the private key from the pfx file (prompts for the PFX import
# password and for a new PEM passphrase on the extracted key)
openssl pkcs12 -in iis.pfx -nocerts -out apache.key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in iis.pfx -clcerts -nokeys -out apache.cert.pem
# ****This removes the passphrase from the private key so Apache won't
# ****prompt you for your passphrase when it starts
openssl rsa -in apache.key.pem -out apache.key
EICT (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for Dave Howe's comment #a40943903
Assisted answer: 0 points for EICT's comment #a40943986

for the following reason:

I have also selected my own solution as it details in an easy to follow format the steps.
Dave Howe (Software and Hardware Engineer) commented:
That would be correct.

Effectively, a CSR contains only the public half of the PFX (which is effectively a P7B certificate store with a secret key added), hence the CA can return only a cert, or a cert chain (usually as a set of PEM files, but sometimes as a P7B).

The secret key isn't known to the CA, hence it cannot create the PFX for you. By importing what you get back from the CA into whatever tool generated the CSR in the first place, it is re-matched with the secret key, hence the PFX can be exported.

XCA is effectively a pretty GUI equivalent of the openssl command line tool, and can do many things for you (including creating your CSRs for fulfillment by the CA, and converting a PFX *back* into the original CSR so you can renew with a different CA).
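The round trip described in the two comments above (key and CSR on the server, a certificate back from the CA, key plus certificate bundled into a PFX, then split into the PEM files Apache wants), as an added, self-contained example that is not code from the thread. A throwaway local CA stands in for the Windows domain CA so it runs offline; the names ca.example.local and xampp.example.local and the PFX password "changeit" are assumptions. It ends with the check that explains the "Apache fails to start" symptom: the public key inside the certificate must match the private key Apache is pointed at.

```shell
#!/bin/sh
# Added example, not from the original thread. A throwaway CA stands in for the
# Windows domain CA; ca.example.local, xampp.example.local and the password
# "changeit" are assumed values. Needs openssl 1.1.1 or 3.x.
set -eu

WORK=$(mktemp -d)

# Server-side key + CSR, signed by the (stand-in) CA, then bundled the way
# IIS "Export to PFX" bundles it. The CSR carries only the public key, so
# apache.key never leaves the server and the CA can only ever return a cert.
make_test_pki() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=ca.example.local" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=xampp.example.local" -keyout apache.key -out apache.csr 2>/dev/null
  # Browsers match the SAN, not the CN (an IP-only CN is not enough), so the
  # CA adds one when signing.
  printf 'subjectAltName=DNS:xampp.example.local\n' > san.ext
  openssl x509 -req -sha256 -days 30 -in apache.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -extfile san.ext \
    -out apache.crt 2>/dev/null
  # Key + leaf cert + issuing CA in one PKCS#12 container.
  openssl pkcs12 -export -inkey apache.key -in apache.crt -certfile ca.crt \
    -passout pass:changeit -out iis.pfx
}

# The split from the thread; -nodes writes the key unencrypted straight away,
# so the separate "openssl rsa" passphrase-stripping step is not needed.
split_pfx() {
  cd "$WORK"
  openssl pkcs12 -in iis.pfx -passin pass:changeit -nocerts -nodes -out apache.key.pem
  openssl pkcs12 -in iis.pfx -passin pass:changeit -clcerts -nokeys -out apache.cert.pem
  openssl pkcs12 -in iis.pfx -passin pass:changeit -cacerts -nokeys -out apache.chain.pem
}

# Apache refuses to start when SSLCertificateFile and SSLCertificateKeyFile do
# not belong together. Compare the public key derived from the private key
# with the public key embedded in the certificate. Returns 0 on a match.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_test_pki
split_pfx
if key_matches_cert "$WORK/apache.key.pem" "$WORK/apache.cert.pem"; then
  echo "OK: apache.key.pem matches apache.cert.pem"
else
  echo "MISMATCH: do not point Apache at this pair" >&2
  exit 1
fi
# The leaf must also chain to the CA that the clients will trust via group policy.
openssl verify -CAfile "$WORK/apache.chain.pem" "$WORK/apache.cert.pem"
```

Point SSLCertificateFile at apache.cert.pem, SSLCertificateKeyFile at apache.key.pem and SSLCertificateChainFile (or, on Apache 2.4.8+, the same SSLCertificateFile with the chain appended) at apache.chain.pem, and keep apache.key.pem readable only by the account Apache runs as, since it is now unencrypted. One caveat when doing this against a real Windows export rather than the stand-in above: PFX files produced by the Windows certificate store have historically used RC2 and 3DES, which OpenSSL 3.x may refuse to read without adding -legacy to the openssl pkcs12 read commands.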
