Tyler Roy

asked on

Exporting a UCC SSL to a Windows/Apache Web Server and Configuring Apache to use

I have several different servers running web applications using a UCC SSL from GoDaddy (multiple SANs). These are all Windows servers running IIS (an ERP and MS Exchange). I need to export this same certificate to a Windows Server running Apache that functions as an intranet web server. I am having major issues with this process. I have been able to export the PFX package from the Windows Server, then extract the server.crt and server.key as well as the root certificate keys in a text file. I then separate each part and create individual files. This part works perfectly. I then add the files to an area on the Windows Apache server, and edit the httpd-ssl and httpd-xampp files to include the SSL files. After this, I stop the Apache service and try to restart it. It fails to start. Only if I revert the httpd-ssl and httpd-xampp files does the Apache service start up again normally.

As a separate test attempt, I created a self-signed certificate on the Windows/Apache server and set up the conf files accordingly. The Apache services restarted fine in this attempt, and the website loaded. However, the website loaded with a warning that the SSL was invalid.

I do not care if the SSL that has to be used is the GoDaddy UCC SSL or a self-signed certificate. It is strictly for internal intranet use.

Can someone please help me through either one of these processes so I can get a properly working SSL on this website? Thank you!
Zvonko

The web server itself checks the whole authority chain.
Do you have all certificates to the basic root authority imported?
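
The checks raised by the question and the chain reply above, as an added example that is not part of the thread: a PowerShell pre-flight run before restarting Apache. It assumes openssl.exe and httpd.exe sit in XAMPP's apache\bin and that the extracted files are PEM; every path and the host name are placeholders.

```powershell
# Added example, not from the thread. All paths and the host name are
# placeholders (assumptions); point them at your own files.
$openssl  = 'C:\xampp\apache\bin\openssl.exe'
$httpd    = 'C:\xampp\apache\bin\httpd.exe'
$crt      = 'C:\xampp\apache\conf\ssl\server.crt'   # leaf certificate (PEM)
$key      = 'C:\xampp\apache\conf\ssl\server.key'   # private key (PEM)
$chain    = 'C:\xampp\apache\conf\ssl\chain.crt'    # intermediates + root (PEM)
$hostName = 'intranet.example.com'                  # name users type in the browser

$script:failed = $false
function Check([string]$name, [bool]$ok, [string]$hint) {
    if ($ok) { Write-Host "[ok]   $name" }
    else     { Write-Host "[FAIL] $name - $hint"; $script:failed = $true }
}

# 1. mod_ssl's built-in passphrase prompt is not supported on Windows,
#    so an encrypted key keeps the service from starting.
$encrypted = (Get-Content $key -Raw) -cmatch 'ENCRYPTED'
Check 'private key is unencrypted' (-not $encrypted) 'export the key without a passphrase'

# 2. Certificate and key must be one key pair: compare their public keys.
if (-not $encrypted) {
    $pubCrt = (& $openssl x509 -in $crt -noout -pubkey) -join "`n"
    $pubKey = (& $openssl pkey -in $key -pubout) -join "`n"
    Check 'certificate matches key' (($pubCrt -ne '') -and ($pubCrt -eq $pubKey)) `
        'server.crt and server.key belong to different key pairs'
}

# 3. The leaf must verify against the intermediates and root taken from the PFX.
$verify = (& $openssl verify -CAfile $chain $crt 2>&1) -join ' '
Check 'chain verifies' ($verify -match ': OK') $verify

# 4. The intranet name must be one of the certificate's SANs
#    (exact match only; a wildcard SAN is not evaluated here).
$text = (& $openssl x509 -in $crt -noout -text) -join "`n"
$san  = 'DNS:' + [regex]::Escape($hostName) + '(,|\s|$)'
Check "SAN covers $hostName" ($text -match $san) 'browsers will warn about a name mismatch'

# 5. Let Apache parse the edited conf files without starting the service.
$syntax = (& $httpd -t 2>&1) -join ' '
Check 'httpd -t' ($LASTEXITCODE -eq 0) $syntax

if ($script:failed) { exit 1 }
```

When the service still fails after all five checks pass, Apache's error.log names the directive and file it rejected.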

Hi Tyler Roy,
Please check this. This is a similar discussion with steps.
https://www.experts-exchange.com//questions/29164456/SSL-Certificate-on-Apache-Windows-OS.html
Better to use https://LetsEncrypt.org certs, so you can generate them once + then do hands free renewals forever.

1) To generate a cert...

certbot certonly --no-self-upgrade --non-interactive --rsa-key-size 4096 --email $email --agree-tos --webroot -w $dir -d $domain -d www.$domain


2) To hands-free auto renew the cert forever, restarting any related services, use a CRON job...

0 1 * * * (echo '#####' && date && certbot renew --non-interactive --post-hook "service-bounce") >> /var/log/ssl-renewals.log 2>&1


Note: The "service-bounce" script collects together all soft reloads + hard restarts for all services which must ingest a new cert, when a cert renews.

3) For Windows, you'll use your equivalent of CRON (whatever you use).

4) You'll also change the service reload to reload/restart any service which must re-ingest a new cert when a renewal occurs.
@Tyler, mention if you still have challenges or this has been resolved.