I'm running Mahara on Windows Server 2008 with the Apache web server, and just for fun I wanted to enable SSL :-).
I set up SSL and tested it with a self-signed certificate; all good, SSL was working.
I then requested a server certificate from our corporate CA, which is an intermediate CA chained to GlobalSign. This was done through an online Microsoft certificate server service.
When the certificate was ready, I revisited the site and the certificate was installed automagically into the current user's certificate store.
Okay, so now I have an SSL certificate in the Windows certificate store, but I want to use it with Apache, so I need to blend the Microsoft way of doing things with the Apache way of doing things.
Here is what I did once I had the proper certificate.
First off, I needed to export the certificate, together with its private key, from the current user's certificate store so it can be used by Apache. To do this:
- Fire up an MMC console and add the Certificates snap-in, selecting "My user account"
- Once opened, browse to the new certificate
- Right-click on it and choose Export
- Select "Yes, export the private key"
- Select "Include all certificates in the certification path if possible" and "Export all extended properties"
- Enter a password <importprivatekeypassword> and confirm
- And then enter a descriptive filename; I used "newcert-19-05-2012-with-privte-key.pfx"
Next I need to convert the certificate into something Apache understands and, at the same time, extract the private key. mod_ssl can't read a PKCS#12 (.pfx) bundle directly; it wants the certificate and the private key as separate PEM files.
I copied "newcert-19-05-2012-with-privte-key.pfx" to the folder where openssl.exe is located, c:\web\apache\bin, just to make it easier.
I started an elevated command prompt, changed directory to the folder where openssl.exe is located, and ran openssl to get the OpenSSL> prompt.
Now I'm going to run the following commands:
- To export the private key file from the .pfx file
- To export the certificate file from the .pfx file
- To remove the passphrase from the private key. When Apache runs as a Windows service there is no console to type a passphrase into at start-up, so the key has to be stored unencrypted; because of that, restrict the NTFS permissions on the resulting key file so that only the account Apache runs under (and administrators) can read it.
This is what it looked like at the OpenSSL> prompt:
OpenSSL> pkcs12 -in newcert-19-05-2012-with-privte-key.pfx -nocerts -out key.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
OpenSSL> pkcs12 -in newcert-19-05-2012-with-privte-key.pfx -clcerts -nokeys -out cert.pem
Enter Import Password:
MAC verified OK
OpenSSL> rsa -in key.pem -out server.key
Enter pass phrase for key.pem:
writing RSA key
OpenSSL>
Now I have a server certificate, "cert.pem", and a key file, "server.key". Note that -clcerts writes only the server certificate itself; the CA certificates that were bundled in the .pfx are not included in cert.pem, which matters further down.
I copied these to where I'm storing my certificate files, c:\web\apache\cert.
Next, update httpd-ssl.conf:
SSLCertificateFile "c:/web/apache/cert/cert.pem"
SSLCertificateKeyFile "c:/web/apache/cert/server.key"
Restart Apache
At this point the certificate worked, sort of...
It was fine in Mozilla Firefox, but Internet Explorer couldn't verify the certificate chain. The server was only sending the server certificate, so it was left to the browser to find the intermediate CA certificates; Firefox managed, IE didn't.
To fix this I had to download the CA chain from the same server the certificate was requested from, and then extract each of the 4 certificates in the certificate chain. All the guides I read said I need the certificates as Base-64 and to use the Unix cat command to concatenate them into one file. I tried doing this with a standard text editor, but that didn't work (a PEM file must be plain ASCII; an editor that saves with a byte-order mark or as UTF-16 produces a file mod_ssl won't parse). I ended up using the DOS (Windows?) TYPE command.
So download the CA chain file.
Double-click on the CA chain file, and then drill down to the root CA and intermediate certificates.
Right-click on each of the certificates, starting from the top-level certificate, and export them as Base-64 encoded X.509 (.CER) files.
I exported them as cert1.cer, cert2.cer, cert3.cer, cert4.cer.
Now concatenate the certificates into one file using the "type" command. One caveat: the mod_ssl documentation for SSLCertificateChainFile expects the file to start with the CA that issued the server certificate and work upward, and the root CA certificate isn't needed at all (the client has to trust it already). Browsers are generally tolerant of the order, but to follow the documented layout, reverse the order of the files below and leave the root out.
C:\>type cert1.cer cert2.cer cert3.cer cert4.cer > server-ca.crt
Then I copied "server-ca.crt" to my certificate folder, c:\web\apache\cert.
Update httpd-ssl.conf (on Apache 2.4.8 and later SSLCertificateChainFile is deprecated; there you append the chain to the file named by SSLCertificateFile instead):
SSLCertificateChainFile "C:/web/apache/cert/server-ca.crt"
Restart Apache
Test, all good...
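As an added example (not part of the original post), here is a small pure-Python helper that does the concatenation step properly and checks the result: it reads the Base-64 .cer exports whatever encoding the editor saved them in (UTF-16, UTF-8 with a BOM, CRLF line endings, END/BEGIN markers run together), decodes each block, orders the CA certificates issuing-CA-first by following issuer links from the server certificate, leaves the root out unless asked for it, and emits a clean server-ca.crt. The four-certificate hierarchy at the bottom (Example Root CA, Example Intermediate CA, Corporate Issuing CA, mahara.example.com) is constructed, unsigned DER with just enough structure to walk; all function and variable names are my own.

```python
# Added illustration, not from the original post: assemble Apache's SSLCertificateChainFile
# from Windows Base-64 (.cer) exports in pure Python, in the order mod_ssl documents.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(raw: bytes):
    """[(label, der)] from file bytes; tolerates UTF-16 ("Unicode" in Notepad), a
    UTF-8 BOM, CRLF line endings and END/BEGIN markers run together."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")      # drops a UTF-8 BOM if present
    out = []
    for m in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        out.append((m.group(1), base64.b64decode(body, validate=True)))
    return out

def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode()    # canonical PEM: 64 columns, LF, no BOM
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def _tlv(buf: bytes, pos: int):
    """Minimal DER: decode tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(cert: bytes):
    """(issuer, subject) as raw DER Names. tbsCertificate ::= SEQUENCE { [0] version
    OPTIONAL, serialNumber, signature, issuer, validity, subject, ... }"""
    _, pos, _ = _tlv(cert, 0)               # Certificate SEQUENCE
    _, pos, end = _tlv(cert, pos)           # tbsCertificate SEQUENCE
    fields = []
    while pos < end:                        # elements as (tag, raw TLV bytes)
        tag, _, ve = _tlv(cert, pos)
        fields.append((tag, cert[pos:ve]))
        pos = ve
    if fields[0][0] == 0xA0:                # explicit version tag present
        fields = fields[1:]
    return fields[2][1], fields[4][1]

def order_chain(leaf: bytes, cas, include_root: bool = False):
    """Follow issuer links upward from the server cert; return CA certs in
    SSLCertificateChainFile order. The self-signed root must be in `cas` so the
    chain is proven complete, but is emitted only when include_root=True."""
    by_subject = {issuer_subject(c)[1]: c for c in cas}
    chain, current = [], leaf
    for _ in range(len(cas) + 1):
        issuer, subject = issuer_subject(current)
        if issuer == subject:               # reached a self-signed certificate
            return chain
        nxt = by_subject.get(issuer)
        if nxt is None:
            raise ValueError("incomplete chain: no CA certificate matches issuer")
        nxt_issuer, nxt_subject = issuer_subject(nxt)
        if nxt_issuer == nxt_subject and not include_root:
            return chain                    # stop just below the root
        chain.append(nxt)
        current = nxt
    raise ValueError("certificate chain loops")

def build_chain_file(leaf_raw: bytes, ca_raws, include_root: bool = False) -> str:
    """Raw .cer/.pem file contents in, clean server-ca.crt text out."""
    (_, leaf), = pem_blocks(leaf_raw)
    cas = [d for raw in ca_raws for lbl, d in pem_blocks(raw) if lbl == "CERTIFICATE"]
    return "".join(to_pem(c) for c in order_chain(leaf, cas, include_root))

# Constructed sample data: layout-only DER certificates (unsigned, no real key).
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _name(cn: str) -> bytes:                 # SEQUENCE { SET { SEQUENCE { CN OID, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject: str, issuer: str, serial: int) -> bytes:
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"120519000000Z") + _der(0x17, b"130519000000Z"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
           + _name(issuer) + validity + _name(subject) + _der(0x30, b""))  # empty SPKI
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 9))

ROOT = fake_cert("Example Root CA", "Example Root CA", 1)
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA", 2)
ISSUING = fake_cert("Corporate Issuing CA", "Example Intermediate CA", 3)
LEAF = fake_cert("mahara.example.com", "Corporate Issuing CA", 4)

# Exports as they might arrive: root-first, one UTF-16, one with UTF-8 BOM and CRLF.
EXPORTED = [to_pem(ROOT).encode("utf-16"),
            ("\ufeff" + to_pem(INTERMEDIATE).replace("\n", "\r\n")).encode("utf-8"),
            to_pem(ISSUING).encode("ascii")]
SERVER_CA_CRT = build_chain_file(to_pem(LEAF).encode("ascii"), EXPORTED)
```

With real files you would pass the bytes of cert.pem and of cert1.cer through cert4.cer to build_chain_file and write the returned text to server-ca.crt. Whichever way the file was produced, it is worth confirming from the OpenSSL> prompt that the chain and key actually fit the certificate: `verify -CAfile cert1.cer -untrusted server-ca.crt cert.pem` (assuming cert1.cer is the root) should report OK, and the output of `x509 -noout -modulus -in cert.pem` must match that of `rsa -noout -modulus -in server.key`.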
Hope this helps someone, or me if I try to do this again :-)...