Sep 24 2016

Reuse Exchange Certificate on Apache Web Server

Published by at 4:21 pm under Security




While generating a Microsoft Exchange/IIS certificate, take the opportunity to add extra domain names so you can reuse it on an Apache web server. This will save you a few bucks and some time, unless the CA already provides the certificate for multiple platforms.
First off, copy the pfx file generated with Exchange to the Apache web server. The pfx file is in PKCS#12 format and contains the certificate and its private key.
 
Extract the private key (-nodes writes it to key.pem unencrypted)

openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

Extract the certificate

openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

Process the RSA key (this drops the PKCS#12 bag attributes and leaves only the key)

openssl rsa -in key.pem -out cert.key

 
Move the certificate and private key to the appropriate directories (I’m on Red Hat Linux)

mv cert.pem /etc/pki/tls/certs/
mv cert.key /etc/pki/tls/private/
chmod 600 /etc/pki/tls/private/cert.key

Failing to run chmod leads to an Apache error on restart.
 
If SELinux is enabled, run

restorecon -RvF /etc/pki

to restore the proper SELinux security contexts on the new files (mv keeps the context each file was created with), or you will get the following error message:
[error] (13)Permission denied: Init: Can’t open server certificate file /etc/pki/tls/certs/cert.pem
 
Declare the new certificate in the Apache virtual host configuration file:
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/cert.key
 
And apply changes:

/etc/init.d/httpd reload

 
Now you have the same certificate on Exchange and the web server.
Check with your certification authority beforehand: they may provide the certificate in multiple formats for different pieces of software, saving you the hassle of running these commands.
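
A pre-reload check for the files produced above, as an added example that is not part of the original post: it confirms that cert.pem and cert.key belong together, that the key is not accessible to group or others, and that the certificate covers the web server's hostname and has not expired. The function names and the example.test hostnames are assumptions, and it expects OpenSSL 1.1.1 or later with GNU stat.

```shell
#!/bin/sh
# Added example: pre-reload checks for the files extracted from the PFX.
# Assumptions: OpenSSL 1.1.1 or later and GNU stat (as on Red Hat); the
# function names and the example.test hostnames are made up for illustration.

# 0 if the certificate and the private key carry the same public key.
pair_matches() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if group and others have no access to the key file (e.g. mode 600).
key_is_private() {  # $1 = private key
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# 0 if the certificate is valid for the given hostname (SAN match).
covers_host() {  # $1 = certificate, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Run every check; print the first failure and return non-zero.
preflight() {  # $1 = certificate, $2 = private key, $3 = hostname
    pair_matches "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    key_is_private "$2" || { echo "key is accessible to group/others" >&2; return 1; }
    covers_host "$1" "$3" || { echo "certificate does not cover $3" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# Constructed sample: a throwaway self-signed pair with two SANs, standing in
# for the cert.pem and cert.key extracted from the Exchange PFX.
make_sample() {  # $1 = existing directory to write into
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=mail.example.test' \
        -addext 'subjectAltName=DNS:mail.example.test,DNS:www.example.test' \
        -keyout "$1/cert.key" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/cert.key"
}
```

On the server, call preflight with /etc/pki/tls/certs/cert.pem, /etc/pki/tls/private/cert.key and the site's hostname, and reload Apache only if it returns 0.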

