Sep 24 2016

Reuse PFX Exchange / IIS Certificate on Apache Web Server

Published by at 4:21 pm under Apache,Exchange,Mail

When generating a Microsoft Exchange (or IIS web server) certificate, take the opportunity to add extra domain names to it so the same certificate can be reused on Apache web servers. This saves a few bucks and some time, unless your CA already delivers the certificate in formats for several platforms.


PFX is a popular exchange format on Microsoft software such as Exchange or IIS. It is a PKCS#12 archive file that contains a certificate and the matching private key. It can also include other items, such as the CA certificate chain.
First off, copy the PFX file exported from Exchange to the web server, where you should already have the tools (OpenSSL) needed to extract the certificate and key and import them into Apache.

Extract Cert and Key from the PFX File

Extract the private key from the PFX. Enter the PFX password if asked (-nodes writes the key out unencrypted):

openssl pkcs12 -in cert.pfx -nocerts -out enc.key -nodes

Now, extract the certificate:

openssl pkcs12 -in cert.pfx -nokeys -out cert.crt

And finally, rewrite the private key in plain RSA PEM format (it is already unencrypted thanks to -nodes above; this step only converts the key format):

openssl rsa -in enc.key -out dec.key

Import Cert and Key into Apache

Move the certificate and private key to the appropriate Apache directories (I’m on Red Hat Linux, so the paths below are Red Hat’s), and give the key restrictive permissions:

mv cert.crt /etc/pki/tls/certs/
mv dec.key /etc/pki/tls/private/
chmod 600 /etc/pki/tls/private/dec.key

Failing to run chmod leads to an Apache error on restart.
If SELinux is enabled on your web server, run

restorecon -RvF /etc/pki

This restores the proper SELinux context on the files you just copied over. Without it, you will get the following error message:

[error] (13)Permission denied: Init: Can’t open server certificate file /etc/pki/tls/certs/dec.key

Declare the new certificate in the Apache virtual host configuration file:

SSLCertificateFile /etc/pki/tls/certs/cert.crt
SSLCertificateKeyFile /etc/pki/tls/private/dec.key

And reload the daemon to apply changes:

/etc/init.d/httpd reload
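Before reloading Apache, it is worth checking that the extracted certificate and key actually belong together, because a mismatched pair makes mod_ssl refuse to start. The script below is an added example (not from the original article): it wraps the three extraction commands above, then compares the public key in the certificate with the one derived from the private key. It assumes the openssl CLI is installed; the self-signed certificate, the CN mail.example.com and the password "changeit" are constructed sample data standing in for the PFX exported from Exchange.

```shell
#!/bin/sh
set -eu

# Build a throwaway self-signed cert and bundle it into a PFX.
# Constructed sample input, standing in for the file exported from Exchange.
make_sample_pfx() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/sample.key" \
    -out "$dir/sample.crt" -subj "/CN=mail.example.com" -days 1 >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/sample.key" -in "$dir/sample.crt" \
    -out "$dir/cert.pfx" -passout pass:changeit
}

# The three commands from the article, with the PFX password passed
# non-interactively instead of being typed at the prompt.
extract_pfx() {
  pfx=$1; outdir=$2; pass=$3
  openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$outdir/enc.key" -passin "pass:$pass"
  openssl pkcs12 -in "$pfx" -nokeys -out "$outdir/cert.crt" -passin "pass:$pass"
  openssl rsa -in "$outdir/enc.key" -out "$outdir/dec.key"
}

# Compare the public key embedded in the certificate with the public key
# derived from the private key. Returns 0 when they match, 1 otherwise.
key_matches_cert() {
  cert=$1; key=$2
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

demo() {
  tmp=$(mktemp -d)
  make_sample_pfx "$tmp"
  extract_pfx "$tmp/cert.pfx" "$tmp" changeit
  chmod 600 "$tmp/dec.key"   # same permission the article applies to the key
  if key_matches_cert "$tmp/cert.crt" "$tmp/dec.key"; then
    echo "certificate and key match"
  else
    echo "certificate and key DO NOT match" >&2
    rm -rf "$tmp"; exit 1
  fi
  rm -rf "$tmp"
}

demo
```

On a real server, run key_matches_cert against /etc/pki/tls/certs/cert.crt and /etc/pki/tls/private/dec.key before the reload.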

Now you have the same certificate on Exchange (or IIS, in a PFX archive) and on the Apache web server. The certificate can also be used on other web servers, Nginx for instance.

Also check with your certificate authority beforehand. They may provide the certificate in multiple formats for different pieces of software, saving you the hassle of running these commands.
