I'm running Mahara in a Windows Server 2008 environment using Apache web server and just for fun I wanted to enable SSL :-).


I set up SSL and tested the setup using a self-signed certificate, all good, SSL was working.

I requested a server certificate from our corporate CA, which is an intermediate CA for GlobalSign, this was done using an online MS certificate server service.

When the certificate was ready, I revisited the site, and the certificate was installed automagically into the current user certificate store.


Okay, so now I have an SSL certificate stored in the Windows certificate store, but I want to use it with Apache, so I sort of need to blend the MS way of doing things with the Apache way of doing things.


Here is what I did once I had the proper certificate.


First off, I needed to export the certificate from the current user's certificate store so it can be used by Apache. To do this:

  • Fire up an MMC console, and add a certificate snap-in, selecting My user account
  • Once opened, browse to the new certificate
  • Right click on it and export
  • Select, Yes, export the private key
  • Select, Include all certificates in the certification path if possible and Export all extended properties
  • Enter a password <importprivatekeypassword> and confirm
  • And then enter a descriptive filename, I used "newcert-19-05-2012-with-privte-key.pfx"


Next I need to convert the certificate to something Apache understands, and at the same time export the private key. Apache needs the private key in a separate file when running on Windows.

I copied "newcert-19-05-2012-with-privte-key.pfx" to the folder where openssl.exe is located, c:\web\apache\bin, just to make it easier.

I start an elevated command prompt

CD to the folder where openssl.exe is located

Run openssl and I get the OpenSSL> prompt.

Now I'm going to run the following commands

  • To export the private key file from the pfx file
    • pkcs12 -in newcert-19-04-2012-with-privte-key.pfx -nocerts -out key.pem
  • To export the certificate file from the pfx file
    • pkcs12 -in newcert-19-04-2012-with-privte-key.pfx -clcerts -nokeys -out cert.pem
  • To remove the passphrase from the private key
    • rsa -in key.pem -out server.key


This is what it looked like at the OpenSSL> prompt

OpenSSL> pkcs12 -in newcert-19-04-2012-with-privte-key.pfx -nocerts -out key.pem

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

OpenSSL> pkcs12 -in newcert-19-04-2012-with-privte-key.pfx -clcerts -nokeys -out cert.pem

Enter Import Password:

MAC verified OK

OpenSSL> rsa -in key.pem -out server.key

Enter pass phrase for key.pem:

writing RSA key



Now I have a server certificate "cert.pem", and a key file, "server.key"

I copied these to where I'm storing my certificate files, c:\web\apache\cert


Next update httpd-ssl.conf...

SSLCertificateFile "c:/web/apache/cert/cert.pem"

SSLCertificateKeyFile "c:/web/apache/cert/server.key"

Restart Apache


At this point the certificate worked, sort of...

It was fine in Mozilla Firefox, but Internet Explorer couldn't see the certificate chain.


To fix this I had to download the CA chain from the same server the certificate was requested from, and then extract each of the 4 certificates in the certificate chain. All the guides I read said I need the certificates as Base-64, and to use the Unix CAT command to copy them to the one file. I tried doing this with a standard text editor, but that didn't work, I ended up using the DOS (Windows?) TYPE command.


So download the CA chain file

Double click on the CA chain file, and then drill down to the CA and intermediate certificates

Right click on each of the certificates starting from the top level certificate and export them as Base-64 encoded X.509 (.CER) files

I exported them as cert1.cer, cert2.cer, cert3.cer, cert4.cer

Now concatenate the certificates into one file using the "type" command

C:>Type cert1.cer cert2.cer cert3.cer cert4.cer >server-ca.crt

Then I copied "server-ca.crt" to my certificate folder, c:\web\apache\cert
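
An added example, not part of the original post: a small Python check to run over the concatenated bundle before Apache is pointed at it. It flags the ways a hand-assembled PEM file commonly goes wrong (UTF-16 or a byte order mark from a text editor, binary DER instead of Base-64, END and BEGIN markers run together, a wrong certificate count); the function names and the sample data are constructed for illustration.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"\s*\n(.*?)\n\s*" + re.escape(END), re.S)

def check_chain_bundle(data, expected=None):
    """Return a list of problems in a PEM chain bundle; an empty list means it looks sane."""
    problems = []
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return ["file is UTF-16 text, not ASCII PEM"]
    if data[:1] == b"\x30":
        return ["file is binary DER; export as Base-64 encoded X.509 instead"]
    if data[:3] == b"\xef\xbb\xbf":
        problems.append("UTF-8 byte order mark before the first certificate")
        data = data[3:]
    text = data.decode("ascii", errors="replace")
    # A file without a trailing newline glues its END marker to the next BEGIN.
    if re.search(re.escape(END) + r"[ \t]*" + re.escape(BEGIN), text):
        problems.append("END and BEGIN markers share a line")
    blocks = BLOCK.findall(text)
    if text.count(BEGIN) != len(blocks):
        problems.append("%d BEGIN markers but %d complete blocks"
                        % (text.count(BEGIN), len(blocks)))
    if expected is not None and len(blocks) != expected:
        problems.append("expected %d certificates, found %d" % (expected, len(blocks)))
    for n, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate %d: body is not valid Base-64" % n)
            continue
        if not der.startswith(b"\x30"):  # every X.509 certificate is a DER SEQUENCE
            problems.append("certificate %d: decoded data is not a DER SEQUENCE" % n)
    return problems

def fake_pem(seed):
    """Constructed stand-in for a .cer file: PEM armour around dummy bytes, not a real certificate."""
    der = b"\x30\x82\x01\x0a" + bytes([seed]) * 60
    return (BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n").encode()

if __name__ == "__main__":
    good = b"".join(fake_pem(i) for i in range(1, 5))   # four files, as in the post
    glued = fake_pem(1).rstrip(b"\n") + fake_pem(2)     # first file lacks a final newline
    print(check_chain_bundle(good, expected=4))
    print(check_chain_bundle(glued))
    print(check_chain_bundle(b"\xef\xbb\xbf" + good))
```

To check the real file, pass its raw bytes, for example `check_chain_bundle(open("server-ca.crt", "rb").read(), expected=4)`. The check covers file structure only; it does not validate signatures or chain order.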


Update httpd-ssl.conf

SSLCertificateChainFile "C:/web/apache/cert/server-ca.crt"

Restart Apache


Test, all good...


Hope this helps someone, or me if I try to do this again :-)...