Moving/Copying SSL Certs from IIS to Apache

Argomenti vari di carattere sistemistico
Post Reply
daniele
Posts: 342
Joined: 04 Mar 2009, 13:59

Moving/Copying SSL Certs from IIS to Apache

Post by daniele »

In Windows:
occorre esportare il certificato su un file con estensione .PFX
Il file conterrà il certificato E la chiave privata: è importante conservare al sicuro questo file.
Questa procedura è indicata anche per effettuare il backup della chiave privata e il certificato
Nella procedura di esportazione occorre prestare estrema attenzione a NON SEGNARE IL CAMPO DI ELIMINAZIONE DELLA CHIAVE PRIVATA DOPO L'ESPORTAZIONE.

Procedura per l'esportazione:
* Run mmc.exe
* Click the 'Console' menu and then click 'Add/Remove Snap-in'.
* Click the 'Add' button and then choose the 'certificates' snap-in and click on 'Add'.
* Select 'Computer Account' then click 'Next'.
* Select 'Local Computer' and then click 'OK'.
* Click 'Close' and then click 'OK'.
* Expand the menu for 'Certificates' and click on the 'Personal' folder.
* Right click on the certificate that you want to export and select 'All tasks' -> 'Export'.
* A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.


Su Linux/Apache, questi sono i passaggi per l'importazione di chiave privata e certificato:

# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# This removes the passphrase from the private key so Apache won't
# prompt you for your passphase when it starts
openssl rsa -in key.pem -out server.key


ADDENDUM DEL 22/12/2011
1. Export IIS6 certificate into into .pfx format
On Windows Server machine
- Start > Run MMC
- File > Add/Remove Snap-in
- Add > Certificates > Add > Computer Account > Local Computer
Navigate to Certificates > Personal > Certificates
- Right click your certificate > All Tasks > Export
- Yes, export private key
Personal Information Exchange (.pfx) - clear all checkboxes
leave password blank (dovrai digitare una password, es.: 1234)
- Choose where to save file
- Finish

2 . Extract private key and certificate file
Copiare la chiave esportata su un Linux che abbia la libreria Openssl installata
(va bene anche una macchina Windows con OpenSsl installato)
Apri una sessione terminal e vai sulla directory dove hai salvato il certificato .pfx esportato e digita:
openssl pkcs12 -in "/home/utente/filename.pfx" -out "/home/utente/cert.pem"
Enter Import Password: metti la stessa password usata in Windows (1234)
Enter PEM pass phrase: 1234 (or anything else). L'ultima volta ho usato 1234

Created cert.pem file will have encrypted private key and all certificates (identity, root, intermediate) in a plain text.
To extract certificates or encrypted private key just open cert.pem in a text editor and copy required parts to a new .crt or .key file. If formatting doesn't look right in Windows notepad use Notepad++ or similar text editor.

If you need private key in not encrypted format you can extract it from cert.pem removing encryption:
openssl rsa -in "/home/utente/cert.pem" -out "/home/utente/PrivateKey.key"
Enter pass phrase (1234 or somethinkg else you set previously) to remove encryption.
Post Reply