Posted to users@httpd.apache.org by vk...@exemail.com.au on 2005/11/22 03:44:56 UTC
[users@httpd] Migrating from IIS to Apache - how to keep the SSL certificate?
Hi,
We are considering a migration from IIS to apache2 on a win2k server. I
got mod_ssl up and running with a self-signed certificate but I hit the
wall when I tried to reuse our existing certificate signed from a CA.
Unfortunately this is a show stopper.
I have only a .cer file:

    openssl x509 -in <hostname>.crt -text

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                20:...
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=...
            Validity
                Not Before: ...
                Not After : ...
            Subject: C=...
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:...
                    Exponent: ...
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:36:...
                X509v3 Subject Key Identifier:
                    7D:..
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Certificate Policies:
                    Policy: 1.3...
                      CPS: https://...
                X509v3 CRL Distribution Points:
                    URI:http://...
                    URI:http://...
                    email:...
                Netscape Cert Type:
                    SSL Client, SSL Server
        Signature Algorithm: sha1WithRSAEncryption
            18:...
    -----BEGIN CERTIFICATE-----
    MIIF...
    -----END CERTIFICATE-----

I copied the <hostname>.crt to Apache2\conf\ssl but when I started Apache
I got :
[Tue Nov 22 10:56:20 2005] [error] Init: SSLPassPhraseDialog builtin is
not supported on Win32 (key file C:/Program Files/Apache
Group/Apache2/conf/ssl/<hostname>.crt)
I have neither the certificate signing request nor the private key
for this certificate. Is it possible to reuse it in Apache? How?
TIA
Vesselin
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Migrating from IIS to Apache - how to keep the SSL certificate?
Posted by Joost de Heer <sa...@xs4all.nl>.
vk01@exemail.com.au wrote:
> Hi,
>
> We are considering a migration from IIS to apache2 on a win2k server. I
> got mod_ssl up and running with a self-signed certificate but I hit the
> wall when I tried to reuse our existing certificate signed from a CA.
First export the IIS certificate:
- Go to the IIS manager, go to the website with the certificate and choose
'properties'
- Go to the tab 'Directory security'
- Click on 'View certificate' in the 'secure communications' section
- Click in the new screen on the tab 'details'
- Click on 'Export to file...'
- Select 'Yes, export the private key'
- Select only the option 'enable strong protection', and enter a password
- Give a filename
- Click on 'finish'.
Now you have a p12 certificate. Copy this certificate to your Apache machine.

To get the key:

    openssl pkcs12 -nocerts -in [.pfx] -out certificate.key

This asks for three passwords: first one is the export password used in
the previous step, and the second/third are the private key passwords. You
can later remove the private key password with

    mv certificate.key certificate.key.encrypted
    openssl rsa -in certificate.key.encrypted -out certificate.key

And to generate the cer:

    openssl pkcs12 -nokeys -in [.pfx] -out certificate.cer

This is probably not the fastest way, but this is the documentation I made
for my colleagues.
Joost
Re: [users@httpd] Migrating from IIS to Apache - how to keep the
SSL certificate?
Posted by vk...@exemail.com.au.
Got it! Procedure:
1. Export the certificate from IIS as a .pfx file: Properties of the web
site->Directory Security -> View Certificate -> Details -> Copy to file ->
Next -> Export the private key + Next -> Next -> blank password + next ->
<hostname> + next -> Finish
This creates file <hostname>.pfx with the certificate and the private key.
2. openssl pkcs12 -in <hostname>.pfx -out <hostname>.pem -nodes
3. openssl rsa -in <hostname>.pem -out <hostname>.key
<hostname>.key is the file I was after.
4. To get the "chain of trust" from the CA*.crt files supplied by the CA:

    openssl x509 -in CA01.crt -text > trust_bundle.pem
    openssl x509 -in CA02.crt -text >> trust_bundle.pem
    openssl x509 -in CA03.crt -text >> trust_bundle.pem
    ...

5. httpd.conf:

    <VirtualHost <hostname>:443>
        servername <hostname>
        SSLEngine On
        SSLCACertificateFile conf/ssl/trust_bundle.pem
        SSLCertificateFile conf/ssl/<hostname>.crt
        SSLCertificateKeyFile conf/ssl/<hostname>.key
    </VirtualHost>

I hope this will be helpful to somebody.
Regards
Vesselin
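
The extraction steps in the two replies above, run end to end on a throwaway certificate, with a check that the extracted key really belongs to the certificate. This is an added example, not part of any post in the thread; the function names, file names, subject and password are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): run the .pfx extraction on a throwaway
# certificate and check the key/certificate pairing before Apache loads them.
# Every file name, the subject and the password below are constructed.

# Split <base>.pfx into <base>.key and <base>.crt, as in the posts above.
extract_from_pfx() (   # $1 = path without extension, $2 = export password
    umask 077          # files holding key material: owner access only
    openssl pkcs12 -in "$1.pfx" -passin "pass:$2" -nodes -out "$1.pem" 2>/dev/null &&
    openssl rsa -in "$1.pem" -out "$1.key" 2>/dev/null &&
    openssl pkcs12 -in "$1.pfx" -passin "pass:$2" -nokeys -out "$1.crt" 2>/dev/null
    rc=$?
    rm -f "$1.pem"     # the intermediate file also holds the unencrypted key
    exit "$rc"
)

# Succeed only if the private key and the certificate share one public key.
key_matches_cert() {   # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the file contains a PEM private key block.
has_private_key() { grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# Constructed sample: self-signed certificate and key bundled as PKCS#12.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
    -keyout "$work/orig.key" -out "$work/orig.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$work/orig.key" -in "$work/orig.crt" \
    -passout pass:demo-export -out "$work/host.pfx"
openssl genrsa -out "$work/other.key" 2048 2>/dev/null   # unrelated key

extract_from_pfx "$work/host" demo-export
key_matches_cert "$work/host.key" "$work/host.crt" && echo "host.key matches host.crt"
key_matches_cert "$work/other.key" "$work/host.crt" || echo "other.key does NOT match"
has_private_key "$work/host.crt" || echo "host.crt holds no private key"
```

On the real files, key_matches_cert with <hostname>.key and <hostname>.crt confirms the pairing before SSLCertificateKeyFile points at the key; a certificate-only file fails has_private_key, which is the situation in the first post.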
[users@httpd] Load images
Posted by Benjamin Adams <ba...@ambrosiasw.com>.
My images have trouble loading at a good speed.
System, Mac Dual G5, apache 1.3.33
httpd.conf
-----------------------------------
RLimitNPROC max max
ExtendedStatus On
Timeout 40
KeepAlive On
MaxKeepAliveRequests 300
KeepAliveTimeout 10
MaxClients 500
MinSpareServers 5
MaxSpareServers 18
StartServers 5
MaxRequestsPerChild 10000
also running php4.3.11 and mysql 4.1 on invision power boards
php.ini
[Zend]
;zend_optimizer.optimization_level=15
zend_optimizer.optimization_level=1023
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-2.5.10
zend_optimizer.version=2.5.10
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so
zend_extension="/ea/eaccelerator-0.9.3/modules/eaccelerator.so"
eaccelerator.shm_size="64"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter="*.php *.phtml"
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="500"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="1"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
Can it be a problem running zend optimizer and eaccelerator? Would
running one be better than two?
Also, is there anything I can do for performance?
Thanks
Re: [users@httpd] Migrating from IIS to Apache - how to keep the
SSL certificate?
Posted by Joost de Heer <sa...@xs4all.nl>.
herauthon wrote:
> Suspicious whitespace sequence : Avast Alert
Could you please fix your mail program so it won't bug us with this
useless information?
Joost
Re: [users@httpd] Migrating from IIS to Apache - how to keep the SSL certificate?
Posted by herauthon <he...@home.nl>.
Suspicious whitespace sequence : Avast Alert
Sender: vk01@exemail.com.au
Recipient: users@httpd.apache.org
Subject: Re: [users@httpd] Migrating from IIS to Apache - how to keep the
SSL certificate?