Generating a Certificate for Apache using a Microsoft CA


  • Monday, November 05, 2012 10:38 PM
     
     

    Hi Everyone, 

    I have a question regarding generating a certificate to be used by an Apache Web Service, with the certificate being generated by a Microsoft CA. 

    The Apache Web Service is part of a new service that is being introduced and is installed on a Windows Server. So far we have had the Apache service generate a key file for itself and provide a CSR that can be used to generate a certificate. However, when I provide a certificate back to the web service it can't load the certificate and the Apache service is unable to start. 

    I thought this may have something to do with the CSR format, as it seemed to lose some of its formatting. So I resolved this using Notepad++; however, the issue still exists.

    Has anyone got some experience of this issue and know how to resolve it?

    regards

    Hendy25
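
A check for the formatting concern raised in the question, as an added example that is not part of the original thread: it reports whether a CSR or certificate file is PEM (Base64 text, the form mod_ssl's SSLCertificateFile reads) or binary DER, and flags armor damage such as lost line breaks. The function name `inspect_pki_file` and the sample data are constructed for illustration.

```python
import base64
import binascii
import re

# certreq writes "NEW CERTIFICATE REQUEST"; OpenSSL writes "CERTIFICATE REQUEST".
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)


def inspect_pki_file(data: bytes) -> dict:
    """Classify a CSR/certificate file as PEM or DER and list formatting problems."""
    problems = []
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):  # UTF-16 BOM: saved as "Unicode" text
        return {"encoding": "unknown", "label": None, "problems": ["file is UTF-16 text"]}
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before the BEGIN line")
        data = data[3:]
    match = PEM_RE.search(data)
    if match is None:
        if data[:1] == b"\x30":  # DER is raw ASN.1; an outer SEQUENCE starts with 0x30
            problems.append("binary DER, not Base64 (PEM) text")
            return {"encoding": "DER", "label": None, "problems": problems}
        if b"BEGIN" in data or b"END" in data:
            problems.append("BEGIN/END armor lines are damaged or incomplete")
        return {"encoding": "unknown", "label": None, "problems": problems}
    label, body, end_label = match.group(1).decode(), match.group(2), match.group(3).decode()
    if label != end_label:
        problems.append(f"BEGIN label {label!r} does not match END label {end_label!r}")
    lines = body.replace(b"\r\n", b"\n").strip(b"\n").split(b"\n")
    if len(lines) == 1 and len(lines[0]) > 76:
        problems.append("Base64 body is on one long line (line breaks were lost)")
    if any(line != line.strip() for line in lines):
        problems.append("stray whitespace inside the Base64 body")
    try:
        der = base64.b64decode(b"".join(line.strip() for line in lines), validate=True)
        if der[:1] != b"\x30":
            problems.append("decoded body is not an ASN.1 SEQUENCE")
    except binascii.Error:
        problems.append("Base64 body has invalid characters or bad padding")
    return {"encoding": "PEM", "label": label, "problems": problems}


# Constructed sample: a 96-byte placeholder blob (0x30 header plus zero bytes), not a real CSR.
SAMPLE_DER = b"\x30\x5e" + bytes(94)
_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_WRAPPED = (b"-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
                  + b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
                  + b"\r\n-----END NEW CERTIFICATE REQUEST-----\r\n")
SAMPLE_FLAT = SAMPLE_WRAPPED.replace(b"\r\n", b"")  # line breaks dropped, e.g. by copy and paste

if __name__ == "__main__":
    for name, blob in [("wrapped", SAMPLE_WRAPPED), ("flat", SAMPLE_FLAT), ("der", SAMPLE_DER)]:
        print(name, inspect_pki_file(blob))
```

The check covers file encoding and armor only; it does not parse the ASN.1 content or compare the certificate against the private key.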

All Replies

  • Tuesday, November 06, 2012 2:59 AM
     
     Answered

    Hi Hendy25

    For Apache or IIS, the certificate MUST reside in the personal machine store of the machine. If the service fails to start, my guess is that you installed your certificate in the user store.

    Here is an example of how to create a CSR manually.

    Create an INF file with this content:

    [Version]

    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=www.acme.com,OU=webserver,O=Acme inc,ST=QC,C=US,DC=acme,DC=com"

    ;EncipherOnly = FALSE
    Exportable = FALSE   ; TRUE = Private key is exportable
    KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
    KeySpec = 1          ; Key Exchange – Required for encryption
    KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

    RequestType = PKCS10 ; or CMC.

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication


    [Extensions]

    SAN="dns=srv01.acme.com&url=www.acme.com&dns=www.acme.com"

    After that, run the certreq command:

    certreq -new $File.inf request.req

    Afterwards, go to the CA and sign the request.

    Export your signed request to .cer format.

    On the Apache server:

    certreq -accept -machine requestSigned.cer

    Restart your Apache service.

    Hope this will help you.

    Stef71


  • Monday, November 12, 2012 2:35 AM
    Moderator
     
     Answered

    Hi,

    Thanks for your post.

    Please note that the CSR can be generated in IIS on the server. If you have IIS on your server, use it to generate a CSR, send it to your Microsoft CA, and complete the process. In addition, you can use LDAP over SSL to request a certificate from the Microsoft CA.

    How to enable LDAP over SSL with a third-party certification authority
    http://support.microsoft.com/kb/321051/en-us

    IIS 7.0 CSR/SSL Create and Install
    https://help.maximumasp.com/KB/a627/iis-70-csrssl-create-and-install.aspx

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Aiden

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Aiden Cao

    TechNet Community Support

  • Wednesday, November 14, 2012 5:20 AM
    Moderator
     
     

    Hi,

    How are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.

    Best Regards,
    Aiden


  • Friday, December 07, 2012 12:29 AM
     
     

    I have since posted another question with more detail

    
    
    Here
  • Sunday, December 23, 2012 5:58 PM
     
     Answered
    In another post I have listed the resolution that I found from my experience, a link to this can be found below:- http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/208d920b-b0d7-4cd2-9c0c-f051682a5a77/#2009aca5-449d-436c-9026-92d060d64d07
    • Marked As Answer by Hendy25 Sunday, December 23, 2012 5:58 PM