Generating a Certificate for Apache using a Microsoft CA

  • Question

  • Hi Everyone, 

    I have a question regarding generating a certificate to be used by an Apache Web Service, with the certificate being generated by a Microsoft CA. 

    The Apache Web Service is part of a new service that is being introduced and is installed on a Windows Server. So far we have had the Apache service generate a key file for itself and provide a CSR that can be used to generate a certificate. However, when I provide a certificate back to the web service it can't load the certificate and the Apache service is unable to start. 

    I thought this may have something to do with the CSR format, as it seemed to lose some of its formatting. So I resolved this using Notepad++, however the issue still exists.

    Has anyone got some experience of this issue and know how to resolve it?

    regards

    Hendy25

    Monday, November 5, 2012 10:38 PM

Answers

  • Hi Hendy25

    For Apache or IIS, the certificate MUST reside in the personal machine store of the machine. If the service fails to start, I suspect that you installed your certificate in the user's store.

    Here is an example of how to create a manual CSR.

    Create an INF file with this content:

    [Version]

    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=www.acme.com,OU=webserver,O=Acme inc,ST=QC,C=US,DC=acme,DC=com"

    ;EncipherOnly = FALSE
    Exportable = FALSE   ; TRUE = Private key is exportable
    KeyLength = 2048     ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
    KeySpec = 1          ; Key Exchange – Required for encryption
    KeyUsage = 0xA0      ; Digital Signature, Key Encipherment
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

    RequestType = PKCS10 ; or CMC.

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication


    [Extensions]

    SAN="dns=srv01.acme.com&url=www.acme.com&dns=www.acme.com"

    Afterwards, run the certreq command:

    certreq -new $File.inf request.req

    After that, go to the CA and sign the request.

    Export your signed request to .cer format.

    On the Apache server:

    certreq -accept -machine requestSigned.cer

    Restart your Apache service.

    Hope this will help you.

    Stef71


    Tuesday, November 6, 2012 2:59 AM
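
A check for the store placement described in the answer above, as an added example that is not part of the original post: it looks in the machine and current-user personal stores for the certificate and reports whether it has a private key, the Server Authentication EKU and a SAN. The function name `Find-ServerCertificate` is hypothetical; the CN is the sample subject from the INF file.

```powershell
# Added example: report where a certificate landed after `certreq -accept`.
# Find-ServerCertificate is a hypothetical helper name; 'www.acme.com' is the
# sample CN from the INF file in the answer above.
function Find-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CommonName
    )
    # Personal ("My") store of the machine and of the current user.
    $stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'
    $pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $pattern } |
            ForEach-Object {
                $cert = $_
                # 2.5.29.37 = Enhanced Key Usage, 2.5.29.17 = Subject Alternative Name
                $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
                $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
                $serverAuth = $false
                if ($eku) {
                    # 1.3.6.1.5.5.7.3.1 = Server Authentication (the OID set in the INF)
                    $serverAuth = [bool]($eku.EnhancedKeyUsages |
                        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
                }
                $sanText = $null
                if ($san) { $sanText = $san.Format($false) }
                [pscustomobject]@{
                    Store          = $store
                    Thumbprint     = $cert.Thumbprint
                    HasPrivateKey  = $cert.HasPrivateKey
                    NotAfter       = $cert.NotAfter
                    ServerAuthEku  = $serverAuth
                    SubjectAltName = $sanText
                }
            }
    }
}

$found = @(Find-ServerCertificate -CommonName 'www.acme.com')
if (-not $found) {
    Write-Warning 'No matching certificate in either personal store.'
}
$found | Format-List
# Flag the two conditions the answer warns about: user store, or no private key.
$found | Where-Object { $_.Store -like '*CurrentUser*' -or -not $_.HasPrivateKey } |
    ForEach-Object {
        Write-Warning "Check $($_.Thumbprint): store=$($_.Store), HasPrivateKey=$($_.HasPrivateKey)"
    }
```

Run it in an elevated session on the server where `certreq -accept -machine` was executed, using the account that performed the install so that the current-user store checked is the relevant one.
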
  • Hi,

    Thanks for your post.

    Please note that the CSR can be generated in IIS on the server. If you have IIS on your server, use it to generate a CSR, send it to your Microsoft CA and complete the process. In addition, you can use LDAP over SSL to request a certificate from the Microsoft CA.

    How to enable LDAP over SSL with a third-party certification authority
    http://support.microsoft.com/kb/321051/en-us

    IIS 7.0 CSR/SSL Create and Install
    https://help.maximumasp.com/KB/a627/iis-70-csrssl-create-and-install.aspx

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Monday, November 12, 2012 2:35 AM
    Moderator
  • In another post I have listed the resolution that I found from my experience, a link to this can be found below:- http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/208d920b-b0d7-4cd2-9c0c-f051682a5a77/#2009aca5-449d-436c-9026-92d060d64d07
    • Marked as answer by Hendy25 Sunday, December 23, 2012 5:58 PM
    Sunday, December 23, 2012 5:58 PM

All replies

  • Hi,

    How are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.

    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Wednesday, November 14, 2012 5:20 AM
    Moderator
  • I have since posted another question with more detail

    
    
    Here
    Friday, December 7, 2012 12:29 AM