Sep 24 2016
Reuse PFX Exchange / IIS Certificate on Apache Web Server
While generating a Microsoft Exchange (or IIS web server) certificate, take the opportunity to add the extra domain names your Apache hosts answer to, so the same certificate can be reused on those Apache web servers. This saves you a few bucks and some time, unless your CA already delivers the certificate in formats for multiple platforms.
PFX is a popular exchange format on Microsoft software such as Exchange or IIS. It is a PKCS#12 archive file that contains a certificate and the matching private key, and it may also carry other items such as the CA certificate.
First, copy the PFX file generated by Exchange to the Apache web server, which should already have the tools (OpenSSL) needed to extract the certificate and key from the PFX and import them into Apache.
Extract Cert and Key from the PFX File
Extract the private key from the PFX (-nodes writes it out unencrypted). Enter the PFX password when prompted.
openssl pkcs12 -in cert.pfx -nocerts -out enc.key -nodes
Now, extract the certificate
openssl pkcs12 -in cert.pfx -nokeys -out cert.crt
And finally, rewrite the private key as a plain PEM key. Because -nodes already produced an unencrypted key, this step strips a passphrase only if one was set and otherwise just re-encodes the key; dec.key is unprotected and must be kept private.
openssl rsa -in enc.key -out dec.key
Import Cert and Key into Apache
Move the certificate and private key to the appropriate Apache directories (I'm on Red Hat Linux) and set proper permissions on the key:
mv cert.crt /etc/pki/tls/certs/
mv dec.key /etc/pki/tls/private/
chmod 600 /etc/pki/tls/private/dec.key
Failing to run chmod leads to an Apache error on restart.
If SELinux is enabled on your web server, run
restorecon -RvF /etc/pki
This restores the proper SELinux context on the files you just moved (mv keeps the label of the source directory). Without it, Apache fails to start with an error like the following:
[error] (13)Permission denied: Init: Can't open server certificate file /etc/pki/tls/certs/dec.key
Declare the new certificate in the Apache virtual host configuration file:
SSLCertificateFile /etc/pki/tls/certs/cert.crt
SSLCertificateKeyFile /etc/pki/tls/private/dec.key
And reload the daemon to apply changes:
/etc/init.d/httpd reload
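The whole procedure above, from PFX to Apache-ready PEM files, as an added example script (not the post's own commands): it performs the three openssl steps, keeps the key owner-only from the moment it is written, and then does the two checks worth running before reloading httpd: that the extracted key really matches the certificate (mod_ssl refuses a mismatched pair) and which DNS names the certificate covers, so you can confirm the extra Apache host names made it in. Everything is assumed: the openssl CLI, the output directory argument (use it instead of the /etc/pki paths in the post, then move the files), and the demo's throwaway self-signed certificate, password "changeit" and example.test names, which are constructed test data standing in for a real Exchange PFX.

```shell
#!/bin/sh
# Added example, not the post's own script: convert a PFX to the PEM files
# Apache wants, then verify the key and certificate actually belong together
# and list the domain names the certificate covers. Requires the openssl CLI.
set -eu

# pfx_to_pem PFX PASSWORD OUTDIR
# Writes OUTDIR/cert.crt (leaf), OUTDIR/chain.crt (CA certs, empty if the PFX
# carries none) and OUTDIR/dec.key. Runs in a subshell so the umask change is local.
pfx_to_pem() (
    pfx=$1; pass=$2; out=$3
    umask 077                      # files are owner-only from the moment they exist
    mkdir -p "$out"
    # Private key only; -nodes writes it unencrypted
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" -out "$out/enc.key"
    # Leaf certificate only (-clcerts leaves out CA certs bundled in the PFX)
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pass" -out "$out/cert.crt"
    # CA certificates, if any, for SSLCertificateChainFile
    openssl pkcs12 -in "$pfx" -nokeys -cacerts -passin "pass:$pass" -out "$out/chain.crt"
    # Same step as the post's "openssl rsa": strips a passphrase if one was set
    # and re-encodes the key as plain PEM (the header text depends on the OpenSSL version)
    openssl rsa -in "$out/enc.key" -out "$out/dec.key"
    rm -f "$out/enc.key"
    chmod 600 "$out/dec.key"
    chmod 644 "$out/cert.crt" "$out/chain.crt"
)

# key_matches_cert KEY CERT: succeeds only if the key's modulus equals the
# certificate's, i.e. the PEM pair really is a pair
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_sans CERT: prints each DNS name from subjectAltName, one per line,
# so you can confirm the Apache host names were actually added to the cert
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# demo: builds a throwaway self-signed certificate with two SANs (constructed
# test data, not a real Exchange certificate), packs it into a PFX with the
# password "changeit", converts it and prints the output directory
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$tmp/orig.key" -out "$tmp/orig.crt" \
        -subj "/CN=mail.example.test" \
        -addext "subjectAltName=DNS:mail.example.test,DNS:www.example.test" 2>/dev/null
    openssl pkcs12 -export -inkey "$tmp/orig.key" -in "$tmp/orig.crt" \
        -passout pass:changeit -out "$tmp/cert.pfx"
    pfx_to_pem "$tmp/cert.pfx" changeit "$tmp/apache" 2>/dev/null
    key_matches_cert "$tmp/apache/dec.key" "$tmp/apache/cert.crt"
    echo "$tmp/apache"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(demo)
    echo "Converted into $dir; DNS names covered by the certificate:"
    cert_sans "$dir/cert.crt"
fi
```

Run it as `sh pfx2pem.sh --demo` to see the round trip on the constructed certificate; for a real PFX, call `pfx_to_pem cert.pfx '<password>' /some/dir` and then move cert.crt and dec.key into /etc/pki/tls as the post describes (and restorecon them on SELinux hosts). If chain.crt is non-empty, point SSLCertificateChainFile at it as well.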
Now you have the same certificate on Exchange (or IIS, in the PFX archive) and on the Apache web server. The extracted PEM certificate and key can be used on other web servers too, Nginx for instance.
Also check with your certificate authority beforehand: they may provide the certificate in several formats for different pieces of software, saving you the hassle of running these commands.