IIS (.pfx) SSL Certificate to Apache (.crt and .key)

Hello everyone,

This article comes from the RapidSSL knowledge base. I will not rewrite it to make it my own; that would be useless. I can just confirm that it is well explained and works as expected, as I had to do it.

To move an SSL certificate from Microsoft IIS 7.0 to Apache, the certificate must be converted from a PKCS#12 file (.p12 or .pfx) into two separate files: the private key and the certificate (public key).

Step 1: Export certificate in IIS 7

  1. From the web server, click Start
  2. In the Search programs and files field, type mmc
  3. From the Programs list, click mmc.exe
  4. At the permission prompt, click Yes
  5. From the Microsoft Management Console (MMC), click File > Add/Remove Snap-in
  6. From the list of snap-ins, select Certificates
  7. Click Add
  8. Select Computer account
  9. Click Next
  10. Select Local computer (the computer this console is running on)
  11. Click Finish
  12. In the Add/Remove Snap-in window, click OK
  13. Save these console settings for future use
  14. Double click on Certificates (Local Computer) in the center window.
  15. Double click on the Personal folder, and then on Certificates.
  16. Right-click the certificate you would like to back up and choose All Tasks > Export
  17. Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
  18. Choose “Yes, export the private key”
  19. Choose “Include all certificates in certificate path if possible” (do NOT select the delete Private Key option)
  20. Enter a password you will remember
  21. Choose to save file on a set location
  22. Click Finish
  23. You will receive a message > “The export was successful.” > Click OK
  24. The .pfx file backup is now saved in the location you selected.

Step 2: Convert PFX file to compatible files for Apache

Move the .pfx file to the Apache server, or install OpenSSL on your Windows machine (https://slproweb.com/products/Win32OpenSSL.html).

To extract the private key, run the OpenSSL command below. It asks for the password set during the export, then for a new passphrase to protect key.pem:
openssl pkcs12 -in <filename>.pfx -nocerts -out key.pem

To extract the certificate (public key), run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem

cert.pem can be renamed to server.crt if needed.

If you do not want the private key to be protected by a passphrase, you can remove it with the following command. The resulting server.key is unencrypted, so keep it readable only by root:

openssl rsa -in key.pem -out server.key

You can now use server.crt and server.key in your Apache configuration.
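
The conversion above as a non-interactive script, with a check that the extracted key really belongs to the extracted certificate. This is an added example, not part of the RapidSSL article: the function names and the PFX_PASS environment variable are assumptions, and it uses -nodes to write the key without a passphrase in one step instead of the separate openssl rsa command.

```shell
#!/bin/sh
# Added example: function names and the PFX_PASS variable are assumptions.
# Usage: export PFX_PASS='export password'; sh pfx2apache.sh site.pfx ./ssl

# Succeeds only if the certificate and the private key hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# pfx_to_apache PFX OUTDIR: writes OUTDIR/server.crt and OUTDIR/server.key.
pfx_to_apache() {
    pfx=$1 out=$2
    [ -n "$PFX_PASS" ] || { echo "export PFX_PASS first" >&2; return 2; }
    (
        umask 077                   # new files are created owner-only
        mkdir -p "$out" || exit 1
        # Private key, written unencrypted (-nodes) so Apache starts unattended.
        openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS \
            -out "$out/server.key" || exit 1
        # Server certificate only, without the CA chain.
        openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS \
            -out "$out/server.crt" || exit 1
    ) || return 1
    chmod 600 "$out/server.key"     # the unencrypted key stays private
    chmod 644 "$out/server.crt"     # the certificate is public
    cert_matches_key "$out/server.crt" "$out/server.key" || {
        echo "certificate and key do not match" >&2; return 3; }
}

if [ "$#" -eq 2 ]; then pfx_to_apache "$1" "$2"; fi
```

Reading the password from the environment keeps it out of the process list and the shell history of the openssl command line.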


Install Apache Reverse Proxy on Ubuntu Server

Hello everyone,

I am going to implement an Apache Reverse Proxy on Ubuntu Server. I will share with you the steps I took to accomplish this task.

  • Install Ubuntu Server

I will not explain how to install Ubuntu Server as it’s straightforward and easy. For your information, I used version 16.04.2 and did a basic install without LAMP.

  • Install Apache

First of all, make sure all of your packages are up to date:

sudo apt-get update

sudo apt-get upgrade

Then install Apache (here, Ubuntu's packaged version 2.4.18):

sudo apt-get install apache2

Check that Apache is now running and reachable by browsing to your server’s IP address, or run:

service apache2 status

  • Configure Apache

To work as a proxy, Apache needs some modules enabled. Modules are enabled with a2enmod; run without arguments, it shows all the available modules you can enable:

a2enmod

We will go ahead with the following ones (the configuration below only relies on proxy and proxy_http):

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_ajp
sudo a2enmod rewrite
sudo a2enmod deflate
sudo a2enmod headers
sudo a2enmod proxy_balancer
sudo a2enmod proxy_connect
sudo a2enmod proxy_html

We will then need to disable Apache's default configuration file, 000-default.conf, and create a new one inside the /etc/apache2/sites-available directory.

To disable it, run :

sudo a2dissite 000-default

Then create the new file :

sudo nano /etc/apache2/sites-available/reverse-proxy.conf

Note: the file name must end in .conf, or “a2ensite” will not find it when you try to enable it later.

Add your VirtualHost in this file to match your reverse proxy preferences. Here is mine; you can tweak it:

# Default (first) VirtualHost: requests matching no other ServerName are denied.
<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# server1.domain.com is proxied to srv1.domain.com.
<VirtualHost *:80>
    ServerName server1.domain.com
    ServerAdmin admin@domain.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass / http://srv1.domain.com/
    ProxyPassReverse / http://srv1.domain.com/
    # ProxyPreserveHost On
</VirtualHost>

# server2.domain.com is proxied to srv2.domain.com.
<VirtualHost *:80>
    ServerName server2.domain.com
    ServerAdmin admin@domain.com
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass / http://srv2.domain.com/
    ProxyPassReverse / http://srv2.domain.com/
    # ProxyPreserveHost On
</VirtualHost>

The first VirtualHost simply denies access to the default website when the request matches neither of the other two ServerName directives.

If you browse to server1.domain.com, it will forward requests to server srv1.domain.com and if you browse to server2.domain.com, it will forward requests to srv2.domain.com.

If you browse using the IP address or another subdomain pointing to your Proxy server, you will get the access denied webpage from the first VirtualHost.
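
To review that routing before enabling the site, the following added example (not part of the original post) summarises each VirtualHost of a configuration file and flags a ProxyPassReverse target that differs from the ProxyPass target, in which case redirects sent by the backend are not rewritten as intended. The helper names audit_vhosts and sample_conf are hypothetical, and the sample configuration is constructed from the layout above with one trailing slash deliberately left off.

```shell
#!/bin/sh
# Added example: audit_vhosts and sample_conf are hypothetical helper names.

# audit_vhosts [FILE...]: one line per <VirtualHost> (reads stdin without FILE).
audit_vhosts() {
    awk '
    $1 ~ /^#/ { next }                        # skip commented-out directives
    { gsub(/"/, ""); k = tolower($1) }        # directive names are case-insensitive
    k == "<virtualhost"     { name = "(no ServerName)"; pass = rev = ""; deny = 0 }
    k == "servername"       { name = $2 }
    k == "proxypass"        { pass = $3 }     # ProxyPass <path> <backend URL>
    k == "proxypassreverse" { rev = $3 }
    k == "require" && tolower($2 " " $3) == "all denied" { deny = 1 }
    k == "proxyrequests" && tolower($2) == "on" { print "WARNING forward-proxy enabled" }
    k == "</virtualhost>" {
        if (pass == "")       print name, (deny ? "deny-all" : "serves-local-files")
        else if (pass == rev) print name, "proxy", pass, "ok"
        else                  print name, "proxy", pass, "MISMATCH reverse=" rev
    }' "$@"
}

# Constructed sample input, trimmed to the directives the audit looks at.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
 ServerName localhost
 <Location />
 Require all denied
 </Location>
</VirtualHost>
<VirtualHost *:80>
 ServerName server1.domain.com
 ProxyPass / http://srv1.domain.com/
 ProxyPassReverse / http://srv1.domain.com/
</VirtualHost>
<VirtualHost *:80>
 ServerName server2.domain.com
 ProxyPass / http://srv2.domain.com/
 ProxyPassReverse / http://srv2.domain.com
# ProxyPreserveHost On
</VirtualHost>
EOF
}

if [ "$#" -gt 0 ]; then audit_vhosts "$@"; else sample_conf | audit_vhosts; fi
```

Run it as `sh audit.sh /etc/apache2/sites-available/reverse-proxy.conf`; the first line should be the deny-all catch-all, since Apache uses the first VirtualHost as the default.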

I suggest you read the great documentation on Apache’s website for more information on how Apache handles incoming requests, their order, and which directives you can use.

Here is the doc followed by some examples :

https://httpd.apache.org/docs/2.4/vhosts/index.html

https://httpd.apache.org/docs/2.4/vhosts/examples.html

Now, enable your new configuration file :

sudo a2ensite reverse-proxy

And finally, restart Apache :

sudo service apache2 restart

Your proxy server should now work. For example, as said above, browsing to server1.domain.com should forward your requests to the app hosted on srv1.domain.com.