How to import a PFX file from IIS to Apache?

A.Fadyushin at it-centre.ru A.Fadyushin at it-centre.ru
Tue Jul 26 15:11:50 UTC 2005



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Chris W. Parker
> Sent: Monday, July 25, 2005 11:26 PM
> To: redhat-list at redhat.com
> Subject: How to import a PFX file from IIS to Apache?
> 
> Hello,
> 
> I'm trying to move one of my certificates from Windows to Linux. I've
> already created the pem file on the Linux machine with:
> 
> openssl pkcs12 -in site.pfx -out site.pem
> 
> What do I do next to get it installed?
> 
> I've searched OpenSSL's mailing list archives, this mailing list,
> google, as well as Verisign's website without any luck.
> 
> I'm sure this is going to be a simple answer I just haven't been able to
> find it yet.
> 
> 
> Thanks,
> Chris.

The PEM file you created contains the server certificate (and
intermediate certificates, if any, in the certificate chain between your
certificate and the root certificate) and the private key (which may be
encrypted, unless you remove the encryption by specifying the '-nodes'
option to 'openssl pkcs12') corresponding to your certificate.
The certificates are delimited by the lines 'BEGIN CERTIFICATE' and 'END
CERTIFICATE'; the private key is between the lines 'BEGIN RSA PRIVATE KEY'
and 'END RSA PRIVATE KEY' (another algorithm name may be shown
instead of RSA if your certificate and key are not RSA ones). Before
the certificates in that file there are strings showing the issuer
and subject names, so you can find specific certificates in
the chain.

You can split the PEM file converted from .pfx into the files needed for
Apache using any text editor. Put the parts of the file containing
intermediate certificates (including the BEGIN and END lines) into a
separate file pointed to by the Apache configuration file directive
SSLCertificateChainFile.
Put the part containing your server's certificate (including the BEGIN
and END lines) into a separate file pointed to by the directive
SSLCertificateFile.
Put the private key part of the PEM file (including the BEGIN and END
lines) into a separate file pointed to by SSLCertificateKeyFile.
Alternatively, you can add it to the file with your server's certificate;
in this case the directive SSLCertificateKeyFile should not be used.
However, the practice of having the certificate and key in the same file
is strongly discouraged.

Alexey Fadyushin
Brainbench MVP for Linux
http://www.brainbench.com
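
The manual split described in the reply above can also be scripted. The following is an added example, not part of the original message: it uses the subject= and issuer= lines that precede each certificate to pick out the server certificate regardless of order, and writes the key to its own owner-only file. The function names, the output file names (server.key, server.crt, chain.crt) and the sample bundle are assumptions made for illustration.

```python
import os
import re

# Constructed sample shaped like `openssl pkcs12` output; the base64 is filler.
SAMPLE = """subject=/CN=Example Intermediate CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0E=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=www.example.test
issuer=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRg==
-----END CERTIFICATE-----
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END RSA PRIVATE KEY-----
"""
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----\n?", re.S)

def split_bundle(pem_text):
    """Return (key, server_cert, chain) from `openssl pkcs12` PEM output."""
    keys, certs, pos = [], [], 0
    for m in BLOCK.finditer(pem_text):
        header, pos = pem_text[pos:m.start()], m.end()  # lines preceding this block
        if m.group(1).endswith("PRIVATE KEY"):
            keys.append(m.group(0))
        elif m.group(1) == "CERTIFICATE":
            names = dict(re.findall(r"^(subject|issuer)=(.*)$", header, re.M))
            certs.append((names.get("subject"), names.get("issuer"), m.group(0)))
    # The server certificate is the one whose subject issued no other certificate.
    issuers = {iss for sub, iss, _ in certs if sub != iss}
    leaves = [c for c in certs if c[0] not in issuers]
    if len(keys) != 1 or len(leaves) != 1:
        raise ValueError("need one private key and one identifiable server certificate")
    chain = "".join(c[2] for c in certs if c is not leaves[0])
    return keys[0], leaves[0][2], chain

def write_apache_files(pem_text, outdir):
    """Write server.key (mode 0600), server.crt and, if any, chain.crt."""
    key, cert, chain = split_bundle(pem_text)
    files = (("server.key", key, 0o600), ("server.crt", cert, 0o644),
             ("chain.crt", chain, 0o644))
    for name, body, mode in [x for x in files if x[1]]:
        fd = os.open(os.path.join(outdir, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            f.write(body)
    return key, cert, chain
```

The three files map to SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile respectively. If the key was exported without '-nodes' it stays encrypted in server.key.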
