Microsoft Certificate Authority Certificate To Linux / Apache / hMailServer

Want to make a certificate for your Linux server? Or do you have a Windows mail server (hMailServer, say) that needs a private key and certificate, but because your Microsoft Certificate Authority runs in Enterprise CA mode you struggle to get it to issue one?

Unfortunately this is not well documented, because Microsoft assumes that all certificate requests will come from programs that are aware of the Microsoft Certificate Authority and, in Enterprise CA mode, will state which certificate template the request belongs to.

A Microsoft Certificate Authority installed in the Active Directory integrated "Enterprise Certificate Authority" mode (rather than "Standalone Certificate Authority" mode) requires every request to name a specific certificate "Template". Submitting a request that carries no template, for example with certreq -submit from the command line rather than through the Microsoft Certificate Authority website, produces the rather annoying error:
The request contains no certificate template information 0x80094801 (-2146875391). Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.

The same request is accepted from the command line if the template is supplied as a request attribute, e.g. certreq -submit -attrib "CertificateTemplate:WebServer" PBX_SigningRequest.csr (WebServer is the template's internal name; "Web Server" is its display name). The web enrollment route described below adds that attribute for you.

To generate a new private key and certificate signing request on the Linux server, type (-nodes writes the key unencrypted, which is what Apache and hMailServer expect; protect it with file permissions instead, e.g. chmod 600):
openssl req -new -newkey rsa:2048 -nodes -keyout PBX_PrivateKey.key -out PBX_SigningRequest.csr

This will generate a certificate signing request ready to be given to the CA; when prompted, make the Common Name the host name clients will connect to. Copy the CSR (not the private key, which must stay on the server) to your CA: open the CSR in a text editor, visit the Microsoft Certificate Authority website for your server (something like http://server/CertSrv), click "Request a certificate", then "Or, submit an advanced certificate request.", paste the CSR into the text box and, importantly, select "Web Server" under "Certificate Template:". It does not matter that the certificate is for a mail server: the Web Server template issues a server authentication certificate, which is what TLS clients of a mail server check as well. Click "Submit ->" and, depending on your CA's policy (either the request waits for an Administrator to approve it, or it is issued immediately), you will be issued a signed certificate; download it Base64 encoded and it is ready for use on your server of choice.

Should you already have an existing certificate (say for your IIS web server) and want to move it to a Linux server (say Apache), you may find that exporting it with its private key produces a combined PFX (Personal Information Exchange / PKCS#12) file, which Tomcat is content with but Apache is not.

To convert it to a more useful Linux Apache PEM file:

Type "openssl pkcs12 -in filename.pfx -nocerts -nodes -out PBX_PrivateKey.pem" (you will be prompted for the export password) to extract the private key; no certificates are output. Because of -nodes the resulting key is unencrypted, so restrict its permissions (chmod 600) straight away.

Then type "openssl pkcs12 -in filename.pfx -clcerts -nokeys -out PBX_Certificate.pem" to extract the server certificate. Note that -clcerts outputs only the end-entity certificate; if the PFX also contains the issuing CA certificates, extract them separately with "openssl pkcs12 -in filename.pfx -cacerts -nokeys -out PBX_Chain.pem" so Apache can serve the chain.

Success, you should now have your private key and certificate back!
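The two procedures above (generating a key and CSR for the CA, and splitting an exported PFX back into PEM files), run end to end as an added example; this is not code from the original post. Because the Microsoft CA is not reachable offline, a throwaway self-signed CA stands in for it, and the host names, file names and PFX password are assumptions. It also adds what the one-liners leave out: subjectAltName, key usage and serverAuth in the CSR, the issuing chain from the PFX, and a check that the key and certificate actually belong together before Apache is pointed at them.

```shell
#!/bin/sh
# Added example, not code from the original post. Host names, file names and
# the PFX password are assumptions for illustration; the "Test Lab CA" is a
# stand-in for the Microsoft Enterprise CA so the script runs offline.
set -eu

SRV_HOST="${SRV_HOST:-pbx.example.local}"   # assumed server name
PFX_PASS="changeit"                         # assumed export password
KEY=PBX_PrivateKey.key
CSR=PBX_SigningRequest.csr
CERT=PBX_Certificate.cer

# OpenSSL request config. Modern clients ignore the CN and match the
# subjectAltName, so the CSR carries one (plus the extensions the Web Server
# template would issue anyway).
write_csr_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $SRV_HOST

[ v3_req ]
subjectAltName = DNS:$SRV_HOST, DNS:mail.example.local
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# The post's "openssl req" line, driven by the config above.
make_csr() {
    write_csr_config req.cnf
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$KEY" -out "$CSR" 2>/dev/null
    chmod 600 "$KEY"                        # only the CSR leaves this host
}

# SANs exactly as the CA will read them out of the CSR.
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# Stand-in for pasting the CSR into http://server/CertSrv with the
# "Web Server" template: a one-day self-signed CA signs the request.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Lab CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl x509 -req -in "$CSR" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile req.cnf -extensions v3_req -out "$CERT" 2>/dev/null
}

# What a Windows "export with private key" produces: key, certificate and
# chain in one password-protected PKCS#12 file.
build_pfx() {
    openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -certfile ca.crt \
        -passout "pass:$PFX_PASS" -out "$1"
}

# The post's two conversions, plus the issuing chain Apache needs.
split_pfx() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$PFX_PASS" -out key.pem
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$PFX_PASS" -out cert.pem
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$PFX_PASS" -out chain.pem
    chmod 600 key.pem
}

# Checks to run before editing the Apache config: key and certificate must
# carry the same public key; the certificate must chain to the CA and allow
# server authentication.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}
cert_is_usable() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

WORK=$(mktemp -d); cd "$WORK"
make_csr
sign_with_test_ca
build_pfx exported.pfx
split_pfx exported.pfx
openssl genrsa -out wrong.key 2048 2>/dev/null   # a key from some other server
echo "CSR SANs: $(csr_sans "$CSR")"
key_matches_cert key.pem cert.pem && echo "key.pem matches cert.pem"
key_matches_cert wrong.key cert.pem || echo "wrong.key does not match cert.pem"
cert_is_usable cert.pem chain.pem && echo "cert.pem chains to CA and allows serverAuth"
```

On the real server, replace the sign_with_test_ca step with the CertSrv submission and the downloaded Base64 certificate; everything else applies unchanged. Apache then takes key.pem, cert.pem and chain.pem as SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile, and the key_matches_cert check is the one to run first when Apache refuses to start with a key/certificate mismatch.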

