Microsoft Certificate Authority Certificate To Linux / Apache / hMailServer
Unfortunately, using Microsoft Certificate Authority this way is not that well documented, as Microsoft assumes that all certificate requests will come from Microsoft Certificate Authority aware programs (which, in the case of the Enterprise CA mode, will preferably list what template the request belongs to).
Setting Microsoft Certificate Authority to the Active Directory integrated "Enterprise Certificate Authority" mode (and not the "Standalone Certificate Authority" mode) means that every request must ask for a specific "Template". Attempting to submit a request that does not include a template via the console, rather than via the Microsoft Certificate Authority website, will generate the rather annoying error:
To generate a new request, on a Linux server type:
This will generate a certificate signing request (CSR) ready to be given to the CA. Copy the CSR (not the private key, which should be kept private) to your CA: open the CSR in a text editor, visit the Microsoft Certificate Authority website for your server (something like http://server/CertSrv), click "Request a certificate" and select "Or, submit an advanced certificate request.". Paste the CSR into the text box and, importantly, select "Web Server" under "Certificate Template:" (it does not really matter if this is for a mail server). Then click "Submit ->". Depending upon your CA's policy (it will either require Administrator intervention or just issue), you should be issued with a signed certificate ready for use on your server of choice.
Should you already have an existing certificate (say for your IIS web server) that you would like to export to a Linux server (say Apache), you may find that exporting it places it in the combined PFX (Personal Information Exchange / PKCS#12) format, which Tomcat is content with but Apache is not.
To convert it to a more useful Linux Apache PEM file:
Type "openssl pkcs12 -in filename.pfx -nocerts -nodes -out PBX_PrivateKey.pem" (you will be prompted for the password) to export the private key (no certificates at all will be output).
Then type "openssl pkcs12 -in filename.pfx -clcerts -nokeys -out PBX_Certificate.pem" to export the certificate.
Success, you should now have your private key and certificate back!
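The conversion above with two checks added, as an example that is not part of the original article: the unencrypted key is written owner-only, and the exported key is compared against the exported certificate before either file is handed to Apache. The function names, the PFX_PASS environment variable and the throwaway demo.pfx are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, PFX_PASS and
# demo.pfx are assumptions; output file names follow the article.

# pfx_to_pem <file.pfx> <outdir>: run the two export commands. The password is
# read from $PFX_PASS so it does not show up in the process list.
pfx_to_pem() {
    pfx=$1; out=$2
    old_umask=$(umask)
    umask 077    # -nodes writes the key unencrypted, so create it owner-only
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS \
        -out "$out/PBX_PrivateKey.pem" 2>/dev/null
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS \
        -out "$out/PBX_Certificate.pem" 2>/dev/null
}

# key_matches_cert <key.pem> <cert.pem>: succeed only when the private key and
# the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway self-signed certificate packed as a PFX.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -passout env:PFX_PASS -out "$1/demo.pfx" 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    PFX_PASS=constructed-demo-password; export PFX_PASS
    make_demo_pfx "$work" && pfx_to_pem "$work/demo.pfx" "$work" &&
        key_matches_cert "$work/PBX_PrivateKey.pem" "$work/PBX_Certificate.pem"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

demo && echo "private key and certificate match"
```

For a real export, set PFX_PASS in the environment and call pfx_to_pem with your own filename.pfx and an output directory, then run key_matches_cert on the two resulting files.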