Apache SSL Signing Request with Active Directory Certificate Services

Setup the DNS Address

Make sure that you have DNS configured with the correct FQDN before proceeding. 

Generate a Private Key 

Generate a Private Key

openssl genrsa 2048 > wiki.key

Generate a Request

openssl req -new -key wiki.key  -sha256 > wiki.csr

The important thing on the openssl Req is that you get your common name right. If your server has multiple DNS names, you will need to look into specifying your Subject Alternate Names. Currently not covered in this howto.

Sign the Request on The CA

Copy the Request Over to the CA

certreq -submit -attrib "CertificateTemplate: WebServer" .\wiki.csr

Move the Generated .crt file back over to the server

Place the .key and the .crt files in the apache2 directory. I recommend creating the following directory

/etc/apache2/ssl

sudo mkdir /etc/apache2/ssl && cd /etc/apache2/ssl

sudo chmod 400 *.key

cd ../sites-available

sudo vi default-ssl.conf

Change the following Lines:

SSLCertificateFile        /etc/ssl/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

To

SSLCertificateFile /etc/apache2/ssl/wiki.crt

SSLCertificateKeyFile /etc/apache2/ssl/wiki.key

Restart Apache 

This varies from distro to distro, but for me its

sudo service apache2 restart

Verify it works

Navigate to your web server via FQDN. Check your thumbprints against what you have installed on the server. 

To get your sha1 thumbprint on the crt, you can use the following:

openssl x509 -noout -in /etc/apache2/ssl/wiki.crt -fingerprint -sha1

Compare the fingerprint here with the thumbprint listed when you inspect the certificate.