Extracting web server private SSL keys

There are up to three phases in the process of extracting private keys:

  1. Extract the key from the server configuration.
  2. Encode the key into PEM format.
  3. Decrypt the key's password. In some cases, however, not all steps are needed, or steps may be combined. For details, see the applicable section below.

Apache/OpenSSL server

This section describes how to extract web server private RSA keys for Apache/OpenSSL Server. This procedure has been tested on:

  • Apache versions apache-1.3.12-25 and above
  • openssl-0.9.5a-14 on Red Hat Enterprise Linux 6.2

Extracting the key from the server configuration

The Apache Web server already stores its server key in PEM-encoded format. The key is placed in a directory specified in the server configuration file (typically /etc/httpd/conf/httpd.conf) and is defined by the directives SSLCertificateFile or (if the server key is separated from its certificate) SSLCertificateKeyFile. The default location of the file is /etc/httpd/conf/ssl.key.

Encoding the key into PEM format

For Apache/OpenSSL Server, encoding the key into PEM format is not required, because the key is already in PEM format.

Decrypting the key's password

For Apache/OpenSSL Server, decrypt the key with the openssl command:

openssl rsa -in encrypted_key_filename -out decrypted_key_filename

You are prompted for a password.

Microsoft IIS 4.0 server

This section describes how to extract web server private RSA keys for Microsoft IIS 4.0 Server. This procedure has been tested on Microsoft IIS 4.0/WinNT4.0 SP6a.

Extracting the key from the server configuration

To extract the key for Microsoft IIS 4.0 Server, you must create a backup copy of your server certificate and the private key as follows:

  1. Open Key Manager (from IIS management console or menu).

  2. Select the key to export (under WWW) and select Key  ► Export from the menu.

  3. Choose a file (for example, temp.key) and click Finish.

    Now you have one file with the combined server key file and server certificate and you can extract the key.

  4. Open the backup file (in this example, temp.key) in an editor in hexadecimal mode.

  5. Find the string “private-key” in the file.

  6. Scan back until you find the hex values “30 82”.

  7. Write from that position to a new file (for example, tmp.bin).

For the above example, issue the following command:

dd if=temp.key of=temp.bin bs=1 skip=29

This is because you have to write the new file beginning with the 29th (0x1d) octet.

Encoding the key into PEM format and decrypting the password

Microsoft IIS stores its keys in NET format. To recode it in PEM format, use the following openssl command on the NAM Probe:

openssl rsa -inform NET -in tmp.bin -out key.pem

You are prompted for a password. If you get an error after entering the password, try adding the -sgckey option to the openssl command.

Microsoft IIS 5.0 server

This section describes how to extract web server private RSA keys for Microsoft IIS 5.0 Server. This procedure has been tested on IIS 5.0/Win2kPro SP2.

Extracting the key from the server configuration

In the 4.0 release of IIS, Key Manager was used to back up server certificates. In the IIS 5.0, Web Server Certificate Wizard replaces Key Manager. Because IIS works closely with Windows, you can use the Certificate Manager tool to export and back up your server certificates.

This procedure requires Certificate Manager.

If you do not have Certificate Manager installed in the MMC, you will need to install it (see To install Certificate Manager: below) and then go to To back up your server certificate:.

If you already have Certificate Manager installed in the MMC, it will point to the correct Local Computer certificate store. In this case, skip directly to the To back up your server certificate:

To install Certificate Manager:

  1. Open an MMC console and select Add/Remove Snap-in from the Console menu.
  2. Click Add.
  3. Select Certificate Manager.
  4. Click Add.
  5. Select the Computer account option.
  6. Select the Local Computer option.
  7. Click Finish.

To back up your server certificate:

Locate the correct certificate store. This is typically the Local Computer store in Certificate Manager.

Select the certificate in the Personal store.

Open the Action menu, point to All tasks, and click Export.

In the Certificate Manager Export Wizard, select Yes, export the private key.

Accept the wizard default settings and enter a password for the certificate backup file when prompted.

Caution:

Do not select Delete the private key if export is successful, because this will disable your current server certificate. Be sure that PKCS12 format is chosen.

Use the wizard to export a backup copy of your server certificate.

Now you have one file that combines a server key file and a server certificate in PKCS12 format.

Encoding and decrypting the key into PEM format

To recode the key to PEM format, use the following openssl command on the NAM Probe:

openssl pkcs12 -nocerts -in key.pfx -out key.pem -nodes

You are prompted for a password. Provide the same password you used during key backup.

Zeus

This section describes how to extract web server private RSA keys for Zeus. This procedure has been tested on Zeus Web Server v4.0.

Extracting the key from the server configuration

Zeus already stores its server key in PEM-encoded format. The key is placed in the directory specified in the configuration file (typically %zeushome%/webadmin/conf/ssl_config) and is defined by the directive [instance_name ]!private .

The default location is %zeushome%/web/ssl/

Encoding the key into PEM format

For Zeus, encoding the key into PEM format is not required, because the key is already in the PEM format.

Decrypting the key's password

For Zeus, decrypting the key's password is not required, because Zeus does not support key password encryption.

iPlanet web server

This section describes how to extract the Verisign SSL private keys from an iPlanet Web Server to pk12 format.

Set up the environment and the current working directory

Set up the environment and the current working directory as follows:

  1. Set the LD_LIBRARY_PATH environment variable to <server_root>/bin/https/lib. Example:
    export LD_LIBRARY_PATH=$[LD_LIBRARY_PATH:/opt/services/iplanet6sp5/bin/https/lib](http://LD_LIBRARY_PATH/opt/services/iplanet6sp5/bin/https/lib)
  2. Add <server_root>/bin/https/admin/bin to the PATH environment variable, for example:
    export PATH=$[PATH:/opt/services/iplanet6sp5/bin/https/admin/bin](http://PATH/opt/services/iplanet6sp5/bin/https/admin/bin)
  3. Locate the pk12util utility. Example:
    which pk12util/opt/services/iplanet6sp5/bin/https/admin/bin/pk12util
    
  4. Locate the certutil utility such as:
    which certutil/opt/services/iplanet6sp5/bin/https/admin/bin/certutil
    
  5. Change the current working directory to the server root directory. Example:
    cd /opt/services/iplanet6sp5/

Convert the .db files to PKCS12 format

Convert the .db files to PKCS12 format as follows:

  1. Create a temporary directory. Example:
    mkdir /tmp/alias

  2. Change the current working directory to the <server_root>/alias directory, for example:
    cd /opt/services/iplanet6sp5/alias

  3. Copy the .db files to the temporary directory. Example:

    cp [https-pweb1.hap.org](http://https-pweb1.hap.org)-pweb1-key3.db
    [https-pweb1.hap.org](http://https-pweb1.hap.org)-pweb1-cert7.db /tmp/alias
    
  4. Change the current working directory to the temporary directory, for example:
    cd /tmp/alias

  5. Create symbolic links of the files to be converted. Example:

    ln -s https-pweb1.hap.org-pweb1-key3.db key3.db
    ln -s https-pweb1.hap.org-pweb1-cert7.db cert7.db
    
  6. Run the certutil utility. The -K option lists the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal (“0x ” is not shown). The -d option specifies the database directory containing the certificate and key database files. This example uses the current directory “. ” as the directory.

    certutil -K -d .Enter Password or Pin for "NSS Certificate DB":
    <0> Server-Cert
    

    The converted files reside in the current working directory, /tmp/alias, in this example.

Export the SSL certificate and key

Export the SSL certificate and key as follows:

Run the pk12util utility, supplying as arguments the directory containing the converted certificate .db file, the name of the export file to create and the certificate name.

Example:

pk12util -d /tmp/alias -o /tmp/pweb1_certpk12 -n Server-CertEnter Password or Pin for 'NSS Certificate DB':
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

WebSphere

This section describes how to extract web server private RSA keys for Websphere. This procedure has been tested on Websphere 6.1.

Extracting the key from the server configuration

The exact location of your keystore depends on the amount of Websphere cells and nodes you have configured, and the configuration of the SSL store handling.

In a managed environment, you would typically find all the cells and nodes rolling back up to one centralized store. This centralized store is held in a file with the JKS extension and can be handled by the iKeyMan utility to export/convert it.

Log in to your Websphere Integrated Solutions Console

In the left-hand menu, expand Security ► SSL Certificate and Key Management

Under Configuration Settings click Manage Endpoint Security Configurations.

Expand the nodes / servers into the server where you are hosting your SSL encrypted applications.

Click the WC_defaulthost_secure entry and under Related Items click the Key Store and Certificates option.

Note the location for:

  • Cell default key store, for example: $CONFIG_ROOT/cells/productioncell1/privatekey.p12
  • Cell default certificate store, for example: $CONFIG_ROOT/cells/productioncell1/certificate.p12

Locate those files on your files system. Typically $CONFIG_ROOT is under the location of the Deployment Manager central repository.

Note

Note that your file extention might not be P12, but JKS . This means you have to use iKeyMan to convert the JKS into a PKCS#12 file first.

Encoding the key into PEM format

To convert the private key from pkcs12 to PEM format, user the following commands:

with passphrase

 openssl pkcs12 -in privatekey.p12 -out privatekey.pem -passout pass:yourpassphrase

where privatekey.p12 is the extracted key from the key store, privatekey.pem is the output key file after the conversion, and yourpassphrase is your passphrase.

without passphrase

 openssl pkcs12 -in privatekey.p12 -nodes -nocerts -out key.pem

where privatekey.p12 is the extracted key from the key store, key.pem is the output key file after the conversion.