Exporting an SSL certificate from an IIS Windows server.

First export your IIS certificate into a .pfx file (this is something you should do anyway for backup):

  • Run mmc.exe
  • Click the 'Console' menu and then click 'Add/Remove Snap-in'.
  • Click the 'Add' button and then choose the 'certificates' snap-in and click on 'Add'.
  • Select 'Computer Account' then click 'Next'.
  • Select 'Local Computer' and then click 'OK'.
  • Click 'Close' and then click 'OK'.
  • Expand the menu for 'Certificates' and click on the 'Personal' folder.
  • Right click on the certificate that you want to export and select 'All tasks' → 'Export'.
  • A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.

Convert SSL certificates generated for IIS to private key and certificate files you can use on Apache for Windows or Linux.

Run openssl to extract the private key, and the cert file.

  • Export the private key file from the pfx file

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

  • Export the certificate file from the pfx file

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

  • Remove the passphrase from the private key so Apache won't prompt you for your passphrase when it starts. The resulting server.key is unencrypted, so keep it readable only by the account that starts Apache.

openssl rsa -in key.pem -out server.key
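
The three steps above as a non-interactive script, followed by a check that the extracted key really belongs to the extracted certificate before either is deployed. This is an added example, not part of the original page; the PFX_PASS variable, the function and file names, and the throwaway self-signed certificate are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: the pkcs12/rsa steps above without prompts, plus a key/cert check.
# PFX_PASS, the paths and the sample certificate are constructed for this demo.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # key_matches_cert <keyfile> <certfile>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write key.pem, cert.pem and the passphrase-free server.key into <outdir>.
# The PFX password is read from the environment (env:PFX_PASS) so that it
# does not appear on the command line.
pfx_to_apache() {  # pfx_to_apache <file.pfx> <outdir>
    (
        umask 077   # files created below are readable by the owner only
        mkdir -p "$2" &&
        openssl pkcs12 -in "$1" -nocerts -out "$2/key.pem" \
            -passin env:PFX_PASS -passout env:PFX_PASS &&
        openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/cert.pem" \
            -passin env:PFX_PASS &&
        openssl rsa -in "$2/key.pem" -out "$2/server.key" -passin env:PFX_PASS &&
        key_matches_cert "$2/server.key" "$2/cert.pem"
    )
}

# Constructed sample input: a throwaway self-signed certificate packed into a PFX.
make_sample_pfx() {  # make_sample_pfx <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -out "$1/site.pfx" -inkey "$1/orig.key" \
        -in "$1/orig.crt" -passout env:PFX_PASS
}

export PFX_PASS="constructed-example-pass"
work=$(mktemp -d)
if make_sample_pfx "$work" && pfx_to_apache "$work/site.pfx" "$work/out"; then
    echo "server.key matches cert.pem"
else
    echo "extraction or key/certificate check failed" >&2
fi
```

With a real export, set PFX_PASS to the password chosen in the export wizard and call pfx_to_apache on your own .pfx file instead of the sample.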

Convert SSL certificates from .crt to .pem or .pfx (Windows / Linux compatibility)

  • Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

  • Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM (the -nodes option writes the private key unencrypted)

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Importing your certificate on IIS

Importing your Certificate/Private Key (from .pfx file format)

  • From the Start menu, select “Run…”. Type “mmc” and hit Enter.
  • Under the File menu choose Add/Remove Snap in.
  • Click Add, then from the Add Standalone Snap-in panel choose Certificates, and click Add.
  • Choose Computer Account and click Next, then choose Local Computer and click Finish.
  • Close the Add Standalone Snap-In window by clicking Close.
  • Close the Add/Remove Snap-in window by clicking OK.
  • Click the + to expand the Certificates (Local Computer) console tree.
  • Right-click on the Personal certificates store (folder).
  • Choose All Tasks > Import.
  • Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
  • Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.

Configuring your certificate on IIS

  • In your IIS manager, right-click on the site on which you would like to use the certificate and select Properties.
  • Click on the Directory Security tab and hit the Server Certificate button. This will start the server certificate wizard.
  • If given the option, choose to 'Assign an existing certificate' to the site and choose the new certificate that you just imported.

If you do not have that option, you should be asked what you want to do with the current certificate on the site. Choose the option to “replace” your current certificate.

  • Browse to the .pfx file that you created earlier.
  • Finish the certificate wizard.

Occasionally a server or IIS restart is required before your server will recognize the new certificate.

Last modified: 06/05/2013 at 16:03 by Emerick M. (Gandi)