In this post we will look at how to move an SSL certificate (.pfx) from IIS 8 to an Apache server. Apache requires two files:
1 – Server.key: the private key associated with the certificate
2 – Server.crt: the public SSL certificate issued by the certificate authority.
To move an SSL certificate from Microsoft IIS 8.0 to an Apache server, the certificate must be converted from PKCS#12 (.p12 or .pfx) into two separate files (the private key and the public certificate).
Step 1: Export certificate in IIS 8
- From the web server, click Start
- In the Search programs and files field, type mmc
- From the Programs list, click mmc.exe
- At the permission prompt, click Yes
- From the Microsoft Management Console (MMC), click File > Add/Remove Snap-in
- From the list of snap-ins, select Certificates
- Click Add
- Select Computer account
- Click Next
- Select Local computer (the computer this console is running on)
- Click Finish
- In the Add/Remove Snap-in window, click OK
- Save these console settings for future use
- Double-click on Certificates (Local Computer) in the center window.
- Double-click on the Personal folder, and then on Certificates.
- Right-click on the certificate you would like to back up and choose All Tasks > Export
- Follow the Certificate Export Wizard to back up your certificate to a .pfx file.
- Choose ‘Yes, export the private key’
- Choose “Include all certificates in certificate path if possible.” (do NOT select the delete Private Key option)
- Enter a password you will remember
- Choose a location to save the file
- Click Finish
- You will receive a message > “The export was successful.” > Click OK
- The .pfx file backup is now saved in the location you selected.
Using OpenSSL, you can extract the certificate and private key from the .pfx file.
To extract the private key from a .pfx file, run the following OpenSSL command:
openssl.exe pkcs12 -in myCert.pfx -nocerts -out privateKey.pem
The private key that you have extracted will be encrypted. To decrypt the file so that it can be used, run the following command:
openssl.exe rsa -in privateKey.pem -out private.pem
The resulting private.pem file should be the key file that you want. Open it in Notepad to make sure no additional information appears as text in the file. There may be some additional lines displaying the DN and Bag Attributes. Remove all of these so that the file contains only the key block, from the -----BEGIN RSA PRIVATE KEY----- line through the -----END RSA PRIVATE KEY----- line.
You can now use this as your Server.key file on your Apache Server.
To get the corresponding server certificate, run the following OpenSSL command:
openssl.exe pkcs12 -in myCert.pfx -clcerts -nokeys -out ServerCert.pem
Now you can use both Server.key and ServerCert.pem on the Apache server.
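The Notepad check described above can be scripted. The following Python code is an added example, not part of the original post: it drops the Bag Attributes text that OpenSSL writes around each PEM block and flags a key that is still encrypted or a certificate file that contains a private key. The function names and the sample data are constructed for illustration.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, encrypted, pem) per block, dropping the 'Bag Attributes',
    'subject=' and 'issuer=' lines that openssl pkcs12 writes around them."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        lines = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
        # Traditional encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header;
        # PKCS#8 ones use the label "ENCRYPTED PRIVATE KEY".
        encrypted = label.startswith("ENCRYPTED") or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        if not any(ln.startswith("Proc-Type:") for ln in lines):
            base64.b64decode("".join(lines), validate=True)  # raises if damaged
        blocks.append((label, encrypted, m.group(0).replace("\r\n", "\n") + "\n"))
    return blocks


def check_pair(key_text, cert_text):
    """Return a list of problems; an empty list means the files look usable."""
    keys, certs = pem_blocks(key_text), pem_blocks(cert_text)
    problems = []
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        problems.append("key file must hold exactly one private key")
    elif keys[0][1]:
        problems.append("private key is still encrypted")
    if any(label.endswith("PRIVATE KEY") for label, _, _ in certs):
        problems.append("certificate file contains a private key")
    if not any(label == "CERTIFICATE" for label, _, _ in certs):
        problems.append("certificate file holds no certificate")
    return problems


# Constructed sample shaped like openssl pkcs12 output; the body is placeholder
# bytes, not key material.
BODY = base64.b64encode(b"constructed placeholder, not key material").decode()
SAMPLE_KEY = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
              "Key Attributes: <No Attributes>\n"
              f"-----BEGIN RSA PRIVATE KEY-----\n{BODY}\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
               "subject=CN = www.example.test\nissuer=CN = Example Test CA\n"
               f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("".join(pem for _, _, pem in pem_blocks(SAMPLE_KEY)), end="")
    print(check_pair(SAMPLE_KEY, SAMPLE_CERT) or "no problems found")
```

This checks the shape of the two files only; it does not verify that the private key belongs to the certificate.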
Assigning the domain SSL certificate to Apache
After you have converted the .pfx file, you will need to copy the newly created files to the Apache server and edit your Apache configuration file to use them. You have to enable SSL in the httpd configuration and change the virtual host for your domain under the /etc/httpd/conf.d/ folder.
I have also written a post about How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL.