Moving SSL Certs from IIS to Apache
August 27, 2003
I found some instructions for converting SSL certificates generated for IIS to private key, and cert files you can use on unix, or Apache for windows.
First Export your IIS certificate into a pfx file (this is something you should do anyways for backup)
- Run mmc.exe
- Click the 'Console' menu and then click 'Add/Remove Snap-in'.
- Click the 'Add' button and then choose the 'certificates' snap-in and click on 'Add'.
- Select 'Computer Account' then click 'Next'.
- Select 'Local Computer' and then click 'OK'.
- Click 'Close' and then click 'OK'.
- Expand the menu for 'Certificates' and click on the 'Personal' folder.
- Right click on the certificate that you want to export and select 'All tasks' -> 'Export'.
- A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.
# Export the private key file from the pfx file openssl pkcs12 -in filename.pfx -nocerts -out key.pem # Export the certificate file from the pfx file openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem # This removes the passphrase from the private key so Apache won't # prompt you for your passphase when it starts openssl rsa -in key.pem -out server.key
add to del.icio.usRelated Entries
- How to Get a Green SSL Certificate - November 18, 2009
- IIS: Disabling Weak SSL Protocols and Ciphers - October 8, 2009
- ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only - August 20, 2009
- Signing Jar Files (converting pvk to p12) - March 29, 2004
Trackbacks
Trackback Address: 16/195A38186A1E17FDB0DA824192C835B8
- Moving SSL Certs from IIS to Apache Tech Zombie - The Technicians WebSite
Comments
On 09/15/2004 at 7:58:56 PM EDT Anonymous wrote:
1
This is great! Thank you for the clear step by step!
On 09/20/2004 at 4:54:04 AM EDT Stefan Nielsen wrote:
2
Great article! Very useful step by step.
On 10/16/2004 at 10:35:59 PM EDT Dace wrote:
3
Thanks - this helped a lot
On 12/07/2004 at 10:06:13 AM EST DrPeanut wrote:
4
Thanks for your help,
On 02/21/2005 at 10:28:33 AM EST Anonymous wrote:
5
real real fine
On 03/25/2005 at 8:36:17 AM EST olas wrote:
6
glad to used octagate
On 03/29/2005 at 9:33:59 AM EST aditya wrote:
7
short and sweet. all seems so clear and refined when someone with real knowledge can give a to-the-point answer
On 04/05/2005 at 10:15:44 AM EDT aditya wrote:
8
Hi all, everything else is fine, but I need some more inputs. I installed a certificate on to my site using the above instructions. the problem with the resultant certificate is that somehow, the information regarding the CA authority is not transferred to teh converted certificate, and hence the certificate never gets installed. everytime a person hits the site with a new browser, there is a popup for accepting the certificate. Can any one please let me know how the information loss can be removed? Please also mail the response at adityamangla@hotmail.com (if you think its ok). thanks in advance.
On 05/19/2005 at 10:40:32 AM EDT mattj wrote:
9
Excellent - very useful, worked first time
On 05/31/2006 at 10:47:03 AM EDT mosho wrote:
10
Yes this guide works, but then how do you get the files to work in Apache under Linux?
On 05/08/2007 at 1:19:01 PM EDT Damien McKenna wrote:
11
Good stuff, worked perfectly to migrate from IIS6 to Apache 2.2 on Winders. Thanks, Pete.
On 08/17/2007 at 4:04:50 AM EDT paulb wrote:
12
Is there a mirror for the instructions link? http://www.freeroller.net/page/kwiersma/20030401 doesn't seem to work anymore.
I followed the instructions and ended up with a server.key, key.pem and a cert.pem. But i read a other tutorial saying i need a .cert file and a .key file instead of .pem file. What amn i doing wrong?
Thanks for any help in advance!
On 09/17/2007 at 1:36:15 AM EDT Trudge wrote:
13
"I followed the instructions and ended up with a server.key, key.pem and a cert.pem. But i read a other tutorial saying i need a .cert file and a .key file instead of .pem file. What amn i doing wrong?"
the .pem file contains the text for your cert file AND your key file.
Paste EVERYTHING (including the following lines) in between these lines into your WHATEVER.key file: -----BEGIN RSA PRIVATE KEY----- BLAH BLAH BLAH -----END RSA PRIVATE KEY-----
Paste EVERYTHING (including the following lines) in between these lines into your WHATEVER.cert file: -----BEGIN CERTIFICATE----- MORE BLAH BLAH BLAH -----END CERTIFICATE-----
Now you have a cert and a key file.
On 10/31/2007 at 10:11:35 AM EDT Dunk wrote:
14
"I installed a certificate on to my site using the above instructions. the problem with the resultant certificate is that somehow, the information regarding the CA authority is not transferred to teh converted certificate, and hence the certificate never gets installed."
You'll want to dosomething like:
openssl pkcs12 -in filename.pfx -cacerts -nokeys -out cacert.pem
And add the cacert to your apache config so it knows the Cert Authority.
On 02/19/2008 at 8:39:58 AM EST Juan Diego wrote:
15
Very useful. I've translated it into Spanish:
http://enreas.com/wiki/Trasladar_un_certificado_SSL_de_IIS_a_Apache
On 01/12/2009 at 10:13:24 AM EST Greg Stevens wrote:
16
Thanks Pete, as usual you have proven to be a wealth of useful information!
On 08/21/2009 at 12:12:37 AM EDT lotus wrote:
17
yalar?m.... çok sa?olas?n
On 12/30/2009 at 2:10:46 PM EST Fab wrote:
18
Many thanks !!!
On 01/14/2010 at 5:19:28 AM EST Anonymous wrote:
19
Thank you! This just saved my butt :)
On 01/30/2010 at 3:44:13 AM EST BestWorldsIT wrote:
20
If you're trying to setup a GoDaddy SSL from a .pfx file in Cpanel or WHM, here are a couple tips that I hope will save you some time. * first remove any files in the ssl/certs/ and ssl/private/ directories for the account (i.e. home/yoursite/ssl/) * if you have access to WHM, use the "Manage SSL Hosts" to double check for entries - delete any for the domain in question * then check the "SSL Key/Crt Manager" - delete anything related to the domain you're setting up SSL for * if you followed the instructions above, you'll have the certs.pem and the now decrypted key.pem, but for GoDaddy you need the CA: * openssl pkcs12 -in filename.pfx -cacerts -nokeys -out cabundle.pem * the text in those three .pem files (certs, key, cabundle) is all you need to copy into your SSL install page - crt, key, ca bundle * for WHM it's the "Install a SSL Certificate and Setup the Domain" tool
...maybe this is the long way around, but wanted to make sure I used the WHM/Cpanel tools since I don't know everything it's doing under the hood.
Post a Comment
Recent Entries
- Cache Template in Request Setting Explained
- What Version of Java is ColdFusion Using?
- ColdFusion 9 Performance Brief from Adobe
- Request Filtering in IIS 7 Howto
- J2EE Session Cookies on ColdFusion / JRun
- Hands on ColdFusion Security Training
- ColdFusion 9 Solr Vulnerability - Are you at Risk?
- FCKEditor Year 2010 Bug for Firefox 3.6 with ColdFusion
I followed the instructions and ended up with a server.key, key.pem and a cert.pem. But i read a other tutorial saying i need a .cert file and a .key file instead of .pem file. What amn i doing wrong?
Thanks for any help in advance!
the .pem file contains the text for your cert file AND your key file.
Paste EVERYTHING (including the following lines) in between these lines into your WHATEVER.key file: -----BEGIN RSA PRIVATE KEY----- BLAH BLAH BLAH -----END RSA PRIVATE KEY-----
Paste EVERYTHING (including the following lines) in between these lines into your WHATEVER.cert file: -----BEGIN CERTIFICATE----- MORE BLAH BLAH BLAH -----END CERTIFICATE-----
Now you have a cert and a key file.
You'll want to dosomething like:
openssl pkcs12 -in filename.pfx -cacerts -nokeys -out cacert.pem
And add the cacert to your apache config so it knows the Cert Authority.
http://enreas.com/wiki/Trasladar_un_certificado_SSL_de_IIS_a_Apache
...maybe this is the long way around, but wanted to make sure I used the WHM/Cpanel tools since I don't know everything it's doing under the hood.
