In this tutorial I will show you how to move an existing SSL certificate from a Windows server to a Linux server.
Here I have to say that this tutorial will work only if the certificate was installed with this option checked: “Mark this key as exportable. This will allow you to back up or transport your keys at a later time.” Check the screenshot below to see what I mean:
Well, I hope in your case this option was checked, so let’s continue with the SSL certificate migration.
First, export the certificate from the Windows server. Depending on the server configuration, you can export it from IIS:
Just in case you are not aware how:
Click the Start button -> Run… – type: inetmgr – then locate the domain, right-click it, then Properties – Directory Security – Server Certificate
Or you can export it from the MMC Certificates snap-in. Again, just in case you do not know how:
Click the Start button -> Run… – type: mmc – then Open – Add/Remove Snap-in.. – click ‘Add’, choose Certificates, choose Computer account, then ‘Local computer’. Then expand ‘Certificates’ – ‘Personal’ – ‘Certificates’, locate the certificate and right-click on it. Click ‘All Tasks’ and ‘Export..’.
Now move the exported certificate from the Windows server to the Linux server and let’s do the magic, which is called: Extract SSL certificate and key from PFX file
If you have landed on this tutorial and do not have a PFX certificate file, please visit: Migrate (move) SSL certificate from Windows to Linux.
The certificate extraction can be done with a tool called OpenSSL, which you can install from the Linux server's repository or build from source: OpenSSL. You can also use the Windows version: OpenSSL for Windows.
Once you have it installed, go to the folder where the PFX certificate is located and execute the following commands:
```sh
# To export the private key from the pfx file:
openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem
# To export the certificate from the pfx file:
openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem
# And now remove the key password:
openssl rsa -in key.pem -out key_with_no_pw.key
```
From the comments you have probably already guessed what each line does, but I will explain these lines briefly:
The first line exports the private key from the Windows certificate. Since a PFX key is always exported with a password, you will be prompted to enter it, so you must have it.
The second line exports the certificate from the PFX file.
The third line removes the password from the private key. Again, you will need the PFX file password in order to remove it. In fact, you can use the password-protected key with the Apache server, but whenever it is restarted you will be prompted for a passphrase. If you choose this option, forget about automated Apache restarts and keep in mind that you have to enter the passphrase after every server restart. Like this one:
```
/etc/init.d/apache2 start
Starting web server (apache2)…[Mon Apr 22 23:03:45 2010] [warn] module ssl_module is already loaded, skipping
Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server 127.0.0.1:443 (RSA)
Enter pass phrase:*******
OK: Pass Phrase Dialog successful.
```
My advice is to remove the password from the SSL key. If someone manages to access it on the server, this will be the least of your problems.
Well, that is it. Now you can rename the key and the certificate as per your needs and use them.
I have another tutorial related to the matter: Renew Windows SSL certificate when no key available.
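Before pointing Apache at the extracted files, it is worth checking that the key really belongs to the certificate, that the passphrase is gone, and that the unprotected key is readable only by its owner. The script below is an added example, not part of the original tutorial: it runs the three commands above unattended against a throwaway self-signed PFX and performs those checks. The function names, the sample password and the `example.test` subject are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names, the sample
# password and the example.test subject are assumptions made for this demo.

# Build a throwaway self-signed PFX standing in for win_cert.pfx (constructed data).
make_sample_pfx() {
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/src.key" -out "$dir/src.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/src.key" -in "$dir/src.crt" \
        -out "$dir/win_cert.pfx" -passout "pass:$pw"
}

# The tutorial's three commands, run unattended. "pass:" exposes the password
# in the process list, so on a real server let openssl prompt instead.
extract_pfx() {
    pfx=$1; pw=$2; out=$3
    old_umask=$(umask); umask 077    # files written below are owner-only
    openssl pkcs12 -in "$pfx" -nocerts -out "$out/key.pem" \
        -passin "pass:$pw" -passout "pass:$pw" &&
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$out/cert.pem" \
        -passin "pass:$pw" &&
    openssl rsa -in "$out/key.pem" -out "$out/key_with_no_pw.key" \
        -passin "pass:$pw"
    rc=$?; umask "$old_umask"; return $rc
}

# True if FILE holds a passphrase-protected PEM private key.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the unencrypted private key KEY belongs to certificate CERT.
# Compares the public keys, so it is not tied to one key algorithm.
key_matches_cert() {     # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_sample_pfx "$work" 'constructed-pass'
extract_pfx "$work/win_cert.pfx" 'constructed-pass' "$work"
key_is_encrypted "$work/key.pem" && echo "key.pem is passphrase-protected"
key_is_encrypted "$work/key_with_no_pw.key" || echo "key_with_no_pw.key has no passphrase"
key_matches_cert "$work/cert.pem" "$work/key_with_no_pw.key" && echo "key matches cert.pem"
ls -l "$work/key_with_no_pw.key"
```

With your own files, only `key_is_encrypted` and `key_matches_cert` are needed: run them against `cert.pem` and `key_with_no_pw.key` after the manual export.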
IIS: Export Private Key Option is Grayed When Exporting a Server Certificate
Solution for the above doesn't apply:
Yes, you would have to reissue the certificate if the private key
cannot be exported. Generate a new CSR on the Linux box that you want to
install the certificate to and follow these instructions to replace
(reissue) your certificate based on that new CSR ...
The agent is sending you to