Tuesday, June 21, 2011

Migrate (move) SSL certificate from Windows to Linux

SkyHi @ Tuesday, June 21, 2011
Often, people who are not familiar with hosting servers are enticed by sales agents into buying new SSL certificates, because "it is not possible to migrate them from Windows to Linux".
With this tutorial I will show you how to move an existing SSL certificate from a Windows to a Linux server.
Here I have to say that this tutorial will work only if the certificate was installed with this option checked: "Mark this key as exportable. This will allow you to back up or transport your keys at a later time." Check the screenshot below to see what I mean:

So, if this option was not checked during the certificate installation, I am afraid that the only option is to ask the certificate issuer.
Well, I hope in your case this option was checked, so let's continue with the SSL certificate migration.
First, export the certificate from the Windows server. Depending on the server configuration, you can export it from IIS.
In case you are not aware how:
Click Start Button -> Run… – type: inetmgr – then locate the domain, right click, then Properties – Directory Security – Server Certificate

If you have an Active Directory setup, export the certificate like this.
Again, just in case you do not know how:
Click Start Button -> Run… – type: mmc – then Open – Add/Remove Snap-in… – click 'Add', choose Certificates, choose Computer account, then 'Local computer'. Then expand 'Certificates' – 'Personal' – 'Certificates', locate the certificate and right click on it. Click 'All Tasks' and 'Export…'.

I presume you have successfully managed to export the SSL certificate as a PFX file.
Now move the exported certificate from the Windows server to the Linux server and let's do the magic, which is called: Extract SSL certificate and key from PFX file



Extract SSL certificate and key from PFX file

In this tutorial I will show you how to extract the SSL certificate and key from a PFX file, and also how to remove the password from a private SSL key.
If you have landed on this tutorial and do not have a PFX certificate file, please visit: Migrate (move) SSL certificate from Windows to Linux.
The certificate extraction can be done with a tool called OpenSSL, which you may install from the Linux server repository, or take the source from here: OpenSSL. You can also use the Windows version: OpenSSL for Windows.
Once you have it installed, go to the folder where the PFX certificate is located and execute the following commands:

    # To export the private key from the pfx file:
    openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem
    # To export the certificate from the pfx file:
    openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem
    # And now remove the key password:
    openssl rsa -in key.pem -out key_with_no_pw.key

From the comments you have probably already guessed what each line does, but I will explain them briefly:
The first line exports the private key from the Windows certificate. Since a PFX key is always exported with a password, you will be prompted to enter one, so you must have it.
The second line exports the certificate from the PFX file.
The third line removes the password from the key. Again, you will need the PFX file password in order to remove it. In fact, you can use the password-protected key with the Apache server, but whenever it is restarted you will be prompted for a pass phrase. If you choose this route, forget about automated Apache restarts and keep in mind that you have to enter the pass phrase after every server restart. Like this:

    /etc/init.d/apache2 start
    Starting web server (apache2)[Mon Apr 22 23:03:45 2010] [warn] module ssl_module is already loaded, skipping
    Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.
    Server (RSA)
    Enter pass phrase:*******
    OK: Pass Phrase Dialog successful.

My advice is to remove the password from the SSL key. If someone manages to access it on the server, this will be the least of your problems.
Well, that is it. Now you can rename the key and the certificate as per your needs and use them.
I have another tutorial related to the matter: Renew Windows SSL certificate when no key available.
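
The three openssl commands above as a non-interactive script, added here as an example (not code from the original tutorial). It also keeps the output files private and checks that the extracted key and certificate belong together. The function names, the PFX_PW variable and the self-signed sample PFX are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: the three commands above, run without prompts.
# The password is read from the PFX_PW environment variable so it does not
# appear in the process list; the same value protects the intermediate key.pem.

# Constructed test input standing in for the file exported from Windows.
make_sample_pfx() {   # usage: make_sample_pfx DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout env:PFX_PW -out "$1/win_cert.pfx"
}

extract_pfx() {       # usage: extract_pfx PFX_FILE OUTDIR
    (
        umask 077     # nothing written here may be group- or world-readable
        openssl pkcs12 -in "$1" -nocerts -passin env:PFX_PW \
            -passout env:PFX_PW -out "$2/key.pem" &&
        openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PW \
            -out "$2/cert.pem" &&
        openssl rsa -in "$2/key.pem" -passin env:PFX_PW \
            -out "$2/key_with_no_pw.key"
    )
}

# Succeeds only if the certificate's public key equals the one derived
# from the private key, i.e. the pair can be served together.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

demo() {
    d=$(mktemp -d) || return 1
    PFX_PW='constructed-demo-password'; export PFX_PW
    make_sample_pfx "$d" && extract_pfx "$d/win_cert.pfx" "$d" &&
        key_matches_cert "$d/cert.pem" "$d/key_with_no_pw.key"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo && echo "extracted key matches certificate"
```

On a real migration, call only extract_pfx and key_matches_cert on the exported file; a mismatch here means the key and certificate would fail together when the web server loads them.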


IIS: Export Private Key Option is Grayed When Exporting a Server Certificate


If the solution above doesn't apply:

    Yes, you would have to reissue the certificate if the private key
    cannot be exported. Generate a new CSR on the Linux box that you want to
    install the certificate to and follow these instructions to replace
    (reissue) your certificate based on that new CSR ...

    The agent is sending you to