Friday, June 11, 2010

How to move an SSL Certificate from Server to Server?

SkyHi @ Friday, June 11, 2010
There may be certain instances in which an SSL certificate must be moved from one server to another. An SSL certificate is bound to the server software and the common name. Therefore, the certificate and its corresponding private key may be exported from the original server and imported into the target server as long as both servers run the same server software (e.g. Apache to Apache) and the target server will be hosting a site that matches the common name. To do this, copy the .key and the .crt files to be imported into the new server's certificate control panel.

Suppose you have purchased a new Linux server and are going to transfer all the domains residing on the existing server to the new server. In that case, you may need to transfer the shared SSL certificate installed on your domain to the new server.

If your domain name and host name remain the same on both servers, you can directly transfer the existing SSL certificate for the domain hosted on the old server to the new server.

You just need to copy the following files from your old server to the new server:

* /etc/httpd/conf/ssl.key (private key)
* /etc/httpd/conf/ssl.csr (CSR file)
* /etc/httpd/conf/ssl.crt (certificate file)


Moving SSL Certs from IIS to Apache

I found some instructions for converting SSL certificates generated for IIS to private key and cert files you can use on Unix, or Apache for Windows.

First, export your IIS certificate into a .pfx file (this is something you should do anyway for backup).

* Run mmc.exe
* Click the 'Console' menu and then click 'Add/Remove Snap-in'.
* Click the 'Add' button and then choose the 'certificates' snap-in and click on 'Add'.
* Select 'Computer Account' then click 'Next'.
* Select 'Local Computer' and then click 'OK'.
* Click 'Close' and then click 'OK'.
* Expand the menu for 'Certificates' and click on the 'Personal' folder.
* Right click on the certificate that you want to export and select 'All tasks' -> 'Export'.
* A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.

Next, run openssl to extract the private key and the cert file.

# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# This removes the passphrase from the private key so Apache won't
# prompt you for your passphrase when it starts
openssl rsa -in key.pem -out server.key
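
The last command leaves an unencrypted server.key on disk, so before installing the pair on the target server it is worth confirming that cert.pem and server.key belong together and that the key is readable only by its owner. The script below is an added example, not part of the original post: it runs the three openssl commands non-interactively against a constructed throwaway PFX and compares the public keys. The CN, the passphrases and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example. File names follow the post; the CN and passphrases are
# constructed sample values. pass: arguments are visible in the process
# list, so use them only for throwaway material like this sample.

# Build a throwaway PFX so the steps can be run offline (constructed input).
make_sample_pfx() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -out "$1/filename.pfx" -passout pass:export-pw
}

# The post's three commands, made non-interactive with -passin/-passout.
extract_from_pfx() {  # $1 = working directory
    openssl pkcs12 -in "$1/filename.pfx" -nocerts -out "$1/key.pem" \
        -passin pass:export-pw -passout pass:temp-pw 2>/dev/null &&
    openssl pkcs12 -in "$1/filename.pfx" -clcerts -nokeys -out "$1/cert.pem" \
        -passin pass:export-pw 2>/dev/null &&
    ( umask 077   # server.key has no passphrase: create it owner-only
      openssl rsa -in "$1/key.pem" -out "$1/server.key" \
          -passin pass:temp-pw 2>/dev/null )
}

# Succeeds only if the certificate's public key equals the one derived from
# the private key. Unreadable or missing files never count as a match, and
# an encrypted key fails instead of prompting (empty -passin).
cert_matches_key() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo run on the constructed sample.
work=$(mktemp -d)
make_sample_pfx "$work" && extract_from_pfx "$work" &&
    cert_matches_key "$work/cert.pem" "$work/server.key" &&
    echo "cert.pem and server.key belong together"
rm -rf "$work"
```

On a real migration, call cert_matches_key on the files copied to the target server before pointing Apache at them, and remove key.pem and the .pfx once they are no longer needed.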