This procedure will help you move or copy an SSL certificate that is installed on an IIS server to an Apache server.
Step 1: Export IIS certificate into a .PFX file
- Run mmc.exe
- Click the ‘Console’ menu and then click ‘Add/Remove Snap-in’.
- Click the ‘Add’ button and then choose the ‘certificates’ snap-in and click on ‘Add’.
- Select ‘Computer Account’ then click ‘Next’.
- Select ‘Local Computer’ and then click ‘OK’.
- Click ‘Close’ and then click ‘OK’.
- Expand the menu for ‘Certificates’ and click on the ‘Personal’ folder.
- Right click on the certificate that you want to export and select ‘All tasks’ -> ‘Export’.
- A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.
Step 2: Extract the private key
Export the private key file from the .PFX file.
$ openssl pkcs12 -in filename.pfx -nocerts -out key.pem
Step 3: Extract the certificate file
Export the certificate file from the .PFX file.
$ openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
Step 4: Remove the passphrase
This command removes the passphrase from the private key so Apache won’t prompt you for the passphrase when it starts.
$ openssl rsa -in key.pem -out server.key
Extra Steps
Make sure that the following lines are present in your Apache virtual host configuration file and that their values are correct:
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /path/to/certificate/cert.pem
SSLCertificateKeyFile /path/to/key/server.key
Don’t forget to restart Apache at the end.
You saved the day!
I had a 5 domain Godaddy renewal cert. I do not have the original key but was able to get the renewal cert loaded into IIS. (I didn’t want to rekey it and go through all that nonsense again)
Took your instructions and was able to export the cert and server key for use in my Linux based appliances.
Thank you for your post. It’s a straightforward and direct-to-the-point guide. If I had read this before, it would have saved me a lot of time.
Thanks for posting.
Thank you a lot – although SSL 3.0.5 forced me to use some more parameters (-provider-path, -legacy) because of output errors.