Problem
Move Certificate from Microsoft IIS 5.0 to Apache
Resolution
Create an MMC Snap-in for Managing Certificates:
1. Select Start, then Run and MMC
2. Go into the Console Tab, then File and Add/Remove Snap-in
3. Click on Add then Certificates and Add
4. Choose Computer Account then choose Local Computer
5. Close the Add Standalone Snap-in window.
6. Select OK at the Add/Remove Snap-in window.
Export your certificate and private key .pfx file from IIS5:
1. Open the Certificates (Local Computer) snap-in you added in the last section, browse to Personal, then Certificates.
2. Your Web server certificate will appear, denoted by the CN (Common Name) found in the Subject field of the certificate (with Microsoft Internet Explorer 5.0, you can easily view the certificate to see the Common Name if you are unsure).
3. Right-click on the server certificate, then select All Tasks and click Export.
4. When the wizard starts, click Next. Choose to export the private key, and click Next again.
Note: If you export the certificate to use on an IIS Web server, do not choose Require Strong Encryption. This option may cause a password prompt every time an application attempts to access the private key, and cause IIS failure.
5. The file format you will want to choose is the Personal Information Exchange (though you can select from several options). This will create a PFX file.
- Notice that you can export any certificates in the certification path by selecting the option on this screen. This is very handy if your certificate was issued by a non-trusted certificate authority (for example, Microsoft Certificate Server). Choose to delete the private key if the export is successful only when you need to be sure it does not remain on your computer (for example, if you carry out a migration from one server to another).
6. Click Next, then choose a password for protecting the PFX file. You will need to enter the same password twice to make sure that the password is typed correctly. When you have completed this step, click Next.
7. Select the file name you want to save this as. Do not include an extension in your file name; the wizard will automatically add the PFX extension for you.
8. Click Next, and read the summary. Pay special attention to where the file is being saved. If you are sure the information is correct, select Finish.
9. You now have a PFX file containing your server certificate and its corresponding private key. Ensure you keep this file safe and private.
You may want to move it to removable media and store it somewhere safe from disturbance. Keep in mind, if you run a backup on the server, you can save this file in that backup if it is still on the server.
To convert the .pfx file to a file that your Apache server will understand:
Run the following commands using OpenSSL:
1. Export the Private key file from the .pfx file: openssl pkcs12 -in filename.pfx -nocerts -out key.pem
2. Export the Certificate file from the .pfx file: openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
3. Copy the files to the locations as described in the httpd.conf
4. To find out where the files should be copied to, run the following against httpd.conf:
- cat httpd.conf | grep SSLCertificateFile (this will give you the location of where to copy the certificate file)
- cat httpd.conf | grep SSLCertificateKeyFile (this will give you the location of where to copy the key file)
5. Restart the http daemon
If you do not wish to include a passphrase on the private key, you can use the following command: openssl rsa -in key.pem -out server.key
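The conversion steps above as a non-interactive script, with a check that the extracted key and certificate carry the same public key before Apache is restarted. This is an added example, not part of the original article: the function names, the PFX_PASS environment variable and the throwaway certificate built in demo are assumptions, and -nodes writes the key without a passphrase, as the optional last command does.

```shell
#!/bin/sh
# Added example: names, paths and the PFX_PASS variable are assumptions.

# pfx_to_apache PFX OUTDIR: write OUTDIR/key.pem and OUTDIR/cert.pem.
# The PFX password is read from the exported variable PFX_PASS, so it does
# not appear on the command line or in the process list.
pfx_to_apache() {
    (
        umask 077    # key file is owner-only from the moment it is created
        openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS \
            -out "$2/key.pem" &&
        openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS \
            -out "$2/cert.pem"
    )
}

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
# Comparing public keys works for RSA and non-RSA keys alike.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo: build a throwaway (constructed) PFX, convert it, verify the result.
demo() {
    d=$(mktemp -d) || return 1
    PFX_PASS=constructed-sample-password; export PFX_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/orig.key" -in "$d/orig.crt" \
        -passout env:PFX_PASS -out "$d/filename.pfx" &&
    pfx_to_apache "$d/filename.pfx" "$d" &&
    key_matches_cert "$d/key.pem" "$d/cert.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run key_matches_cert against the files at the SSLCertificateKeyFile and SSLCertificateFile locations before restarting the http daemon; a mismatch means the wrong key or certificate was copied.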