Entrust Certificate Services Support Knowledge Base

Audience: Administrator
Last Modified: 2006-09-12 13:30:53.0

TN 5778 - How do I move an IIS 5 or 6 certificate to an Apache server?

Before following these steps, you must be logged in to the computer that is hosting your site with full administrative privileges.  There are three main steps involved. 

Step 1:  Performed on IIS 5 or 6

The Certificates snap-in utility must be added first.

Snap-In Configuration

On the server hosting the site, use the following steps to create a new Microsoft

Management Console (MMC) and add the Certificates snap-in:

Click Start, and then click Run.
Type in "MMC" (without the quotation marks) and click OK.
Click Console in the new MMC you created, and then click Add/Remove Snap-in.
In the new window that appears, click Add.
Highlight Certificates, and then click Add.
Choose the Computer account option and click Next.
Select Local Computer on the next screen, and then click Finish.
Click Close, and then click OK.

Step 2: Perform on IIS 5 or 6

Exporting your keypair (private and public keys):
From the MMC Console opened in the above steps: Expand the 'Certificates' tree in the left preview panel
Expand the 'Personal' tree in the left preview panel and highlight 'Certificates'
Select and Right-click your certificate from the right preview panel
Select All Tasks/ Export - The Certificate Export Wizard appears
Select Next to continue.
Select Yes, to export the private key
Select Next to continue.
Ensure 'Enable Strong Protection' is checked, click Next
Supply and confirm a password for your keypair back up.

N.B. It is very important that you remember this password. If you forget it you will not be able to gain access to your Private Key.

Supply a file name and location for your keypair back up. This will create a PFX file.

N.B. Store your PFX keypair backup onto some form of removable media to ensure it is not lost.

Select Next to continue.
Select Finish.
Select OK to complete the Export.
You have successfully backed up your keypair (private and public key).

Convert the PFX file for Apache

Step 3: Perform on Apache Server

Move your PFX file to the Apache server.  To convert the .pfx file to a  file that your Apache server will understand

Run the following command using OPENSSL:

1. To export the Private key file from the .pfx file
openssl pkcs12 -in filename.p12  -nocerts -out privatekey.key
2. To export the Certificate file from the .pfx file
openssl pkcs12 -in filename.p12 -clcerts -nokeys -out sslcert.crt

filename.p12 (is your existing IIS PFX file)
privatekey.key (is your new exported private key file)
ssl.crt (is your new exported your Entrust SSL certificate)

3. You now need to copy the  files to the locations as described in the httpd.conf
4. To find out where the files should be copied to run this on the httpd.conf

cat httpd.conf | grep SSLCertificateFile  (this will give you the location of where to copy the certificate file)

cat httpd.conf | grep SSLCertificateKeyFile (this will give you the location of where to copy the key file)

5. You will now need to restart apache

Affected Products:

• Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
• Entrust Certificate Services 1 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
• Entrust Certificate Services 2 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
• Entrust Certificate Services 2 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
• Entrust Certificate Services Cert Admin Advantage Server Certificate 1 Year Version Not Applicable Language Not Applicable Platform Not Applicable
• Entrust Certificate Services Cert Admin Advantage Server Certificate 2 Year Version Not Applicable Language Not Applicable Platform Not Applicable