Wednesday, March 5, 2008

Manually Migrating SSL Certificates between Apache and IIS

Usually, the only time you will have to migrate an SSL certificate for a domain by hand is when one server is running Apache and the other is running IIS. In this article, we will cover moving certificates back and forth between the two servers. The key point to remember is that Apache usually keeps the certificate and key in plaintext files protected only by OS file permissions, while IIS stores a certificate in its own password-protected container (a .pfx file when exported).

In reality a working certificate always consists of two parts: the certificate itself and its associated RSA private key. Both are necessary for the certificate as a whole to work properly, and the private key is the part that must be protected during the move.

1. Converting a plaintext certificate into a password-protected .pfx file for import into IIS
In order to convert the plaintext certificate, we will need to combine the key with the cert as discussed earlier. A good naming convention is www.domain.com.key and www.domain.com.crt. You will want to combine these two files into a .pem file and then package that as a .pfx. You can do this using OpenSSL on any Linux server running Apache. Enter the following commands:

cat www.domain.com.key www.domain.com.crt > www.domain.com.pem   # combines the two files into one .pem
openssl pkcs12 -export -in www.domain.com.pem -out www.domain.com.pfx

You will be prompted twice to create an export password. Remember it, as you will need it to install the cert in IIS.

You will then have a proper .pfx file that IIS can understand. Now you can transfer the certificate to your Windows server. I find the best way is to use an application called OpenSCP. It is an SCP (Secure Copy Protocol) client for Windows. You can use it to log in to your Linux server, navigate to the directory where the .pfx file is located, and transfer it.

On your Windows server, open up IIS and go to Web Sites > (domain.com) > Right-Click > Properties > Directory Security > Server Certificate > Import from a .pfx file > Locate file > enter password

Your cert should be installed.

2. If you are transferring a .pfx certificate from IIS to plaintext in Apache, you will have to make sure that the private key is marked as exportable. The problem is that IIS does not behave this way by default. I recommend always marking the private key as exportable whenever you install a certificate into IIS. Anyway, you can export the certificate to a .pfx file in the same manner you imported it in IIS, except that the password you type in this time creates the one you will need later.

You can use OpenSCP again to transfer the .pfx file to the Linux server. Once it is on the Linux server, you can convert the .pfx file back into a plaintext .pem file with OpenSSL:

openssl pkcs12 -in www.domain.com.pfx -out www.domain.com.pem -nodes

You will be asked for the password you created when exporting from IIS. Now you will have the key and cert in plaintext. Use a text editor to separate them into www.domain.com.key and www.domain.com.crt files, respectively. Then follow your control panel's instructions on how to install the certificate.
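The following script is an added example and not part of the original post. It runs both directions described above (key + cert to .pfx, then .pfx back to plaintext) and adds the check a practitioner wants before installing anything: confirming that the restored private key actually belongs to the restored certificate. It also splits the combined .pem with openssl instead of a text editor, which avoids copying a stray line or a partial PEM block. It assumes the openssl command-line tool is on the PATH; the self-signed www.domain.com key pair it generates is a constructed test fixture, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# installed. The www.domain.com key and certificate are generated here as a
# constructed test fixture standing in for a real pair.

# make_test_pair DIR: create a throwaway private key and self-signed cert.
make_test_pair() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.domain.com" \
        -keyout "$dir/www.domain.com.key" \
        -out "$dir/www.domain.com.crt" >/dev/null 2>&1
}

# pem_to_pfx DIR PASSWORD: step 1 of the post (key + cert -> .pem -> .pfx).
# -passout avoids the interactive prompt so the step can be scripted.
pem_to_pfx() {
    dir="$1"; pass="$2"
    cat "$dir/www.domain.com.key" "$dir/www.domain.com.crt" > "$dir/www.domain.com.pem"
    openssl pkcs12 -export -in "$dir/www.domain.com.pem" \
        -out "$dir/www.domain.com.pfx" -passout "pass:$pass"
}

# pfx_to_pem DIR PASSWORD: step 2 of the post (.pfx -> plaintext .pem), then
# split the .pem into .key and .crt with openssl rather than a text editor.
pfx_to_pem() {
    dir="$1"; pass="$2"
    openssl pkcs12 -in "$dir/www.domain.com.pfx" -nodes \
        -out "$dir/restored.pem" -passin "pass:$pass"
    openssl pkey -in "$dir/restored.pem" -out "$dir/restored.key"
    openssl x509 -in "$dir/restored.pem" -out "$dir/restored.crt"
}

# key_matches_cert KEY CRT: succeed only if the public key derived from the
# private key is byte-for-byte the public key embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# roundtrip_check: run both conversions in a temp dir and verify the result.
# Returns 0 when the restored key and certificate still belong together.
roundtrip_check() {
    dir=$(mktemp -d)
    make_test_pair "$dir"
    pem_to_pfx "$dir" "s3cret-pfx-password"
    pfx_to_pem "$dir" "s3cret-pfx-password"
    if key_matches_cert "$dir/restored.key" "$dir/restored.crt"; then
        result=0
    else
        result=1
    fi
    rm -rf "$dir"
    return $result
}

# mismatch_detected: a freshly generated, unrelated key must NOT pass the
# check against the certificate. Returns 0 when the mismatch is caught.
mismatch_detected() {
    dir=$(mktemp -d)
    make_test_pair "$dir"
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    if key_matches_cert "$dir/other.key" "$dir/www.domain.com.crt"; then
        result=1
    else
        result=0
    fi
    rm -rf "$dir"
    return $result
}

# usage: . ./pfx_roundtrip.sh; roundtrip_check && echo "key and cert match"
```

Run key_matches_cert against any .key/.crt pair before handing it to IIS or Apache; a mismatch usually means the wrong key was exported or the files were mixed up during the split. One caveat: OpenSSL 3 writes .pfx files with AES encryption by default, and older Windows versions cannot read those, so add the -legacy option to the openssl pkcs12 -export command when the target is an old IIS server.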
