Problem
You want to move your certificate from Apache to IIS 5
Resolution
1. Convert the keypair to a P12 format (PFX)
openssl pkcs12 -export -out file.p12 -inkey privatekey.key -in certificate.crt
where:
- "file.p12" is your new container file
- "privatekey.key" is the name of your existing private key
- "certificate.crt" is your SSL certificate
Example:
[root@Apache9 conf]# openssl pkcs12 -export -out keypair.p12 -inkey /etc/httpd/conf/ssl.key/apache9-0.key -in /etc/httpd/conf/ssl.crt/apache9-0.crt
Enter pass phrase for /etc/httpd/conf/ssl.key/apache9-0.key:
Enter Export Password:
Verifying - Enter Export Password:
[root@Apache9 conf]#
To carry out this step, you must know the current pass phrase of the original private key, if one was set when the private key was created.
You may then specify a password for the export file and transfer this file to the IIS 5.0 machine that is going to host the site.
2. Adding your Certificate Snap-In
Once you have transferred the P12 file to the IIS 5.0 machine, the Certificates snap-in utility must be installed in order to import your P12 file.
In Windows 2000, use the following steps to create a new Microsoft Management Console (MMC) and add the
- Click Start then Run.
- Type in "MMC" (without the quotation marks) then click OK.
- Click Console in the new MMC you created, and then click Add/Remove Snap-in.
- In the new window that appears, click Add.
- Highlight Certificates, and click Add.
- Choose the Computer account option and select Next.
- Select Local Computer on the next screen, and then click Finish.
- Click Close and OK.
3. Importing your P12 file:
From the MMC, perform the following steps:
- Expand the 'Certificates' tree in the left preview panel
- Right-click 'Personal'
- Select All Tasks/Import - The Certificate Import Wizard appears.
- Select Next to continue.
- Browse to, and Select your P12 keypair file.
- Select Next to continue.
- Enter the password which was provided during the creation of the P12 keypair file.
Note: Ensure that the 'Mark the key as exportable' option is selected if you want to enable the certificate export again from this computer. For safety reasons, you may want to leave this option unchecked to ensure that no one can make a backup of your private key.
- Select Next twice to continue and Finish
- Select OK to successfully import the P12 certificate into the Windows certificate store
4. Assign the certificate to the IIS 5.0 site
To enable IIS 5.0 to use this certificate, follow the steps below:
- Go into the properties of the site then choose the Directory Security tab
- Click on Server Certificate button under Secure Communication area.
- Choose the option "Assign an existing certificate". A pop up will appear with your certificate.
- Choose the certificate and finish the wizard. Make sure that SSL port 443 is open on the firewall and within IIS 5 (default tab).
- Stop and Restart the website.
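
For step 1, an added example (not part of the original article): it checks that the private key actually belongs to the certificate before exporting, then reads the P12 back to confirm what it contains. The pass phrases, subject name and generated key pair are constructed for the demonstration, and `export_p12` and the digest helpers are hypothetical names.

```sh
#!/bin/sh
# Added example. File names follow step 1; pass phrases and subject are constructed.
set -eu
umask 077    # the key and the P12 both carry the private key: owner-only files

# Pass phrases are read from the environment (env:), not from argv, so they
# do not show up in the process list.
KEY_PASS='constructed-key-passphrase'
EXPORT_PASS='constructed-export-password'
export KEY_PASS EXPORT_PASS

# SHA-256 of a PEM public key read from stdin
pub_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_digest()  { openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null | pub_digest; }
cert_digest() { openssl x509 -in "$1" -noout -pubkey | pub_digest; }
p12_digest()  { openssl pkcs12 -in "$1" -passin env:EXPORT_PASS -nokeys 2>/dev/null |
                    openssl x509 -noout -pubkey | pub_digest; }

# export_p12 KEY CERT OUT: refuse to build a container from a mismatched pair
export_p12() {
    if [ "$(key_digest "$1")" != "$(cert_digest "$2")" ]; then
        echo "private key does not match certificate: not exporting" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" \
        -passin env:KEY_PASS -passout env:EXPORT_PASS
}

# Constructed test material: a pass-phrase-protected key and a self-signed cert
DIR=$(mktemp -d)
openssl genrsa -aes128 -passout env:KEY_PASS -out "$DIR/privatekey.key" 2048 2>/dev/null
openssl req -new -x509 -key "$DIR/privatekey.key" -passin env:KEY_PASS \
    -subj "/CN=www.example.test" -days 1 -out "$DIR/certificate.crt"

export_p12 "$DIR/privatekey.key" "$DIR/certificate.crt" "$DIR/file.p12"

# Read the container back and confirm it holds the certificate that went in
[ "$(p12_digest "$DIR/file.p12")" = "$(cert_digest "$DIR/certificate.crt")" ] ||
    { echo "file.p12 does not contain the expected certificate" >&2; exit 1; }
echo "file.p12 verified"
```

OpenSSL 3.x encrypts PKCS#12 files with newer algorithms by default than older Windows releases can import; its `pkcs12 -export` command has a `-legacy` option for that case.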