Migrating SSL Cert from IIS to Apache

Published: 2010-09-11
Author: Steven Neiland
Site Url: http://www.neiland.net/article/migrating-ssl-cert-from-iis-to-apache/

I recently migrated a website from a server running IIS 6.0 to one running Apache 2.2.x. While the migration of the sites was a snap, I also had to migrate the SSL certificate, and this was a little more involved. Here are the steps I used.

Note: The new server was also a Windows box, so I installed the Apache binary with OpenSSL. Your Apache installation may need to be recompiled with SSL for it to function, depending on your OS.

Step 1: Export .pfx file

When migrating an SSL cert from one server to another you will need both the public key files (your SSL certificate files, provided by your issuing authority) and the associated private key (generated by your server at the time the CSR was generated) for the SSL certificate to function. For this reason a PFX backup is always needed to transfer an SSL server certificate from one server to another.

Under Windows, do the following steps:

  1. From the Start menu, select "Run...". Type "mmc" and hit Enter.
  2. Under the File menu choose Add/Remove Snap in.
  3. Click Add, then from the Add Standalone Snap-in panel choose Certificates, and click Add.
  4. Choose Computer Account and click Next, then choose Local Computer and click Finish.
  5. Close the Add Standalone Snap-In window by clicking Close.
  6. Close the Add/Remove Snap-in window by clicking Ok.
  7. Click the + to expand the Certificates (Local Computer) console tree.
  8. Look for the Personal directory/folder and select Certificates.
  9. Right-click on the certificate you would like to back up and choose All Tasks > Export.
  10. Follow the Certificate Export Wizard to back up your certificate to a .pfx file.
  11. Choose 'Yes, export the private key'.
  12. Choose to include all certificates in the certification path if possible (do NOT select the option to delete the private key).
  13. Leave the default settings > enter a password (if required).
  14. Choose to save the file in a set location, e.g. "desktop/mysite.pfx".
  15. Finish; you will receive the message "Export Successful".
  16. Copy the created pfx file to the Apache server.

Step 2: Import the SSL cert to Apache

  1. Open openssl.exe in the "apache/bin/" directory.
  2. Export the client certificate file from the pfx file using this command (change mysite to whatever you named your pfx file in step 1 above):

openssl> pkcs12 -in mysite.pfx -clcerts -nokeys -out mysite.crt

  3. Export the DigiCert intermediate certificate file (DigiCertCA.crt) from the pfx file using this command (again, change mysite to the name of your pfx file):

openssl> pkcs12 -in mysite.pfx -cacerts -nokeys -out DigiCertCA.crt

  4. Export the private key file from the pfx file using the following command (again, change mysite to the name of your pfx file):

openssl> pkcs12 -in mysite.pfx -nocerts -out mysite.key

  5. Remove the passphrase from the private key so Apache won't prompt you for your passphrase when it starts:

openssl> rsa -in mysite.key -out mysite.key

Alternative Method: For info only, you can skip this

Alternatively, you can write everything to a single text file and extract the key and certificate from it:

openssl> pkcs12 -in mypfxfile.pfx -out outputfile.txt -nodes

The above command creates a text file named outputfile.txt. Open this file with a text editor and you will see the private key listed first:

-----BEGIN RSA PRIVATE KEY----- (Block of Random Text) -----END RSA PRIVATE KEY-----

Copy and paste all of the private key, including the BEGIN and END tags, to a new text file and save it as your_domain_name.key. The certificate follows the key:

-----BEGIN CERTIFICATE----- (Block of Random Text) -----END CERTIFICATE-----

Copy and paste all of the certificate, including the BEGIN and END tags, to a new text file and save it as your_domain_name.cert
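The exports from Step 2 (and the single-file alternative above) as one script, with a check the article does not show: that the exported key actually belongs to the exported certificate, and that the passphrase-free key is not left readable by everyone. This is an added example, not the article's own commands. It assumes a POSIX shell with openssl on the path (the same openssl commands work from the Apache bin directory on the Windows box described above), reads the export password from a PFX_PASSWORD environment variable (an assumption of this script), and uses the article's file names mysite.crt, DigiCertCA.crt and mysite.key.

```shell
#!/bin/sh
# Added example (not from the original article): pull the certificate, the CA
# chain and the private key out of a PFX exported from Windows, then confirm
# the key really belongs to the certificate before handing both to Apache.
set -eu

# extract_pfx PFX OUTDIR
# Writes OUTDIR/mysite.crt, OUTDIR/DigiCertCA.crt and OUTDIR/mysite.key.
# The export password is taken from $PFX_PASSWORD via -passin env:, so it never
# appears on a command line where other local users could read it in ps output.
extract_pfx() {
  : "${PFX_PASSWORD:?set PFX_PASSWORD to the password used when exporting the PFX}"
  pfx=$1; out=$2
  mkdir -p "$out"
  # Leaf (server) certificate only
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASSWORD -clcerts -nokeys -out "$out/mysite.crt"
  # Intermediate/root certificates bundled in the export (empty if none were included)
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASSWORD -cacerts -nokeys -out "$out/DigiCertCA.crt"
  # Private key written unencrypted (-nodes) so Apache can start unattended;
  # this replaces the separate "openssl rsa" passphrase-stripping step.
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASSWORD -nocerts -nodes -out "$out/mysite.key"
  # An unencrypted key must be readable by the owner only
  chmod 600 "$out/mysite.key"
}

# key_matches_cert CERT KEY
# Exit 0 when the RSA modulus inside the certificate equals the one in the key,
# i.e. the two files are a pair. Anything else means the wrong key was exported.
key_matches_cert() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  key_mod=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
  [ "$cert_mod" = "$key_mod" ]
}

# Usage:
#   PFX_PASSWORD=... extract_pfx mysite.pfx ./ssl
#   key_matches_cert ./ssl/mysite.crt ./ssl/mysite.key && echo "key and cert match"
```

If the PFX came from an old Windows box and a current OpenSSL 3 build refuses it with an "unsupported" error, the export was made with the RC2/3DES algorithms that OpenSSL 3 moved into its legacy provider; adding `-legacy` to the `pkcs12` commands lets it read the file. The modulus comparison only applies to RSA keys, which is what a 2010-era IIS certificate will have.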

Step 3: Enable SSL on Apache

Assuming you installed Apache with the OpenSSL module, the next step is to enable it: uncomment the relevant line in the LoadModule section of httpd.conf.

LoadModule ssl_module modules/mod_ssl.so

Next, ensure that Apache is listening on port 443. In older versions of Apache the SSL settings were included in the main conf file; in that case you would add the Listen directive to the main conf file.

Listen 443

For me, however, the SSL settings have been moved into a separate text file, "extras/httpd-ssl.conf", so I simply uncommented the relevant Include line in the main conf file.

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

Step 4: Configure the SSL site

An SSL-enabled site is separate from the non-SSL version. Even though they may share the same codebase, they are separate entities as far as Apache is concerned. For this reason you will have to create a new vhost for the SSL site, replacing port 80 with 443.

The SSL site will have all the same settings as the non-SSL site, with the following additions:

#non ssl version of site
//configuration settings

#ssl version of site
//configuration settings
SSLEngine on
SSLCertificateFile /path/to/mysite.crt
SSLCertificateKeyFile /path/to/mysite.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
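A complete pair of vhosts showing where those additions sit, as an added example rather than the article's own configuration. The host name www.example.com, the document root C:/sites/mysite and the key directory C:/Apache2.2/conf/ssl are placeholders; the syntax is Apache 2.2, matching the article. The SSLProtocol and SSLCipherSuite lines are not in the article: they disable the SSLv2/SSLv3 protocols and the null, MD5 and RC4 ciphers that mod_ssl would otherwise still accept.

```apacheconf
# Added example, not the article's configuration. Placeholders: www.example.com,
# C:/sites/mysite and C:/Apache2.2/conf/ssl. Apache 2.2 directive syntax.

# Non-SSL version of the site
<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot "C:/sites/mysite"
</VirtualHost>

# SSL version: the same code base, but a separate vhost on port 443
<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot "C:/sites/mysite"

    SSLEngine on
    # Server certificate, private key and intermediate chain exported in Step 2
    SSLCertificateFile      "C:/Apache2.2/conf/ssl/mysite.crt"
    SSLCertificateKeyFile   "C:/Apache2.2/conf/ssl/mysite.key"
    SSLCertificateChainFile "C:/Apache2.2/conf/ssl/DigiCartCA.crt"

    # Not in the article: refuse the obsolete protocols and weak ciphers
    SSLProtocol    all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
```

Two things to check after writing this: `Listen 443` from Step 3 must be in effect, or the 443 vhost is never reached, and the key file should be readable by the account Apache runs as and nobody else, since Step 2 left it without a passphrase. On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated; there the intermediate certificate is appended to the file named by SSLCertificateFile instead.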

Step 5: Test

At this stage your SSL cert should be installed correctly. To test, restart Apache, then enter the address https://your_site_url into a web browser (note the s at the end of http). You should see your site as normal but with SSL enabled.
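A browser check confirms the page loads, but it does not tell you whether the intermediate certificate from Step 2 is actually being served or how long the certificate has left. The script below is an added example, not part of the article; it assumes openssl on the path of the machine you test from, and the host name passed to check_site is a placeholder for your own site.

```shell
#!/bin/sh
# Added example (not from the original article): inspect what the new Apache
# vhost presents on port 443, the way a browser would, but in scriptable form.
set -eu

# cert_summary CERT.pem -> subject, issuer and validity dates of a PEM certificate
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# cert_valid_for CERT.pem DAYS -> exit 0 if the certificate is still valid DAYS from now
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_site HOST [DAYS]
# Connects with SNI (-servername) so a name-based vhost returns the right
# certificate, reports whether the presented chain verified against the local
# trust store, prints the leaf certificate's details and warns if it expires
# within DAYS (default 30).
check_site() {
  host=$1; days=${2:-30}
  raw=$(mktemp); leaf=$(mktemp)
  printf '' | openssl s_client -connect "$host:443" -servername "$host" > "$raw" 2>/dev/null
  # "Verify return code: 0 (ok)" means the intermediate was served and trusted;
  # code 21 ("unable to verify the first certificate") usually means the
  # SSLCertificateChainFile from Step 4 is missing or wrong.
  grep 'Verify return code' "$raw"
  # The first PEM block in s_client's output is the server's own certificate
  openssl x509 -in "$raw" -out "$leaf"
  cert_summary "$leaf"
  if cert_valid_for "$leaf" "$days"; then
    echo "OK: certificate valid for at least $days more days"
  else
    echo "WARNING: certificate expires within $days days"
  fi
  rm -f "$raw" "$leaf"
}

# Usage: check_site www.example.com 30
```

Run it from a machine other than the server itself if you can, so that the test goes through the same firewall path and port as your visitors' browsers.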