
How to move an SSL Certificate from one Server to Another

Introduction

Sometimes you need to transfer your domains from one server to another, and a related concern that often arises is what to do with the SSL certificates. Yes, it is possible to transfer the SSL certificates used with a domain from one server to another along with the domain. Interestingly, it is possible to transfer the certificates used with your Linux/Apache/nginx servers to a Windows/IIS server and vice versa. Every server requires its SSL certificate in a specific format in order to process it: the Windows/IIS setup requires the SSL certificate in .pfx format, the Linux/Apache or Nginx servers require the certificate in .crt format, and other servers like HAProxy require it in .pem format. All you need to do is export the certificate from the server where it is currently installed and convert it to the format the destination server requires. Make sure you export the certificate together with its private key and any intermediate certificates used with it. We are going to discuss exporting SSL certificates from different server types, converting them, and installing the converted certificates at their destination.

#1 Moving an SSL certificate from one IIS server to another IIS server.

This is a pretty straightforward operation: no SSL conversion is required, since both servers are IIS and use the same .pfx format for their certificates. The steps are described below.

1.) Open IIS as administrator and find the “Server Certificates” option from the Home window

2.) Select the certificate that you want to export from the list, right click on it and click the Export option. You will see the common name to which the certificate was issued, the issuer of the certificate, its expiration date, etc. in this window.

3.) The export dialog will ask you for a destination directory for the exported certificate and a password to protect it. Please note down the password if you are using one, since it will be required when importing the certificate on the other server.

4.) Copy the certificate from its exported location and move it to a location in your destination IIS server. Open IIS in your destination server as administrator, open “Server Certificates” from the Home screen options and select the import option from left side pane. Browse and select the certificate file from its location, provide the password that you used to export the certificate from the other server, click ‘Ok’. This will import the certificate to IIS and it will be listed in server certificates. 

5.) Now you can proceed with installing this imported certificate for your domain. Open IIS with administrator privileges, expand “Sites” and click on the website on which you want to install the certificate. Click on ‘Bindings’ from the left side pane, click on the ‘Add’ button, select the imported SSL certificate from the drop-down list, add the host name and click the ‘Ok’ button.

Restart the website from the left pane ‘Manage Web Site’ option.

#2 Copying SSL From a Windows/IIS Server to Linux/Apache Server

1.) Export the certificates from the Windows IIS server as described in the above tutorial (steps 1, 2 and 3)

2.) Copy the exported .pfx certificate from the Windows server to the Linux server. You can use applications like WinSCP, or FTP service in Linux server to transfer the certificates.

3.) Open the command terminal in Linux server and execute the below command to convert the .pfx certificate to the .crt and private key format.

 openssl pkcs12 -in eurovps.pfx -out testconvert.txt -nodes

  ** Replace eurovps.pfx with the filename of your exported .pfx file and replace testconvert.txt with the filename that you want to use for the converted certificate file.

The converted .txt file will have two parts: the private key section and the certificate section. Copy the text from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- into another file and name it domain.key. Copy the text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into another file and name it domain.crt. These are the private key and certificate for the domain that you can install directly in Apache, Nginx or from a control panel like Plesk/cPanel etc. If the command line conversion is difficult, you can use an online SSL converter like https://www.sslshopper.com/ssl-converter.html.
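The manual copy-and-paste split described above can also be done locally with openssl itself, so the private key never has to be pasted into an editor or uploaded to a third-party converter. The following is an added example, not part of the original article; the function names, the output file names and the PFX_PASS variable are assumptions.

```sh
#!/bin/sh
# Added example: file names are placeholders; the .pfx password is read from
# the PFX_PASS environment variable so it never appears on a command line.
umask 077   # files created below are readable by their owner only

# split_pfx <in.pfx> <out-dir>: writes domain.key, domain.crt and chain.crt
split_pfx() {
    pfx=$1; out=$2
    mkdir -p "$out" || return 1
    # Private key only. -nodes (as in the article) leaves it unencrypted;
    # piping through "openssl pkey" drops the "Bag Attributes" header lines.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -out "$out/domain.key" 2>/dev/null || return 1
    # Server (leaf) certificate only.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$out/domain.crt" 2>/dev/null || return 1
    # Intermediate/CA certificates; the file may be empty if none were exported.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys \
        -out "$out/chain.crt" 2>/dev/null || return 1
}

# key_matches_cert <key> <crt>: succeeds only if both hold the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (run with PFX_PASS exported):
#   split_pfx eurovps.pfx ./ssl && key_matches_cert ./ssl/domain.key ./ssl/domain.crt
```

With OpenSSL 3.x, a .pfx exported by an older Windows release may use legacy encryption and need `-legacy` added to the `openssl pkcs12` calls.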

#3 Copy SSL Certificates from an Apache Server to Another Apache Server.

1.) You can find the SSL certificate file location in the source server from its Apache configuration file. The Apache config is normally available in any of the below locations.

    /etc/apache2/conf/httpd.conf
    /etc/httpd/conf/httpd.conf
    /etc/apache2/apache2.conf
    /etc/httpd/httpd.conf

You can also use the command ‘httpd -V’ from the terminal; it will list the loaded configuration file for Apache.

2.) Open the Apache configuration file in your favourite text editor and locate the virtual host section for the domain. The virtual host for the domain can be identified by searching the ‘ServerName’ directive. If you are looking for the virtual host of domain.com, its virtual host will have the ServerName entry as shown below.

ServerName domain.com

All the virtual host directives of domain.com will be within the VirtualHost tags, as shown below.

    <VirtualHost 123.456.789.10:443>
    ServerName domain.com
    ServerAlias www.domain.com mail.domain.com
    DocumentRoot /var/www/html/domain.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/crt/primary.crt
    SSLCertificateKeyFile /etc/ssl/crt/private.key
    SSLCertificateChainFile /etc/ssl/crt/intermediate.crt
    …
    </VirtualHost>

Identify the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile locations from the domain’s virtualhost, copy the files from these locations and move them to the same or a custom location on the destination server. Modify the domain’s Apache virtualhost entry on the destination server so that SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile point to the new certificate locations.

Test Apache configuration syntax (apachectl configtest) and reload the Apache configuration (service httpd reload) to load the newly added SSL for the domain.

#4 Copying SSL certificates from Linux/Apache Server to Windows IIS Server

1.) Identify the file locations of SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile from the Apache virtualhost for the domain (refer to #3.1 and #3.2).

2.) Copy the files to a test directory on the server.

    mkdir /root/ssl/
    cp /etc/ssl/crt/primary.crt /root/ssl/primary.crt
    cp /etc/ssl/crt/private.key /root/ssl/private.key
    cp /etc/ssl/crt/intermediate.crt /root/ssl/intermediate.crt

3.) Use the below noted openssl command to convert the certificates and key to the .pfx format.

openssl pkcs12 -export -out eurovpstest.pfx -inkey /root/ssl/private.key -in /root/ssl/primary.crt -certfile /root/ssl/intermediate.crt

Replace eurovpstest.pfx with the filename that you prefer.

After converting the files, upload the resulting .pfx file to the Windows server using FTP and import it into IIS as described in #1.4 and #1.5.

Updated on May 31, 2019
