Move or copy an SSL certificate from a Windows server to another Windows server

If you have multiple Windows servers that need to use the same SSL certificate, such as in a load-balancer environment or when using a wildcard or UC SSL certificate, you can export the certificate to a .pfx file and import it on a new Windows server. This may also be necessary when you switch hosting companies. We will go over the exact process with step-by-step instructions in this article. If necessary, you can copy the SSL certificate to an Apache or other type of server.

We will assume that you have already successfully installed the SSL certificate on one Windows web server. You will follow these steps to move or copy that working certificate to a new server:

  1. Export the SSL certificate from the server with the private key and any intermediate certificates into a .pfx file.
  2. Import the SSL certificate and private key on the new server.
  3. Configure your web sites to use them in IIS.

On a Windows server you will need to export your certificate from the MMC console to a .pfx file with your private key. You can then copy that .pfx file to the new Windows server and import it. The following screenshots are from a Windows Server 2008 machine but any differences for Windows Server 2003 are noted.

Export the certificate from the Windows MMC console

Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 (IIS7) you can also import and export certificates directly in the Server Certificates section in IIS.

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.

  3. Click on the File menu and click Add/Remove Snap-in...

  4. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.

  5. Click on Computer Account and click Next.

  6. Leave Local Computer selected and click Finish.

  7. If you are using Windows Server 2003, click the Close button. Click OK.

  8. Click the plus sign next to Certificates in the left pane.

  9. Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export...

  10. In the Certificate Export Wizard click Next.

  11. Choose "Yes, export the private key" and click Next.

  12. Click the checkbox next to "Include all certificates in the certification path if possible" and click Next.

  13. Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.

  14. Click Browse and find a location to save the .pfx file to. Type in a name such as "mydomain.pfx" and then click Next.

  15. Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.

Import the certificate in the Windows MMC console

After you have exported the certificate from the original server you will need to copy the .pfx file that you created to the new server and follow these import instructions.

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.

  3. Click on the File menu and click Add/Remove Snap-in...

  4. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.

  5. Click on Computer Account and click Next.

  6. Leave Local Computer selected and click Finish.

  7. If you are using Windows Server 2003, click the Close button. Click OK.

  8. Right-click on the Personal folder and select All Tasks and then Import...

  9. In the Certificate Import Wizard click Next.

  10. Click the Browse button and change the file type from "X.509..." to "Personal Information Exchange (*.pfx, *.p12)". Find the .pfx file that you copied over and click Open and then Next.

  11. Enter the password that you set when you exported the .pfx file and click "Mark this key as exportable" so you can export the certificate from this machine as well as the original. Click Next.

  12. Click "Automatically select the certificate store based on the type of certificate" and click Next.

  13. Click Finish to complete the wizard.

  14. You can now click the Refresh button in the toolbar to refresh and find your certificate in the Certificates folder under Personal. You can verify that it was imported correctly by double-clicking it and looking for "You have a private key that corresponds to this certificate" at the bottom of the certificate dialog.

  15. Close the MMC console. You do not need to save any changes.
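
The export and import steps above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes Windows Server 2012 or later, where the PKI module's Export-PfxCertificate and Import-PfxCertificate cmdlets are available, and the function names, thumbprint placeholder and file path are hypothetical.

```powershell
# Added example: scripted equivalent of the MMC export/import steps.
# Requires the PKI module (Windows Server 2012 / Windows 8 or later).
# Function names, thumbprint and paths are hypothetical placeholders.

function Export-SiteCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Computer account, Personal store: the same place the MMC steps look.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    # Without a private key in this store there is nothing useful to move.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store."
    }
    # BuildChain matches "Include all certificates in the certification path if possible".
    # The cmdlet fails if the key was not marked exportable when it was installed.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain
}

function Import-SiteCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [switch] $Exportable   # same choice as "Mark this key as exportable"
    )
    $params = @{ FilePath = $PfxPath; CertStoreLocation = 'Cert:\LocalMachine\My'; Password = $Password }
    if ($Exportable) { $params.Exportable = $true }
    $imported = Import-PfxCertificate @params
    # Same check as "You have a private key that corresponds to this certificate".
    if (-not $imported.HasPrivateKey) {
        throw "Imported certificate $($imported.Thumbprint) has no private key."
    }
    $imported | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# On the original server (elevated prompt):
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-SiteCertificate -Thumbprint '<THUMBPRINT-PLACEHOLDER>' -PfxPath 'C:\temp\mydomain.pfx' -Password $pw
# On the new server, after copying the file over:
#   Import-SiteCertificate -PfxPath 'C:\temp\mydomain.pfx' -Password $pw -Exportable
#   Remove-Item 'C:\temp\mydomain.pfx'   # the .pfx holds the private key; delete leftover copies
```

Omit -Exportable on servers that will never need to hand the key on, so the private key cannot be exported again from that machine.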

Assigning the SSL certificate

After you have imported the .pfx file, you will either need to assign the certificate in IIS, enable the certificate for the services you need in Exchange or select the certificate in any other software that you are using. Because IIS is the most common place to use SSL certificates, we have included the instructions for assigning a website to use the new certificate in IIS 6 (Windows Server 2003). If you have Windows Server 2008, just follow the binding part of the IIS 7 SSL Certificate Installation instructions.

  1. In IIS, right-click on the website that needs the certificate and click on Properties.
  2. Click the Directory Security tab and click on the Server Certificate button to run the server certificate wizard.
  3. If you already have a certificate on that website you will need to remove it and then start the wizard again.
  4. Click "Assign an existing certificate" and click Next.
  5. Select the new certificate that you just imported and click Next.
  6. Click Finish. You may need to restart IIS for the certificate to start working with the assigned website.

While there are several steps in the process, moving an SSL certificate from one Windows server to another is an easy task. It involves exporting a working SSL certificate from the MMC console to a .pfx file which contains the certificates and private key and then importing that file in the MMC console of the new or additional server. You will then need to assign or bind the certificate to a website in IIS in order to start using it on a website. If you need to move your SSL certificate to or from a different type of server, select the server type on our main SSL Certificate Import/Export Page.


Posted on September 26, 2006
ServerMover
Posts: 11
Comment
Thanks
Reply #14 on : Sat April 13, 2013, 15:08:22
I have used your guide to move 3 SSL's over the course of a few months. Thanks!!!
Paul Apostolos
Posts: 11
Comment
Perfect
Reply #13 on : Tue February 26, 2013, 06:19:24
Just what I needed. Moving IIS 6 to new server IIS 7 this was spot on.
dtripp
Posts: 11
Comment
combined a lot of research into one
Reply #12 on : Thu June 07, 2012, 13:03:41
Thanks for the great step by step, it saved me a lot of headache and research!
Simon Turner
Posts: 11
Comment
File type not recognizable
Reply #11 on : Mon April 30, 2012, 10:23:43
I've gone through this a few times to check I'm doing it all right but whatever I do I always receive 'The file type is not recognizable. Select another file' when I try to import it. I'm using a wildcard (i.e. multi-domain) certificate and imagine that this might have something to do with the problem.
onder gultekin
Posts: 11
Comment
Very Nice
Reply #10 on : Thu April 26, 2012, 14:01:08
This site is very valuable for understanding SSL.

Very good and practical explanations
Question
Posts: 11
Comment
Question
Reply #9 on : Fri August 05, 2011, 09:58:07
Thank you very much, but how can I do that with server Windows 7?
Gary
Posts: 11
Comment
Re: Move or copy an SSL certificate from a Windows server to another Windows server
Reply #8 on : Fri October 30, 2009, 05:54:04
This will not work when the original cert supplied by the SSL provider hasn't been marked with Private key exportable.
You can identify this if the little key icon (top left) isn't displayed as in the picture on step 9.
Robert
Posts: 3
Comment
Re: export/import pfx
Reply #7 on : Thu August 13, 2009, 19:05:43
Hi Aaron,

The main advantage with exporting the certificate through the MMC console instead of directly in IIS is that you can include the Intermediate certificates (if there are any) in the .pfx. Without those, the certificate won't be trusted on the server that you import the .pfx on.
Aaron
Posts: 11
Comment
export/import pfx
Reply #6 on : Wed August 12, 2009, 13:22:58
Why use the method above rather than IIS Manager to export from one server and import on the other server?
Robert
Posts: 3
Comment
Re: Question
Reply #5 on : Fri June 26, 2009, 18:32:09
Yes, both servers will need to match the name(s) in the certificate. If the certificate only covers one name, then the FQDN will need to be exactly the same. If it covers multiple (like in the case of a wildcard or SAN certificate), it will just need to be covered by the certificate you are importing.
JS
Posts: 11
Comment
Question
Reply #4 on : Fri June 26, 2009, 13:41:15
Thanks! One other question, I assume that both the old and new server have to have an identical FQDN, yes?
Robert
Posts: 3
Comment
Re: Question
Reply #3 on : Thu June 25, 2009, 20:34:35
Hi JS. This doesn't disable the certificate on the original server.
JS
Posts: 11
Comment
Question
Reply #2 on : Thu June 25, 2009, 09:46:58
Will the original server still be able to run as usual or does this disable SSL on the original server?
Deepak
Posts: 11
Comment
Thanks - very easy to follow
Reply #1 on : Mon June 08, 2009, 14:25:11
Thanks for a very well explained step by step article. Made my life simple. Thanks !!
