Move or copy an SSL certificate from a Windows server to an Apache server

If you have multiple servers that need to use the same SSL certificate, such as in a load-balancer environment or using a wildcard or UC SSL certificates, you can export the certificate from the Windows certificate store to .pfx file and then convert the file to individual certificate and private key files and use it on an Apache server. This may also be necessary when you switch hosting companies. We will be going over the exact process with step-by-step instructions in this article. If necessary, you can copy the SSL certificate from an Apache server to a Windows server instead.

We will assume that you have already successfully installed the SSL certificate on the Windows web server. You will follow these steps to move or copy that working certificate to the Apache server:

  1. Export the SSL certificate from the Windows server with the private key and any intermediate certificates into a .pfx file.
  2. Convert the .pfx file to individual certificates and private keys.
  3. Import the SSL certificates and private key on the new server.
  4. Configure your Apache web sites to use the certificate.

The following screenshots are from a Windows Server 2008 machine but the instructions will also work for older (Windows Server 2003) and newer versions (Windows Server 2016).

Export the certificate from the Windows MMC console

Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 or higher (IIS7 or higher) you can also import and export certificates directly in the Server Certificates section in IIS. Click here to hide or show the images

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.

  3. Click on the File menu and click Add/Remove Snap-in...

  4. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.

  5. Click on Computer Account and click Next.

  6. Leave Local Computer selected and click Finish.

  7. If you are using Windows Server 2003, click the Close button. Click OK.

  8. Click the plus sign next to Certificates in the left pane.

  9. Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export...

  10. In the Certificate Export Wizard click Next.

  11. Choose "Yes, export the private key" and click Next.

  12. Click the checkbox next to "Include all certificates in the certification path if possible" and click Next.

  13. Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.

  14. Click Browse and find a location to save the .pfx file to. Type in a name such as "mydomain.pfx" and then click Next.

  15. Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.

Convert the .pfx file using OpenSSL

After you have exported the certificate from the Windows server you will need to extract all the individual certificates and private key from the .pfx file using OpenSSL (instead of using OpenSSL, you can use the SSL Converter to convert the .pfx file to a .pem file and then follow step 3).

  1. Copy the .pfx file to the server or another computer that has OpenSSL installed.
  2. Run this OpenSSL command to create a text file with the contents of the .pfx file:

    openssl pkcs12 -in mydomain.pfx -out mydomain.txt -nodes

  3. Open the mydomain.txt file that the command created in a text editor. Copy each certificate/private key to its own text file including the "-----BEGIN RSA PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" headers. Save them with names such as mydomain.key, mydomain.crt, intermediateCA.crt, etc.

Assigning the SSL certificate to a website

After you have converted the .pfx file, you will need to copy the newly created files to the Apache server and edit your Apache configuration file to use them. Just follow our Apache SSL Installation instructions to do this.

While there are several steps in the process, moving an SSL certificate from one Windows server to an Apache server is quite simple. It involves exporting a working SSL certificate from the MMC console to a .pfx file which contains the certificates and private key and then converting that file to separate files. You can then copy the files to the Apache server and install the certificate like normal. If you need to move your SSL certificate to or from a different type of server, select the server type on our main SSL Certificate Import/Export Page

Originally posted on Sun Nov 9, 2008