
Move or copy an SSL certificate from a Windows server to another Windows server

If you have multiple Windows servers that need to use the same SSL certificate, such as in a load-balancer environment or when using a wildcard or UC SSL certificate, you can export the certificate to a .pfx file and import it on a new Windows server. This may also be necessary when you switch hosting companies. We will go over the exact process with step-by-step instructions in this article. If necessary, you can copy the SSL certificate to an Apache or other type of server.

We will assume that you have already successfully installed the SSL certificate on one Windows web server. You will follow these steps to move or copy that working certificate to a new server:

  1. Export the SSL certificate from the server with the private key and any intermediate certificates into a .pfx file.
  2. Import the SSL certificate and private key on the new server.
  3. Configure your web sites to use them in IIS.

On a Windows server you will need to export your certificate from the MMC console to a .pfx file with your private key. You can then copy that .pfx file to the new Windows server and import it. The following screenshots are from a Windows Server 2008 machine but the instructions will also work for older (Windows Server 2003) and newer versions (Windows Server 2016).

Export the certificate from the Windows MMC console

Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 or higher (IIS7 or higher) you can also import and export certificates directly in the Server Certificates section in IIS.

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.

  3. Click on the File menu and click Add/Remove Snap-in...

  4. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.

  5. Click on Computer Account and click Next.

  6. Leave Local Computer selected and click Finish.

  7. If you are using Windows Server 2003, click the Close button. Click OK.

  8. Click the plus sign next to Certificates in the left pane.

  9. Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export...

  10. In the Certificate Export Wizard click Next.

  11. Choose "Yes, export the private key" and click Next.

  12. Click the checkbox next to "Include all certificates in the certification path if possible" and click Next.

  13. Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.

  14. Click Browse and find a location to save the .pfx file to. Type in a name such as "mydomain.pfx" and then click Next.

  15. Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.

Import the certificate in the Windows MMC console

After you have exported the certificate from the original server you will need to copy the .pfx file that you created to the new server and follow these import instructions.

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.

  3. Click on the File menu and click Add/Remove Snap-in...

  4. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.

  5. Click on Computer Account and click Next.

  6. Leave Local Computer selected and click Finish.

  7. If you are using Windows Server 2003, click the Close button. Click OK.

  8. Right-click on the Personal folder and select All Tasks and then Import...

  9. In the Certificate Import Wizard click Next.

  10. Click the Browse button and change the file type from "X.509..." to "Personal Information Exchange (*.pfx, *.p12)". Find the .pfx file that you copied over and click Open and then Next.

  11. Enter the password that you set when you exported the .pfx file and click "Mark this key as exportable" so you can export the certificate from this machine as well as the original. Click Next.

  12. Click "Automatically select the certificate store based on the type of certificate" and click Next.

  13. Click Finish to complete the wizard.

  14. You can now click the Refresh button in the toolbar to refresh and find your certificate in the Certificates folder under Personal. You can verify that it was imported correctly by double-clicking it and looking for "You have a private key that corresponds to this certificate" at the bottom of the certificate dialog.

  15. Close the MMC console. You do not need to save any changes.
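
The same export and import can be scripted, which also makes it easy to verify the result on the new server. This is an added example, not part of the original article: it assumes Windows Server 2012 or later (where the PKI module's `Export-PfxCertificate`, `Import-PfxCertificate` and `Test-Certificate` cmdlets are available) and an elevated session, and the function names, thumbprint, DNS name and folder are placeholders.

```powershell
# Added example. Function names, thumbprint, DNS name and paths are placeholders (assumptions).

# Run on the ORIGINAL server: equivalent of export steps 9-15.
function Export-SiteCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "No private key is associated with $Thumbprint in LocalMachine\My."
    }
    # BuildChain matches "Include all certificates in the certification path if possible".
    # This call fails if the key was installed as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
        -ChainOption BuildChain -ErrorAction Stop
}

# Run on the NEW server: equivalent of import steps 8-14, plus verification.
function Import-SiteCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [Parameter(Mandatory)][string]$DnsName,
        [switch]$Exportable   # same as "Mark this key as exportable"; off unless requested
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $Password -Exportable:$Exportable -ErrorAction Stop | Out-Null

    # Confirm the certificate that arrived is the one that was exported.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$ExpectedThumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Imported certificate has no private key; IIS cannot use it."
    }
    # Checks the chain (intermediates included) and that the name is covered.
    if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName)) {
        throw "Certificate is not trusted for $DnsName on this server."
    }
    # The .pfx holds the private key; remove the copy once the import is verified.
    Remove-Item -Path $PfxPath -Force
    $cert
}

# Usage (constructed values):
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-SiteCertificate -Thumbprint '<THUMBPRINT>' -PfxPath 'C:\Temp\mydomain.pfx' -Password $pw
#   Import-SiteCertificate -PfxPath 'C:\Temp\mydomain.pfx' -Password $pw -ExpectedThumbprint '<THUMBPRINT>' -DnsName 'www.example.com'
```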

Assigning the SSL certificate

After you have imported the .pfx file, you will either need to assign the certificate in IIS, enable the certificate for the services you need in Exchange or select the certificate in any other software that you are using. Because IIS is the most common place to use SSL certificates, we have included the instructions for assigning a website to use the new certificate in IIS 6 (Windows Server 2003). If you have Windows Server 2008, just follow the binding part of the IIS 7 SSL Certificate Installation instructions.

  1. In IIS, right-click on the website that needs the certificate and click on Properties.
  2. Click the Directory Security tab and click on the Server Certificate button to run the server certificate wizard.
  3. If you already have a certificate on that website you will need to remove it and then start the wizard again.
  4. Click "Assign an existing certificate" and click Next.
  5. Select the new certificate that you just imported and click Next.
  6. Click Finish. You may need to restart IIS for the certificate to start working with the assigned website.

Summary

While there are several steps in the process, moving an SSL certificate from one Windows server to another is an easy task. It involves exporting a working SSL certificate from the MMC console to a .pfx file and then importing that file in the MMC console of the new or additional server. You will then need to assign or bind the certificate to a website in IIS in order to start using it on a website. If you need to move your SSL certificate to or from a different type of server, select the server type on our main SSL Certificate Import/Export Page.

Originally posted on Sun Nov 9, 2008

Comments


Deepak(2014-12-13)

Thanks for a very well explained step by step article. Made my life simple. Thanks !!

JS(2014-12-13)

Will the original server still be able to run as usual or does this disable SSL on the original server?

Devendra(2014-12-13)

Thanks. It helped and worked.

JS(2014-12-13)

Thanks! One other question, I assume that both the old and new server have to have an identical FQDN, yes?

Proshanto(2014-12-13)

At various times I have seen that when I right-click on the certificate and go to All Tasks I get a variety of options after clicking Export (at least about 6 to 7). What does this depend on?

Robert(2014-12-13)

Hi JS. This doesn't disable the certificate on the original server.

Aaron(2014-12-13)

Why use the method above rather than IIS Manager to export from one server and import on the other server?

ServerMover(2014-12-13)

I have used your guide to move 3 SSL's over the course of a few months. Thanks!!!

Gary(2014-12-13)

This will not work when the original cert supplied by the SSL provider hasn't been marked with Private key exportable.
You can identify this if the little key icon (top left) isn't displayed as in the picture on step 9.

Robert(2014-12-13)

Hi Aaron,

The main advantage with exporting the certificate through the MMC console instead of directly in IIS is that you can include the Intermediate certificates (if there are any) in the .pfx. Without those, the certificate won't be trusted on the server that you import the .pfx on.

OneSeventeen(2014-12-13)

We are migrating a server and will be running both sites side by side. This worked great to export the certificate on our existing webserver running IIS 6 on Server 2003, and I was able to import it on a replica using IIS 6 and Server 2003 without breaking anything.

We will be using the same method to import it in IIS 7 on Server 2012 R2 in a few months.

Robert(2014-12-13)

Yes, both servers will need to match the name(s) in the certificate. If the certificate only covers one name, then the FQDN will need to be exactly the same. If it covers multiple (like in the case of a wildcard or SAN certificate), it will just need to be covered by the certificate you are importing.

Question(2014-12-13)

Thank you very much, but how can I do that with server Windows 7?

onder gultekin(2014-12-13)

This site is very valuable for understanding SSL.

Very good and practical explanations

Jo(2014-12-13)

Thank you very much, it really helped to import certs onto multiple storefront servers...

Thanks,
Jo

Ben(2014-12-13)

This is an excellent set of instructions and it helped me a lot. Thanks.

Simon Turner(2014-12-13)

I've gone through this a few times to check I'm doing it all right but whatever I do I always receive 'The file type is not recognizable. Select another file' when I try to import it. I'm using a wildcard (i.e. multi-domain) certificate and imagine that this might have something to do with the problem.

dtripp(2014-12-13)

Thanks for the great step by step, it saved me a lot of headache and research!

Paul Apostolos(2014-12-13)

Just what I needed. Moving IIS 6 to new server IIS 7 this was spot on.

Jeanlouc(2014-12-13)

Even after all these years, it's useful. Thanks!

Alberto(2014-12-13)

A very good guide!

Very useful.

Thanks

steve(2014-12-13)

DUDE! you saved my a$$. Thanks for the great article!

Venkatesh(2015-01-29)

Super Thank you Very Much It's very Useful ...

Emanuele Ciriachi(2015-12-12)

Thanks a lot, saved me a lot of time!

Gijs van Dam(2016-06-21)

Guide is still totally valid. Just used the guide for migrating between two W2012 servers.

Thanks!

UK(2016-12-09)

Helped me, too. Thanks a lot. May the backlinks and visitors flow in like water.

Hayden(2017-04-19)

Great post. That really helped me. Thanks.

Avineet(2017-11-01)

If I want to export a certificate signed by Server 2008 CA and the private key separately from the server, how can I do that? The above procedure is for .pfx (PKCS#12), which contains the private key and certificate as a bundle, which I do not want. I want the .cer file separate and the .key file separate. I know how to export the .cer file but do not know how to export the private key (.key) file.

Any help would be great.

Andrew Wharton(2018-10-15)

I would like to know how to do this also. Did you learn how it's done?

Cashew76(2017-11-27)

Private Key Grey'd Out? Gray'd Out? How to reset permissions
1. Open Microsoft Windows Explorer.
2. Locate the %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder for Windows 2003 or %SystemDrive%\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys for Windows 7 and 2008, 2008R2.
3. There are several files located in this folder. Each file in this folder corresponds to a key container. Try to open each with Notepad.
4. If you receive an Access Denied error message when you try to open a file, open the properties of the file, and then take ownership of it. Reassign the Administrator account Full access.
Repeat step 4 for each file in this folder. You should then be able to start the System Attendant service.

3-1-2013(2018-04-06)

Thank you for this great tutorial! Very well step by step.

Anonymous Forever(2019-06-27)

I'm trying to carry out this procedure by exporting the .pfx to a Windows server with apache, but generally I start from the same server, in this case the one with apache generating the csr, this step I have to skip?

SSL Shopper(2019-06-27)

If you are moving a certificate from one Apache server to another, you don't need to create a .pfx. You can just copy the certificate and private key files. See these instructions: https://www.sslshopper.com/...

Anonymous Forever(2019-06-27)

Yes in fact I had chosen the wrong guide, then with the right instructions everything is much easier.
Thanks!!!

eakkawat rodpongsa(2020-01-08)

Thank you, it works.

Apurv Danke(2020-04-09)

We are moving our intranet website from one production server (Server 1) to another (Server 2) as part of a product upgrade. Our existing production server is mapped to an internal domain name such as ABCD.XYZ.COM. Also the existing server has an SSL certificate which is bound in IIS and which is issued for ABCD.XYZ.COM. If we check the details section, it has the field "Subject" where we can see CN = ABCD.XYZ.COM.
We are planning to shift this SSL certificate to the new Server 2 as part of cutover. We will be exporting the certificate from Server 1. Now the domain name ABCD.XYZ.COM will also be getting mapped to Server 2 instead of Server 1. After this mapping is done, we will stop IIS on Server 1, and import the certificate in Server 2 and bind it in IIS.
Will the above approach work for us?
