December 2010

Migrating SSL certificates from IIS to Apache and vice versa

I’m going to migrate a Windows server running some PHP sites that use SSL certificates to a Linux server with WHM/cPanel installed. The sites need to stay up for the whole migration (zero downtime).

For this,

A. I enabled remote database access on the old server for the new hosting network, so that both servers use the same database while the nameserver change propagates across the internet.
B. I installed the same certificate on both servers, i.e. I exported the certificate installed in IIS and separated the private key and the certificate from it.

Exporting the SSL certificate from IIS using the export utility.
a. Right-click “My Computer” and select “Manage”.
b. Expand IIS Manager and choose the site where the SSL certificate is installed.
c. Right-click the site and choose “Properties”, then select the “Security” tab and click the “Edit” button.
d. You should get a window like the one shown below.

Type the file name under which to save the .pfx file.

Next, protect the exported file from being manipulated by other SSL tools: set a passphrase.

Now we have the exported .pfx file. Copy it to any Linux desktop to extract the certificate and key files.

Export the private key file from the pfx file

#openssl pkcs12 -in mydomain.pfx -nocerts -out private-key.pem

Export the certificate file from the pfx file

#openssl pkcs12 -in mydomain.pfx -clcerts -nokeys -out domain-cert.pem

Remove the passphrase from the private key so that Apache does not ask for it on every restart. Note that the resulting server.key is stored unencrypted.

#openssl rsa -in private-key.pem -out server.key

Please note that each of these commands will ask you to enter the passphrase before it processes the request.
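
Before installing the files, it is worth confirming that the extracted key actually belongs to the extracted certificate. The script below is an added example, not part of the original post: it builds a constructed self-signed certificate and .pfx, runs the three extraction commands above non-interactively, and compares the public keys. The function names, the passphrase and mydomain.test are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: names, passphrase and the self-signed certificate are constructed.
# A passphrase on the command line is for the demo only; openssl also accepts
# env:VAR or file:PATH for -passin/-passout.
PASS='pass:constructed-demo-passphrase'

# Build a throwaway key + self-signed cert and bundle them into a .pfx,
# standing in for the file exported from IIS.
make_sample_pfx() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=mydomain.test' \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -out "$1/mydomain.pfx" -inkey "$1/orig.key" \
        -in "$1/orig.crt" -passout "$PASS"
}

# The three extraction steps from the post, made non-interactive.
split_pfx() {  # $1 = work dir
    umask 077   # files created from here on are readable by the owner only
    openssl pkcs12 -in "$1/mydomain.pfx" -nocerts -out "$1/private-key.pem" \
        -passin "$PASS" -passout "$PASS" &&
    openssl pkcs12 -in "$1/mydomain.pfx" -clcerts -nokeys \
        -out "$1/domain-cert.pem" -passin "$PASS" &&
    openssl rsa -in "$1/private-key.pem" -passin "$PASS" \
        -out "$1/server.key" 2>/dev/null
}

# Succeeds only if the certificate's public key equals the one derived
# from the private key file.
key_matches_cert() {  # $1 = certificate, $2 = unencrypted private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pfx "$dir" && split_pfx "$dir" &&
        key_matches_cert "$dir/domain-cert.pem" "$dir/server.key"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "server.key matches domain-cert.pem"
```

On a real migration, only `key_matches_cert domain-cert.pem server.key` is needed, run in the directory holding the extracted files.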

Installing the certificate on the cPanel server: log in to WHM using the root account and go to SSL/TLS –> Install a SSL Certificate and Setup a Domain.

Then open both the domain-cert.pem and server.key files in a text editor such as Notepad and copy their contents into the respective boxes shown in WHM, as follows,

You may also be asked to fill in the GD bundle certificate, if your CA provided one. I use GoDaddy SSL, and the bundle can be downloaded from their site.

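2. Create a .pfx file from the .crt and .key files

If you need to convert a .crt file to the .pfx format that an IIS server recognises, use the following command. The file names given to -out, -inkey and -in are the ones used earlier in this post; substitute your own.

openssl pkcs12 -export -out mydomain.pfx -inkey server.key -in domain-cert.pem -certfile CA_bundle.crt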

[root@BANK-qa01 ssl]# openssl pkcs12 -export -out -inkey -in -certfile gd_bundle.crt
Enter Export Password:
Verifying - Enter Export Password:
[root@BANK-qa01 ssl]# ls  gd_bundle.crt
[root@BANK-qa01 ssl]#

That’s it.

