
14 February 2014

Gavin Pickin

Moving SSL certs from IIS on Windows to Apache on Centos

Apache, OpenSSL, Server Admin

We're migrating a series of Windows servers to CentOS, and in doing so there are a number of SSL certificates that need to be migrated too. Going through the whole process of creating new requests invalidates the old SSL certificate, so it can be a tricky transfer process, and in migrations you want to streamline things as much as possible, so we wanted to export our SSL certs ahead of time, import them, and be prepared. To see how to export SSL certs from IIS 6 to a .pfx, see here; I will add a few other walkthroughs for other versions as I complete them.

Now that we have exported the certificate to a .pfx file, we can move the .pfx to our server. Once you have downloaded the file (make sure the transfer is in binary mode so the FTP application does not mangle your line endings) onto your CentOS / Linux box, we need to run a few openssl commands to take the password-protected .pfx file and extract the key and cert files to include in our Apache vhost configuration.

First, we're going to extract the key, and the first step is extracting a password-protected PEM file. When you run this command, it will ask you for the password you used to create the .pfx file. Then it will ask you for a PEM pass phrase. You must enter one, or this command will not complete successfully.

$ openssl pkcs12 -in www.goodbyeticket.com_cert.pfx -nocerts -out key.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:


Next, we need to extract the key and remove the passphrase itself. If you did not enter a passphrase, this will give you an error like the following.

unable to load Private Key
140622736611144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY


Assuming you followed the instructions, you should be able to run the following command. It reads in the key.pem file we created in the last step (keep that name the same; it's short, and it's only an intermediate file), and the -out file is the file you intend to use, so name it however you see fit. For me, I like to keep the year registered, a period, the common name or URL of the cert, and then .key, of course, because this is a key. It will ask you for the pass phrase, so enter that when prompted.

$ openssl rsa -in key.pem -out 2013.www.goodbyeticket.com.key
Enter pass phrase for key.pem:
writing RSA key


If you cat the file, you will see the key is complete: it has no pass phrase and no encryption, it's a standard key.

Next we need to get the cert file out of the .pfx file. This is a one-step process; just enter the command below.

-in is the .pfx you downloaded, and -out is the name of the cert. I like to match my file names, with the suffix or extension matching the type: .key for keys and .cert for certs, simple.

$ openssl pkcs12 -in www.goodbyeticket.com_cert.pfx -clcerts -nokeys -out 2013.www.goodbyeticket.com.cert
Enter Import Password:
MAC verified OK


Now, this file does have some other stuff above the certificate itself. Simply edit the file and remove everything above the BEGIN CERTIFICATE line.

nano 2013.www.goodbyeticket.com.cert
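The same extraction done in one pass, with the key written without a pass phrase, the cert re-emitted without the extra lines above BEGIN CERTIFICATE, and a check that the key and cert actually belong together. This is an added example and not part of the original post: it assumes openssl is installed, takes the .pfx password from an environment variable called PFX_PASSWORD, and the file names and the throwaway self-signed certificate it builds for the demo are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH and
# that the .pfx password is in the environment variable PFX_PASSWORD
# (env: keeps it out of "ps" output, unlike -passin pass:...).
# File names are hypothetical.

# pfx_to_apache PFX KEYOUT CERTOUT
# Writes an unencrypted PEM key and a certificate file that starts at the
# "-----BEGIN CERTIFICATE-----" line, then checks that the two belong together.
pfx_to_apache() {
    pfx="$1"; keyout="$2"; certout="$3"
    # -nodes skips the PEM pass phrase, so the separate "openssl rsa" step is
    # not needed; "openssl pkey" ignores the attribute lines and re-emits only
    # the key, and umask 077 makes the key file readable by its owner only.
    # (A .pfx exported by an old IIS may need "-legacy" on OpenSSL 3.)
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASSWORD 2>/dev/null |
        (umask 077; openssl pkey -out "$keyout" 2>/dev/null) || return 1
    # -clcerts -nokeys gives the leaf cert with attribute lines above it;
    # piping it through "openssl x509" leaves just the certificate block.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASSWORD 2>/dev/null |
        openssl x509 -out "$certout" 2>/dev/null || return 1
    # A key that does not match the cert means Apache refuses to start, or
    # that the wrong .pfx was picked up: compare the two public keys.
    key_pub=$(openssl pkey -in "$keyout" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$certout" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# make_sample_pfx DIR: builds a throwaway self-signed cert and packs it into a
# .pfx, so the function can be exercised offline (constructed test data, not a
# real certificate).
make_sample_pfx() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/orig.key" \
        -out "$dir/orig.crt" -days 1 -subj "/CN=www.example.test" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/orig.crt" \
        -out "$dir/sample.pfx" -passout env:PFX_PASSWORD 2>/dev/null
}

# Usage: PFX_PASSWORD=... sh pfx2apache.sh site.pfx 2013.site.key 2013.site.cert
if [ "$#" -eq 3 ]; then
    pfx_to_apache "$1" "$2" "$3" && echo "key and cert extracted and match"
fi
```

The resulting .key and .cert files can be referenced directly from SSLCertificateKeyFile and SSLCertificateFile in the vhost.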

Now, your files are ready to use in your apache configuration.
I go over that in more depth, as well as how to check that your SSL is valid and the chain is intact, in this post here.


Hope this helps, I know I'll be looking it up next time I have to do this.
Thanks,

Gavin
