Importing an IIS .pfx File into Apache or Other Non-Windows Server

Moving an SSL Certificate from one Apache server to another is as simple as copying your private key, server certificate, and intermediate certificate files to the new server and then modifying your Apache configuration file to use the certificates.

However, it is also possible to move certificates from Windows servers to Apache (and other non-Windows servers) by manipulating the certificate files using OpenSSL. This page explains how to move certificate .pfx files from a Windows server to a non-Windows server.

Most servers use plaintext certificate files. The certificate files that you downloaded from DigiCert were already in this format. However, to get the private key from your Windows IIS server, you must extract the private key from a Windows .pfx backup certificate. To do this, complete the following steps.

  1. First, back up your IIS server certificates to a .pfx file using the following OpenSSL command:

    openssl pkcs12 -export -out DigiCertBackup.pfx -inkey your_private_key_file.txt -in your_domain_name.crt -certfile DigiCertCA.crt

    This will combine your primary certificate, intermediate (CA) certificate, and your private key file into a .pfx backup file.
  2. Use the following OpenSSL command to create a separate text file with the private key:

    openssl pkcs12 -in mypfxfile.pfx -out outputfile.txt -nodes

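    Note: Replace mypfxfile.pfx with the name of your IIS server certificates backup file. The -nodes option writes the private key to outputfile.txt unencrypted, so keep that file readable only by the account that needs it.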
  3. The previous step will create a text file named outputfile.txt. Open this file with a text editor and you will see the private key listed first:

    -----BEGIN RSA PRIVATE KEY-----
    (Block of Random Text)
    -----END RSA PRIVATE KEY-----

  4. Copy and paste all of this text including the BEGIN and END tags to a new text file. Save this text file as your_domain_name.key.
  5. Use the DigiCert Certificate Installation Instructions to install the certificates on your new server.
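
The copy-and-paste in steps 3 and 4 can be scripted. The following is an added example, not DigiCert's own code: the function name split_pem and the .chain.pem file name are hypothetical, and the sample input is constructed with placeholder bodies rather than real key material.

```shell
#!/bin/sh
# Added example (not DigiCert's code): split the combined PEM text from step 2
# into a key file and a certificate file without hand-editing.
# split_pem INPUT BASENAME -> writes BASENAME.key and BASENAME.chain.pem (hypothetical names)
split_pem() {
    src=$1 base=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # The key is unencrypted (-nodes), so create its file owner-only.
    # Matches "RSA PRIVATE KEY", "EC PRIVATE KEY" and plain "PRIVATE KEY";
    # "Bag Attributes" lines outside the BEGIN/END markers are skipped.
    ( umask 077
      awk '/^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { p = 1 }
           p { print }
           /^-----END ([A-Z]+ )?PRIVATE KEY-----/   { p = 0 }' "$src" > "$base.key" )
    chmod 600 "$base.key"   # also tightens a file that already existed

    # Every certificate in the bundle, in the order it appears in the file.
    awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----/   { p = 0 }' "$src" > "$base.chain.pem"

    # Refuse to leave an empty key file behind if the input had no key.
    if ! grep -q '^-----END .*PRIVATE KEY-----' "$base.key"; then
        echo "no private key block in $src" >&2
        rm -f "$base.key"
        return 1
    fi
}

# Constructed sample standing in for outputfile.txt (placeholder bodies, not real keys).
demo_dir=$(mktemp -d)
cat > "$demo_dir/outputfile.txt" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: constructed-example
-----BEGIN CERTIFICATE-----
(constructed placeholder, server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(constructed placeholder, intermediate certificate)
-----END CERTIFICATE-----
EOF
split_pem "$demo_dir/outputfile.txt" "$demo_dir/your_domain_name"
```

Once the key file is written, delete outputfile.txt, since it still holds a second unencrypted copy of the private key.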