UPDATED Dec. 18, 2017
You may not have touched your server’s SSL configuration since you last installed your certificate – potentially a year or more ago. Or maybe you recently acquired some servers. Either way, you may not know where to locate the certificate’s private key.
This post will help you locate your private key—the steps to do so vary by web server OS. We’ll cover the most common operating systems below, but first, let’s explain some basics about private keys.
What is a private key?
All SSL Certificates require a private key to work. The private key is a separate file that’s used in the encryption/decryption of data sent between your server and the connecting clients. A private key is created by you—the certificate owner—when you request your certificate with a Certificate Signing Request (CSR). The Certificate Authority providing your certificate (such as DigiCert) does not create or have your private key.
If you have not yet installed your certificate, then the most likely location of your private key is on the computer or server where you generated the CSR. When you generated that CSR, you would have been asked by the server to save two files. For OpenSSL, you can run the command openssl version -a to find the folder where your key files would be saved (/usr/local/ssl by default). On Windows (IIS), the OS manages your CSRs for you; you will first want to complete the request and then export the key (instructions below).
How to Locate Your Private Key
If your certificate is already installed, follow these steps to locate your private key file for these popular operating systems.
Apache
Your private key file’s location will be referenced in the main Apache configuration file, which is httpd.conf or apache2.conf. The SSLCertificateKeyFile directive specifies the path on your server where your key is stored.
OpenSSL, the most popular SSL library on Apache, will save private keys to /usr/local/ssl by default. You can run the command openssl version -a to find OPENSSLDIR and confirm the folder where your server is saving keys.
Nginx
You will be able to find the private key’s location in your site’s virtual hosts file. Navigate to the server block for that site (by default, within the /var/www/ directory). Open the main configuration file for the site and search for the ssl_certificate_key directive, which will provide the file path for the private key (some users have a separate configuration file for their SSL, such as ssl.conf).
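The Apache and Nginx checks described above, as an added shell example that is not part of the original post: it pulls the SSLCertificateKeyFile and ssl_certificate_key values out of a configuration file and reads OPENSSLDIR from openssl version -a. The function names and the sample configuration it runs on are constructed here, not taken from any real server.

```shell
#!/bin/sh
# Added example (not from the original post): pull private-key paths out of
# Apache and Nginx configuration text, and read OPENSSLDIR from openssl itself.
# Assumed: the config files are readable and use the directives named above.

# Apache: print the argument of every SSLCertificateKeyFile directive in $1
# (httpd.conf, apache2.conf, or a vhost file they include). Leading whitespace
# and trailing comments are ignored; commented-out directives are not matched.
apache_key_paths() {
  sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1"
}

# Nginx: print the argument of every ssl_certificate_key directive in $1,
# stripping the terminating ';' and any quotes around the path.
nginx_key_paths() {
  sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;]\{1,\}\);.*/\1/p' "$1" \
    | sed "s/[\"']//g; s/[[:space:]]*$//"
}

# Read OPENSSLDIR from `openssl version -a`; the relevant line looks like
#   OPENSSLDIR: "/usr/lib/ssl"
# Prints nothing and returns 1 if openssl is not installed.
openssl_dir() {
  command -v openssl >/dev/null 2>&1 || return 1
  openssl version -a | sed -n 's/^OPENSSLDIR:[[:space:]]*"\(.*\)".*/\1/p'
}

# Demo on constructed config snippets (not real server files).
demo() {
  a=$(mktemp); n=$(mktemp)
  cat >"$a" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    # SSLCertificateKeyFile /etc/ssl/private/old.key
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>
EOF
  cat >"$n" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
    ssl_certificate_key "/etc/nginx/ssl/www.example.com.key";
}
EOF
  echo "Apache key file(s):"; apache_key_paths "$a"
  echo "Nginx key file(s):";  nginx_key_paths "$n"
  echo "OPENSSLDIR: $(openssl_dir || echo 'openssl not found')"
  rm -f "$a" "$n"
}

demo
```

Run it against your own files by calling apache_key_paths or nginx_key_paths with the config path; a directive that appears commented out (as in the sample) is deliberately not reported.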
Windows (IIS)
On Windows servers, the OS manages your certificate files for you in a hidden folder, but you can retrieve the private key by exporting a “.pfx” file that contains the certificate(s) and private key.
Open Microsoft Management Console (MMC). In the Console Root, expand Certificates (Local Computer). Your server certificate will be located in the Personal or Web Server sub-folder. Locate and right-click the certificate, identified by its Common Name, select Export and follow the guided wizard. This will give you a .pfx file. DigiCert publishes detailed, step-by-step instructions for this export.
Depending on what you want to do with the private key, you may need to split it into a separate file by converting the .pfx. If you simply want to back up the key or install it onto another Windows server, it’s already in the right format. For use with other platforms, such as Apache, you want to convert the .pfx to separate .crt/.cer and .key files using OpenSSL.
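The .pfx conversion mentioned above, as an added shell example that is not part of the original post: it uses openssl pkcs12 to write the private key and the leaf certificate to separate files and then confirms the two belong together. The function name, the password argument and the example file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): split an exported .pfx into a
# separate key and certificate with OpenSSL, then confirm the two match.
# Assumed: openssl is on PATH and the .pfx export password is passed in.

# split_pfx <bundle.pfx> <password> <output-prefix>
# Writes <prefix>.key (unencrypted PEM private key) and <prefix>.crt (the leaf
# certificate only; -clcerts leaves out intermediates bundled in the .pfx).
split_pfx() {
  pfx=$1; pass=$2; out=$3
  # -nodes writes the key unencrypted, so create it with owner-only permissions.
  ( umask 077
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out.key" ) || return 1
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out.crt" || return 1
  # The key belongs to this certificate only if both yield the same public key.
  [ "$(openssl pkey -in "$out.key" -pubout)" = "$(openssl x509 -in "$out.crt" -noout -pubkey)" ]
}

# Usage: split_pfx www.example.com.pfx 'export-password' www.example.com
# On success, www.example.com.key and www.example.com.crt can be referenced by
# SSLCertificateKeyFile / SSLCertificateFile (Apache) or the nginx equivalents.
if [ $# -eq 3 ]; then
  split_pfx "$1" "$2" "$3" && echo "wrote $3.key and $3.crt"
fi
```

The final comparison is the check worth keeping even if you do the conversion by hand: a .pfx exported from the wrong certificate entry will still convert cleanly, and only the public-key comparison reveals the mismatch.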
If you’re unable to find the private key with this method, you can try downloading the DigiCert SSL Utility. This software will allow you to import your certificate and automatically locate your private key if it is on that server.
Where Else Could It Be?
If you followed the steps for your OS and did not find your key, you may just be looking in the wrong place.
If you are working with a server that is providing working HTTPS connections, then the key is somewhere on that server (or accessible to that server), otherwise HTTPS connections would be failing. We can only cover the default scenarios here—it’s possible your organization uses a custom configuration. You can try searching your server for a “.key” file, or going through the steps you would follow to install a new certificate, which should include specifying a private key at some point.
On some platforms, OpenSSL will save the .key file to the same directory from which the openssl req command was run.
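The search suggested above, as an added shell example that is not part of the original post: it lists files under a directory that carry a PEM private-key header, whatever their extension, and reports which one matches a given certificate. The function names are assumptions of this example, and the certificate path and search root are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): search a directory tree for
# candidate private-key files and report which one belongs to a given certificate.
# Assumed: openssl is on PATH for the matching step; the caller picks the search
# root (scanning / works but is slow; /etc, /usr/local/ssl and home directories
# are the usual places to start).

# list_key_files <dir>: print files containing a PEM private-key header, regardless
# of extension (keys end up as .key, .pem or with no extension at all, often next to
# wherever `openssl req` was run). Permission errors are silenced.
list_key_files() {
  find "$1" -type f -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null
}

# find_matching_key <cert.pem> <dir>: among the candidates under <dir>, print the
# first whose public key equals the certificate's. Passphrase-protected keys are
# skipped (stdin is /dev/null so openssl cannot prompt), so an empty result may
# mean the key is encrypted rather than missing.
find_matching_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  list_key_files "$2" | while IFS= read -r f; do
    grep -q 'ENCRYPTED' "$f" && continue
    key_pub=$(openssl pkey -in "$f" -pubout </dev/null 2>/dev/null) || continue
    if [ "$key_pub" = "$cert_pub" ]; then
      printf '%s\n' "$f"
      break
    fi
  done
}

# Usage: find_matching_key /etc/ssl/certs/www.example.com.crt /etc
if [ $# -eq 2 ]; then
  find_matching_key "$1" "$2"
fi
```

If list_key_files shows nothing under the obvious directories, the key may be encrypted, stored under a non-PEM format (such as the .pfx case above), or simply never saved, which is the situation the next paragraph addresses.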
If you have yet to install the certificate and cannot find the key, it’s possible it’s gone. If you created the CSR but cannot locate your key file, the easiest thing to do is reissue your certificate. Start by creating a new CSR—making sure to save the private key to a known location this time—and pair the certificate with that new key. Reissuing is always free with DigiCert.