Last updated: November 2020
Although validity periods on certificates have shortened, most IT professionals don’t frequently touch their TLS/SSL configuration daily. Many touch their key material once a year or so — whenever they need to change certificates. Sometimes tracking and managing these certificates and corresponding key material can be difficult, leading to time spent hunting down the path where these items reside. This post will help you locate your private key; the steps to do so vary by web server OS. We’ll cover the most common operating systems below, but first, let’s explain some basics about private keys.
All TLS certificates require a private key to work. The private key is a separate file that’s used in the encryption/decryption of data sent between your server and the connecting clients. A private key is created by you — the certificate owner — when you request your certificate with a Certificate Signing Request (CSR). The certificate authority (CA) providing your certificate (such as DigiCert) does not create or have your private key. In fact, no one outside of your administrators should ever be given access to this material. We’ve seen an increase in instances where CAs have had to revoke certificates because admins have posted the keys to an online repository, like GitHub. Even if you don’t believe the site is transacting sensitive information, any exposure of the private key requires revocation of all corresponding certificates. If you have not yet installed your certificate, then the most likely location of your private key is on the computer or server where you generated the key pair and CSR. When you generated the key pair, you saved two files: one that contains the public key and one that contains the private key. For OpenSSL, you can run the command openssl version –a to find the folder where your key files would be saved (/usr/local/ssl by default). On Windows (IIS), the OS manages your CSRs for you. You will first want to complete the request and then export the key (instructions below).
If your certificate is already installed, follow these steps to locate your private key file for these popular operating systems.
Your private key file’s location will be referenced in the main Apache configuration file, which is httpd.conf or apache2. conf. The directive SSLCertificateKeyFile will specify the path on your server where your key is stored. OpenSSL, the most popular SSL library on Apache, will save private keys to /usr/local/ssl by default. You can run the command openssl version –a to find OPENSSLDIR, and confirm the folder where your server is saving keys.
You will be able to find the private key’s location in your site’s virtual host file. Navigate to the server block for that site (by default, within the /var/www/ directory). Open the main configuration file for the site and search for the ssl_certificate_key directive, which will provide the file path for the private key (some users have a separate configuration file for their SSL, such as ssl.conf).
On Windows servers, the OS manages your certificate files for you in a hidden folder, but you can retrieve the private key by exporting a “.pfx” file that contains the certificate(s) and private key. Open Microsoft Management Console (MMC). In the Console Root expand Certificates (Local Computer). Your server certificate will be located in the Personal or Web Server sub-folder. Locate and right-click the certificate, identified by the Common Name, select Export and follow the guided wizard. This will give you a .pfx file. For detailed, step-by-step instructions, go here. Depending on what you want to do with the private key, you may need to split the private key into a separate file by converting the .pfx. If you simply want to back up the key or install it onto another Windows server, it’s already in the right format. For use with other platforms, such as Apache, you want to convert the .pfx to separate the .crt/.cer and .key file using OpenSSL. If you’re unable to find the private key with this method, you can try downloading the DigiCert SSL Utility. This software will allow you to import your certificate and automatically locate your private key if it is on that server. Note that this is on-prem software that does not share information about the key material back to DigiCert. DigiCert never obtains private key material for TLS certificates and escrowing TLS keys by the CA (which sometimes happens with document signing and S/MIME certificates) is strictly prohibited by root store policy.
If you followed the steps for your OS and did not find your key, you may just be looking in the wrong place. If you are working with a server that is providing working HTTPS connections, then the key is somewhere on that server (or accessible to that server), otherwise HTTPS connections would be failing. We can only cover the default scenarios here — it’s possible your organization uses a custom configuration. You can try searching your server for a “.key” file or going through the steps you would follow to install a new certificate, which should include specifying a private key at some point. On some platforms, OpenSSL will save the .key file to the same directory from where the –req command was run. If you have yet to install the certificate and cannot find the key, it’s possible it’s gone. If you created the CSR but cannot locate your key file, the easiest thing to do is reissue your certificate. Start by creating a new CSR — making sure to save the private key to a known location this time — and pair the certificate with that new key. Reissuing is always free with DigiCert. Although knowing where and how you protect key material is critical for security, we highly recommend you generate a new key pair each time a new certificate is ordered. Reusing key material is a frowned-upon practice that can result in widespread issues if a key is compromised and result in a poor security framework as new threats are discovered. Generating key material and CSRs is easier than ever and DigiCert supports frequent key rollovers to help companies adopt good security hygiene.