Back Up/Export your SSL Certificate

PART 1 – Export the Private Key and SSL Certificate from Apache as a PKCS12

This assumes you have two files: the private key and the certificate. Combine both the private key and the certificate into a single file using the OpenSSL command:

openssl pkcs12 -in a.crt -inkey a.key -export -out a.pfx

where:

  • a.crt = certificate
  • a.key = private key
  • a.pfx = resulting PFX file (containing BOTH the key and cert)

a.pfx is a single file that contains both your private key and certificate file.

PART 2 – Import the PKCS12 into Windows IIS

To import the PFX file into the IIS server:

  1. Click Start, then Run, then type “mmc”
  2. In the MMC click File, then Add / Remove Snap In
  3. Click Add in the dialog box that opens
  4. On the Console, expand the Certificates container, then right click Personal
  5. Select All Tasks, then Import
  6. Point the File Browse at the PFX file and complete the wizard
  7. In IIS go to your site and select Properties, then Directory Security
  8. Click Server Certificate and then Assign an Existing Certificate, select the correct certificate from the available certificates

PART 1 – Exporting from Apache Server

  1. Locate the directory in which your certificate and key files are currently stored (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/).
  2. Copy the domainname.key and domainname.crt files to removable storage media, or to a network drive.

PART 2 – Importing to Apache Server

    1. Copy the domainname.key and domainname.crt to the Apache server directory in which you plan to store your certificates (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/).
    2. Open the Apache httpd.conf file in a text editor. Locate the SSL virtual host associated with your certificate. Verify that you have the following 2 directives within this virtual host. Please add them if they are not present:
      1. SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt
      2. SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key

Note that some instances of Apache store this information in an httpd-ssl.conf file. If your httpd.conf contains no SSL information then you will need to locate and amend the httpd-ssl.conf as above.

    3. Save the changes and exit the editor.
    4. Start or restart your Apache web server.

Importing a PFX into Apache with OpenSSL

PART 1 – Convert your PFX into a PEM and extract your certificates

  1. Move your PFX file into your OpenSSL/Bin directory
  2. Open OpenSSL in the command line.
  3. Type in the following command to transform your PFX file into a PEM file:
      1. pkcs12 -in yourdomain.pfx -out yourdomain.pem

    (The private key in the output will be encrypted. You can remove the encryption by adding the -nodes option, as used below.)

      1. pkcs12 -nodes -in yourdomain.pfx -out yourdomain.pem
  4. Go to your OpenSSL/Bin directory and locate the yourdomain.pem file and open it in a text editor (Notepad).
  5. This PEM file contains your Private Key, your SSL certificate, your Intermediate certificate, your Cross certificate and your GlobalSign Root certificate in that order. Each of these certificates must be copied and pasted into their own file.
  6. Locate the Private Key, which includes and is defined by the text -----BEGIN RSA PRIVATE KEY----- …. key contents …. -----END RSA PRIVATE KEY-----. Copy the Private Key, open a new text editor, paste the Private Key into the text editor and Save As yourdomain.key.
  7. Locate the SSL certificate, which includes -----BEGIN CERTIFICATE----- …. certificate contents …. -----END CERTIFICATE-----, copy the SSL certificate, open a new text editor, paste the SSL certificate into the text editor and Save AS yourdomain.crt.
    1. If you are a DomainSSL certificate customer go to http://www.globalsign.com/support/domain_bundle.html, copy the certificates from the box, open a new text editor in your OpenSSL/Bin directory and paste the certificates you have just copied into the text editor and Save As certificates.cabundle.
    2. If you are an OrganizationSSL certificate customer go to http://www.globalsign.com/support/organization_bundle.html, copy the certificates from the box, open a new text editor in your OpenSSL/Bin directory and paste the certificates you have just copied into the text editor and Save As certificates.cabundle.
    3. If you are an ExtendedSSL certificate customer go to http://www.globalsign.com/support/extended_bundle.html, copy the certificates from the box, open a new text editor in your OpenSSL/Bin directory and paste the certificates you have just copied into the text editor and Save As certificates.cabundle.
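
Steps 4 to 7 above can be scripted instead of done by copy and paste in Notepad. The following is an added example, not part of the original page: split_pem is a hypothetical helper that assumes the block order described in step 5 (private key first, then the SSL certificate, then the chain), and it writes the chain certificates found in the PEM to certificates.cabundle rather than downloading them. The sample PEM is constructed placeholder data.

```shell
#!/bin/sh
# Added example: split the PEM written by "pkcs12 -nodes" into the files
# Apache needs. split_pem is a hypothetical helper, not an OpenSSL command.
split_pem() {
    pem=$1; base=$2; bundle=$3
    # Recreate the key file owner-only (0600) before anything is written,
    # so the unencrypted key is never readable by other users.
    ( umask 077; rm -f "$base.key"; : > "$base.key" ) || return 1
    : > "$base.crt" || return 1
    : > "$bundle" || return 1
    awk -v key="$base.key" -v crt="$base.crt" -v chain="$bundle" '
        # Older OpenSSL writes "RSA PRIVATE KEY", newer writes "PRIVATE KEY".
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { out = key; keys++ }
        # Assumption taken from the page: the first certificate is the
        # SSL certificate, every later one belongs to the chain.
        /^-----BEGIN CERTIFICATE-----/ { certs++; out = (certs == 1) ? crt : chain }
        # "Bag Attributes", subject= and issuer= lines fall outside a block.
        out != "" { print >> out }
        /^-----END / { close(out); out = "" }
        # Fail unless exactly one key and at least one certificate were found.
        END { if (keys != 1 || certs < 1) exit 1 }
    ' "$pem"
}

# Constructed sample input (placeholder base64, not a real key or certificate).
demo=$(mktemp -d)
cat > "$demo/yourdomain.pem" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
S0VZ
-----END PRIVATE KEY-----
Bag Attributes
subject=/CN=yourdomain
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
EOF
split_pem "$demo/yourdomain.pem" "$demo/yourdomain" "$demo/certificates.cabundle"
ls -l "$demo"
```

The helper returns a non-zero status when the PEM does not contain exactly one private key and at least one certificate, so a truncated or wrong export is caught before Apache is restarted.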

PART 2 – Assign the correct directives to your Config file

When you have made the changes detailed in PART 1, you will then need to assign the correct directives to your Config file. You may find these in your httpd.conf file or in the ssl.conf file.

  1. Open your httpd.conf file and search for the section for the site that the SSL certificate will secure (if you cannot locate the section in your httpd.conf file, open your httpd-ssl.conf file and search for the section there).
  2. Your section will need to contain the following directives:
    1. SSLCertificateChainFile – this will need to point to the certificates.cabundle, so after the directive name enter the path and file name and remove the # from the beginning of the line.
    2. SSLCertificateFile – this will need to point to yourdomain.crt, so after the directive name enter the path and file name and remove the # from the beginning of the line.
    3. SSLCertificateKeyFile – this will need to point to yourdomain.key, so after the directive name enter the path and file name and remove the # from the beginning of the line.
  3. Save the changes and close the text editor.
  4. Restart Apache.