Exporting Your SSL Certificate from a Microsoft Server for Importing to Another Microsoft Server
Background
Windows servers use .pfx files that contain the public key file (SSL certificate file) and the associated private key file. DigiCert provides your SSL certificate file (public key file). You use your server to generate the associated private key file as part of the CSR.
You need both the public and private keys for an SSL certificate to function. So, if you need to transfer your SSL certificates from one server to another, you need to export is as a .pfx file.
Export Prerequisite
Back Up Private Key. To backup a private key on Microsoft IIS 6.0 follow these instructions: 1. From your server, go to Start Run and enter mmc in the text box. The private key is generated simultaneously with the CSR (certificate signing request), containing the domain name, public key and additional contact information. The CSR is to be sent to the certificate authority for validation and signing immediately after the certificate activation in. As a work around you can generate your own CSR and submit the self generated CSR to the CA in a CSR field they provide. The Digicert Certificate Utility for Code Signing has the ability to generate a CSR on the Windows system where the Utility is installed on. Bypassing any issues with CSR.
DigiCert provides your SSL certificate file (public key file). You use your server to generate the associated private key file as part of the CSR. You need both the public and private keys for an SSL certificate. In order to prevent the situation when you loose your CSR code and Private Key, we automatically send the CSR code and the Private Key to the email which you provided when using the CSR Generator from above. Please check your email, so as we always send a message from SSL Dragon (email protected) where we include your CSR code and Private Key.
To create a .pfx file, the SSL certificate and its corresponding private key must be on the same computer/workstation. You may need to import the certificate to the computer that has the associated private key stored on it. (e.g., the laptop/desktop computer where you created the CSR) before you can successfully export it as a .pfx file.
For help importing the certificate, see SSL Certificate Importing Instructions: DigiCert Certificate Utility.
How to Export Your SSL Certificate w/Private Key Using the DigiCert Certificate Utility
These instructions explain how to export an installed SSL certificate from a Microsoft server and its corresponding private key as a .pfx file for importing to another server. If you need your SSL Certificate in Apache .key format, please see Export a Windows SSL Certificate to an Apache Server (PEM Format).
On your Windows Server, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil).
In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the certificate that you want to export as a .pfx file, and then click Export Certificate.
In the Certificate Export wizard, select Yes, export the private key, select pfx file, and then check Include all certificates in the certification path if possible, and finally, click Next.
A .pfx file uses the same format as a .p12 or PKCS12 file.
Note: If the Yes, export the private key option is grayed out (not unusable), the certificate's matching private key is not on that computer. This prevents you from being able to create the .pfx certificate file. To fix this problem, you will need to import the certificate to the same machine where the certificate's CSR was created. See Export Prerequisite.
In the Password and Confirm Password boxes, enter and confirm your password, and then, click Next.
Note: This password is used when you import this SSL certificate onto other Windows type servers or other servers or devices that accept a .pfx file.
In the File name box, click … to browse for and select the location and file name where you want to save the .pfx file, provide a file name (i.e. mySSLCertificate), click Save, and then, click Finish.
After you receive the 'Your certificate and key have been successfully exported' message, click OK.
Import PFX Certificate into Microsoft Windows Server and Configure it
To import your certificate to your server using the DigiCert Certificate Utility, you need to follow the instructions for that particular server type:
| IIS 10 | Exchange 2013 |
| IIS 8 | Exchange 2010 |
| IIS 7 | Exchange 2007 |
| IIS 6 |
Troubleshooting
After importing your certificate on to the new server, if you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.
Test Your Installation
To verify that the installation is correct, use our DigiCert® SSL Installation Diagnostics Tool and enter the DNS name of the site (e.g., www.yourdomain.com, or mail.yourdomain.com) that you are securing to test your SSL certificate.
SSL Certificate Not Installed or Doesn't Have a Private Key
If you installed your SSL Certificate on your server, but the certificate doesn't have a private key associated with it, you can use the DigiCert® Certificate Utility for Windows to repair your certificate installation and make sure it's installed correctly for use in IIS, Exchange and other Windows server types.
This problem usually occurs when you install an SSL Certificate through the MMC Console to a Pending Request that was created elsewhere. You can use the DigiCert Utility to fix this problem, but only if the private key is on the server, and the server just doesn't have the private key and certificate associated together.
How to Pair Your SSL Certificate with Its Private Key
Check Status of Your SSL Certificate
On the Windows server where your SSL Certificate is located, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe) to the same directory/folder as the certificate.
Note: For this instruction, it is necessary for the certificate and utility to be located in the same directory/folder or else some of the steps may not work.
Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil).
In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), check to see if there is a Caution Sign next to your certificate.
If you see a Caution Sign, select your SSL Certificate and read the warning message describing the issue.
'The Certificate Needs to Be Installed' Message
Although your SSL Certificate was copied to your server, it wasn't installed. To fix this problem, simply install your certificate to try to pair it with its private key.
In the DigiCert Certificate Utility for Windows©, select your SSL Certificate and click Install Certificate.
After your certificate is installed, check the certificates status again.
If the Caution Sign is gone, close the utility and then configure the server to use the certificate for your website, to secure email connections, etc.
See Assign & Configure Server Software to Use the SSL Certificate. If you cannot find instructions for your platform on that page, see SSL Certificate Installation Instructions & Tutorials.
'This Certificate’s Chain Is Not Installed Correctly' Message
Please see DigiCert Certificate Utility: Repair Intermediate SSL Certificate Errors.
'This Certificate Needs to Be Attached to Its Private Key' Message
The certificate is installed on your server, but it's not paired with its private key. To try to fix this problem, use the utility to repair the certificate.
In the DigiCert Certificate Utility for Windows©, select your SSL Certificate and click Repair Certificate.
When you receive the 'Would you like to scan your computer for this certificate's private key and attach to it' message, click Yes.
If you receive the 'This certificate has been successfully repaired.' message, click OK and close the utility.
Congratulations, you have matched your certificate with its private key. You have successfully installed your SSL Certificate.
Note: If you received 'The private key for this certificate could not be found in the machine or current user key stores,' error, continue to the next section.
'The private key for this certificate could not be found in the machine or current user key stores' Error Message
If you received this error message, the private key for your SSL Certificate is not on this server. Most likely, the CSR for your certificate was created on a different server.
Digicert Csr Private Key
To fix this problem, do the following:
Create a CSR
On your server where you are trying to install the certificate, create a new CSR.
See CSR Creation Instructions for Microsoft Servers. If you prefer not to use the DigiCert Certificate Utility, see Create a CSR (Certificate Signing Request).
Reissue Your SSL Certificate
After you create your new CSR, log into your DigiCert account and reissue the certificate.
See Reissuing a DigiCert® SSL Certificate.
Install Your Reissued Certificate
Install the rekeyed/reissued certificate on your server where you created the CSR.
See SSL Certificate Importing Instructions: DigiCert Certificate Utility. If you prefer not to use the DigiCert Utility, see SSL Certificate Installation Instructions & Tutorials.
Assign and Configure Server to Use Reissued Certificate
Then, reconfigure the server to use the certificate for your website, to secure email connections, etc.
See Assign & Configure Server Software to Use the SSL Certificate. If you cannot find instructions for your platform on that page, see SSL Certificate Installation Instructions & Tutorials.