Stepwise Guide to Move or Copy an SSL certificate from a Windows Server to another Windows Server
Here’s our step-by-step guide to move or copy an SSL certificate from one Windows server to another
It is very common to use the same SSL certificate on multiple servers when a load balancer is used to share the load of a website across several different servers. This can be managed easily by following our stepwise guide to moving an SSL certificate from one server to another.
Please note that several certificate authorities require you to have a server license for each server on which you want to install an SSL certificate, even when the servers use the same private key. Also, it is not secure to copy the SSL certificate and use the same private key on another server: if an attacker compromises either of the servers and gets the private key, they will be able to listen in on the connections the other servers are making.
Before getting started with the procedure, you need to make sure that you have successfully installed the SSL certificate on the web server. The procedure mainly involves the following principal steps:
- Exporting a working SSL certificate from the MMC console to a .pfx file, which contains the certificates and the private key.
- Importing that file in the MMC console of the additional new server.
- Assigning and binding the certificate to a website in IIS in order to start using it on the website.
Steps to export the certificate from the Windows MMC console
Start Menu >> Run.
Type ‘mmc’ and click ‘OK’.
Choose the option ‘Add/Remove Snap-in…’ from the ‘File’ menu.
Click on the ‘Add’ button and double-click on ‘Certificates’ if you are using Windows Server 2003.
Select ‘Computer Account’ and click on Next to proceed.
Leave Local Computer selected and click on Finish.
If you are using Windows Server 2003, click the ‘Close’ button. Click OK.
Click on the ‘+’ sign next to Certificates in the left pane to expand the menu.
From the expanded menu, click on the ‘+’ sign next to the ‘Personal’ folder. Now click on the ‘Certificates’ folder. After that, right-click on the certificate you wish to export and select ‘All Tasks’. Then click on ‘Export’.
Click on ‘Next’ in the Certificate Export Wizard.
Choose ‘Yes, export the private key’ and click ‘Next’.
Click the checkbox ‘Include all certificates in the certification path if possible’ and click ‘Next’.
After that, enter a password and confirm it. This password will be needed whenever the certificate is imported to another server.
Click ‘Browse’ and save the ‘.pfx’ file to a preferred location. Choose a name such as ‘mydomain.pfx’ and click ‘Next’.
Click ‘Finish’. With this step, a ‘.pfx’ file containing the certificates and the private key is saved to the location you specified.
Procedure to Import the certificate in the Windows MMC console
After you have successfully exported the certificate from the original server, you need to copy the .pfx file that you created to the new server. Now follow these steps to import the certificate:
From the ‘Start’ menu click on ‘Run’.
Type ‘mmc’ and proceed by clicking ‘OK’.
From the ‘File’ menu, select ‘Add/Remove Snap-in…’
Click on the ‘Add’ button and double-click on ‘Certificates’ if you are using Windows Server 2003.
Select ‘Computer account’ from all the options and click ‘Next’.
Leave the option ‘Local computer’ selected.
If you are using Windows Server 2003, you need to click on the ‘Close’ button and then ‘OK’ to continue.
Now right-click on the ‘Personal’ folder. Then select ‘All Tasks’ and continue by clicking on ‘Import…’
Click ‘Next’ in the Certificate Import Wizard.
Click on the ‘Browse’ button. Change the file type from ‘X.509…’ to ‘Personal Exchange’ (*.pfx, *.p12). Now find the .pfx file that you copied over, click ‘Open’ and then click on the ‘Next’ button.
Enter the password you set when exporting the .pfx file. Then click on ‘Mark this as exportable’. This way you can export the certificate from this machine as well as from the original. Click ‘Next’.
Click ‘Automatically select the certificate store based on the type of certificate’. Then click ‘Next’.
To complete the wizard, click ‘Finish’.
Now click on the ‘Refresh’ button in the toolbar and find your certificate in the ‘Certificates’ folder under ‘Personal’. Double-click on it and look for ‘You have a private key that corresponds to this certificate’ at the bottom of the certificate dialog to verify that the certificate was imported correctly.
Now close the MMC console; you don’t need to save any changes there.
Steps to Assign the SSL certificate
After you have imported the .pfx file, you need to assign the certificate to the site in IIS.
Open the Internet Information Services (IIS) Manager and right-click on the website that needs the certificate. Then click on ‘Properties’.
Click on the ‘Directory Security’ tab. To run the Server Certificate wizard, click on the ‘Server Certificate’ button.
In case you already have a certificate on that website, you will need to remove it and then start the wizard again.
Now, click on ‘Assign an existing certificate’. Then click ‘Next’ to continue.
Select the new certificate that you imported. Click ‘Next’.
Click on the ‘Finish’ button. For the certificate to start working on the assigned website, you need to restart IIS.
With these steps, the procedure of moving an SSL certificate from one server to another can be completed very easily.
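The same export, import and assign sequence as a PowerShell script, added here as an example and not part of the original guide. It assumes Windows Server 2012 or later with the PKI and WebAdministration modules; the function names, thumbprint, file path and site name are illustrative placeholders.

```powershell
# Added example. Assumes Windows Server 2012 or later (PKI and WebAdministration modules).
# Function names and all parameter values are illustrative, not from the original guide.
function Export-ServerCertificate {          # run on the original server
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Same store as the MMC steps: Certificates (Local Computer) > Personal
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key to export." }
    # BuildChain corresponds to 'Include all certificates in the certification path if possible'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
    return $cert.Thumbprint
}

function Import-ServerCertificate {          # run on the new server
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [Parameter(Mandatory)] [string] $SiteName,
        [switch] $Exportable   # the wizard's exportable checkbox; off unless requested
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $Password -Exportable:$Exportable | Out-Null
    # Confirm the expected certificate arrived together with its private key
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$ExpectedThumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key." }
    # Assign it to the site's existing HTTPS binding
    Import-Module WebAdministration
    $binding = Get-WebBinding -Name $SiteName -Protocol https
    if (-not $binding) { throw "Site '$SiteName' has no https binding to assign the certificate to." }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    # The .pfx holds the private key; remove the transfer copy once the import is verified
    Remove-Item -Path $PfxPath -Force
    return $cert
}

# Usage (placeholder values; enter the password on each server):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Original server: Export-ServerCertificate -Thumbprint '<THUMBPRINT>' -PfxPath 'C:\temp\mydomain.pfx' -Password $pw
#   New server:      Import-ServerCertificate -PfxPath 'C:\temp\mydomain.pfx' -Password $pw `
#                        -ExpectedThumbprint '<THUMBPRINT>' -SiteName '<SITE NAME>'
```

Leaving out `-Exportable` on the new server keeps the imported private key non-exportable there, which limits how far the key can spread from that machine.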