Website certificate import and Email certificate import
- 1. Exporting Windows certificate
- 2. Convert Windows certificate to Linux certificate
- 3. Assign SSL certificate to Linux webserver
- 4. Assign SSL certificate to Linux mail server
1. Exporting Windows certificate
Move or copy an SSL certificate from a Windows server to an Nginx server
If you have multiple servers that need to use the same SSL certificate, such as in a load-balancer environment or when using a wildcard or UC SSL certificate, you can export the certificate from the Windows certificate store to a .pfx file, convert that file to individual certificate and private key files, and use them on an Nginx server. This may also be necessary when you switch hosting companies. This article goes over the exact process with step-by-step instructions. If necessary, you can copy the SSL certificate from an Nginx server to a Windows server instead.
We will assume that you have already successfully installed the SSL certificate on the Windows web server. You will follow these steps to move or copy that working certificate to the Nginx server:
Export the SSL certificate from the Windows server with the private key and any intermediate certificates into a .pfx file.
Convert the .pfx file to individual certificates and private keys.
Import the SSL certificates and private key on the new server.
Configure your Nginx web sites to use the certificate.
The following screenshots are from a Windows Server 2008 machine but the instructions will also work for older (Windows Server 2003) and newer versions (Windows Server 2016).
Export the certificate from the Windows MMC console
Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 or higher (IIS7 or higher) you can also import and export certificates directly in the Server Certificates section in IIS.
Click on the Start menu and click Run.
Type in mmc and click OK.
Click on the File menu and click Add/Remove Snap-in...
If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.
Click on Computer Account and click Next.
Leave Local Computer selected and click Finish.
If you are using Windows Server 2003, click the Close button. Click OK.
Click the plus sign next to Certificates in the left pane.
Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export...
In the Certificate Export Wizard click Next.
Choose "Yes, export the private key" and click Next.
Click the checkbox next to "Include all certificates in the certification path if possible" and click Next.
Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.
Click Browse and find a location to save the .pfx file to. Type in a name such as "mydomain.pfx" and then click Next.
Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.
2. Convert Windows certificate to Linux certificate
Convert the .pfx file using OpenSSL
After you have exported the certificate from the Windows server, you will need to extract all the individual certificates and the private key from the .pfx file using OpenSSL. (Instead of using OpenSSL, you can use the SSL Converter to convert the .pfx file to a .pem file and then follow step 3.)
1. Copy the .pfx file to the server or another computer that has OpenSSL installed.
2. Run this OpenSSL command to create a text file with the contents of the .pfx file:
openssl pkcs12 -in mydomain.pfx -out mydomain.txt -nodes
3. Open the mydomain.txt file that the command created in a text editor. Copy each certificate/private key to its own text file, including the "-----BEGIN RSA PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" headers. Save them with names such as mydomain.key, mydomain.crt, intermediateCA.crt, etc.
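The copy-and-paste in step 3 can be scripted. The following is an added example, not part of the original instructions: the function names, the output directory layout and the sample bundle are constructed for illustration. Because -nodes leaves the private key unencrypted, the files are created owner-only, and the key header is matched loosely because some OpenSSL versions print "BEGIN PRIVATE KEY" instead of "BEGIN RSA PRIVATE KEY".

```shell
#!/bin/sh
# Added example: split the text file written by "openssl pkcs12 ... -nodes"
# into <name>.key, <name>.crt and intermediateCA.crt.
# Assumption: the first CERTIFICATE block is the server certificate and any
# later blocks are intermediates; confirm with "openssl x509 -noout -subject".

split_pem_bundle() {   # usage: split_pem_bundle mydomain.txt outdir name
    bundle=$1 outdir=$2 name=$3
    (
        umask 077                      # key is unencrypted: owner-only files
        mkdir -p "$outdir" || exit 1
        rm -f "$outdir/$name.key" "$outdir/$name.crt" "$outdir/intermediateCA.crt"
        awk -v dir="$outdir" -v name="$name" '
            # Matches PRIVATE KEY, RSA PRIVATE KEY and EC PRIVATE KEY headers.
            /^-----BEGIN .*PRIVATE KEY-----/ { out = dir "/" name ".key" }
            /^-----BEGIN CERTIFICATE-----/ {
                out = (++ncert == 1) ? (dir "/" name ".crt") : (dir "/intermediateCA.crt")
            }
            out != ""     { print >> out }   # "Bag Attributes" lines are skipped
            /^-----END /  { close(out); out = "" }
        ' "$bundle"
    )
}

# Constructed sample in the layout pkcs12 prints; bodies are placeholders,
# not real key material.
make_sample_bundle() {
    cat <<'EOF'
Bag Attributes
    friendlyName: constructed-sample
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY
-----END PRIVATE KEY-----
Bag Attributes
subject=CN = mydomain.example
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-LEAF
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)
make_sample_bundle > "$demo_dir/mydomain.txt"
split_pem_bundle "$demo_dir/mydomain.txt" "$demo_dir/out" mydomain
ls -l "$demo_dir/out"
```

For Nginx, the file named by ssl_certificate must hold the server certificate followed by the intermediates, so concatenate mydomain.crt and intermediateCA.crt in that order before referencing the result.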
3. Assign SSL certificate to Linux webserver
Assigning the SSL certificate to a website
After you have converted the .pfx file, you will need to copy the newly created files to the Nginx server and edit your Nginx configuration file to use them. Just follow our Nginx SSL Installation instructions to do this.
Nginx SSL Installation instructions:
Edit the nginx configuration file:
A sample of the file is:
Save the configuration file and restart the service to apply modifications.
To restart the Nginx service, use:
systemctl restart nginx.service
While there are several steps in the process, moving an SSL certificate from a Windows server to an Nginx server is quite simple. It involves exporting a working SSL certificate from the MMC console to a .pfx file, which contains the certificates and private key, and then converting that file to separate files. You can then copy the files to the Nginx server and install the certificate as usual. If you need to move your SSL certificate to or from a different type of server, select the server type on our main SSL Certificate Import/Export Page.
4. Assign SSL certificate to Linux mail server
4.1. Import a certificate from a pfx file e.g. exported from a Windows server
root@me:~# openssl pkcs12 -in ExportWithPrivate.pfx -clcerts -nokeys -out mydomain.crt
IMPORTANT - These files are to be kept SECRET.
root@me:~# openssl pkcs12 -in ExportWithPrivate.pfx -out servername.pem
root@me:~# openssl rsa -in servername.pem -out exim.key
Now concatenate the certificates:
root@me:~# cat mydomain.crt /etc/ssl/certs/ca-certificates.crt > exim.crt
Copy the files
IMPORTANT: Backup the files to a secure location and delete the remaining files.
4.2. Update Exim configuration files
For split-file configuration (Debian only), edit the file /etc/exim4/conf.d/main/03_exim4-config_tlsoptions and uncomment:
#log_selector = +tls_cipher +tls_peerdn
#tls_advertise_hosts = *
#tls_certificate = CONFDIR/exim.crt
#tls_privatekey = CONFDIR/exim.key
Then, activate the exim4 changes by:
Change the file permissions so that only exim can read the files (if you are running as exim):
root@myserver:~# chmod 600 exim.*
root@myserver:~# chown exim exim.*
In either case you need to restart exim:
systemctl restart exim4.service
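Before restarting nginx (section 3) or exim4 (section 4), it helps to confirm that the private key belongs to the certificate and is not readable by other users, since hand-copied PEM blocks are easy to mix up. This check is an added example, not part of the original instructions; check_tls_pair, selftest and the return codes are this example's own names.

```shell
#!/bin/sh
# Added example: check a key/certificate pair before restarting nginx or exim4.
# Return codes are this example's own convention:
#   0 pair is usable                   1 key does not belong to the certificate
#   2 key readable by group or others  3 file missing or not parsable

check_tls_pair() {   # usage: check_tls_pair mydomain.key mydomain.crt
    key=$1 crt=$2
    [ -r "$key" ] && [ -r "$crt" ] || return 3
    # Same intent as the page's "chmod 600": no group/other read bit on the key.
    [ -z "$(find -L "$key" \( -perm -040 -o -perm -004 \))" ] || return 2
    # Compare public keys (works for RSA and EC). The empty -passin makes an
    # encrypted key fail instead of prompting. Only the first certificate in
    # $crt is read, so a file with the CA chain appended still checks out.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 3
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 3
    [ "$key_pub" = "$crt_pub" ] || return 1
}

# Self-test on throwaway self-signed pairs generated on the spot (constructed
# data; needs openssl on PATH). Run with: sh <this file> --selftest
selftest() {
    d=$(mktemp -d) || return 3
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
            -keyout "$d/$n.key" -out "$d/$n.crt" >/dev/null 2>&1 || return 3
        chmod 600 "$d/$n.key"
    done
    rc=0; check_tls_pair "$d/a.key" "$d/a.crt" || rc=$?; echo "matching pair:   $rc"
    rc=0; check_tls_pair "$d/b.key" "$d/a.crt" || rc=$?; echo "mismatched pair: $rc"
    rm -rf "$d"
}
[ "${1:-}" != "--selftest" ] || selftest
```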