Website certificate import and Email certificate import


Introduction

1. Exporting Windows certificate

Move or copy an SSL certificate from a Windows server to an Nginx server

If you have multiple servers that need to use the same SSL certificate, such as in a load-balancer environment or when using wildcard or UC SSL certificates, you can export the certificate from the Windows certificate store to a .pfx file, convert that file to individual certificate and private key files, and use them on an Nginx server. This may also be necessary when you switch hosting companies. This article goes over the exact process with step-by-step instructions. If necessary, you can copy the SSL certificate from an Nginx server to a Windows server instead.

We will assume that you have already successfully installed the SSL certificate on the Windows web server. You will follow these steps to move or copy that working certificate to the Nginx server:

Export the SSL certificate from the Windows server with the private key and any intermediate certificates into a .pfx file.

Convert the .pfx file to individual certificates and private keys.

Import the SSL certificates and private key on the new server.

Configure your Nginx web sites to use the certificate.

The following screenshots are from a Windows Server 2008 machine but the instructions will also work for older (Windows Server 2003) and newer versions (Windows Server 2016).

Export the certificate from the Windows MMC console

Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 or higher (IIS7 or higher) you can also import and export certificates directly in the Server Certificates section in IIS.

Click on the Start menu and click Run.

Type in mmc and click OK.

Click on the File menu and click Add/Remove Snap-in...

If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.

Click on Computer Account and click Next.

Leave Local Computer selected and click Finish.

If you are using Windows Server 2003, click the Close button. Click OK.

Click the plus sign next to Certificates in the left pane.

Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export...

In the Certificate Export Wizard click Next.

Choose "Yes, export the private key" and click Next.

Click the checkbox next to "Include all certificates in the certification path if possible" and click Next.

Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.

Click Browse and find a location to save the .pfx file to. Type in a name such as "mydomain.pfx" and then click Next.

Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.

2. Convert Windows certificate to Linux certificate

Convert the .pfx file using OpenSSL

After you have exported the certificate from the Windows server, you will need to extract all the individual certificates and the private key from the .pfx file using OpenSSL (instead of using OpenSSL, you can use the SSL Converter to convert the .pfx file to a .pem file and then follow step 3).

1. Copy the .pfx file to the server or another computer that has OpenSSL installed.

2. Run this OpenSSL command to create a text file with the contents of the .pfx file:

```bash
openssl pkcs12 -in mydomain.pfx -out mydomain.txt -nodes
```

3. Open the mydomain.txt file that the command created in a text editor. Copy each certificate/private key to its own text file, including the "-----BEGIN RSA PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" headers. Save them with names such as mydomain.key, mydomain.crt, intermediateCA.crt, etc.
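
Step 3 done by a script instead of by hand, as an added example (not code from the original page): it splits the `-nodes` text dump into the key, the server certificate and the chain, and creates the key file with mode 0600. It assumes the export carries `localKeyID` bag attributes that link the key to its certificate; the function names and the sample are constructed, and the parser also accepts the PKCS#8 `BEGIN PRIVATE KEY` header that current OpenSSL releases write.

```python
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----\r?\n?", re.S)
KEYID_RE = re.compile(r"localKeyID:\s*([0-9A-Fa-f ]+)")

# Constructed sample in `openssl pkcs12 -nodes` layout; bodies are placeholders.
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQga2V5
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgbGVhZg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0E=
-----END CERTIFICATE-----
"""

def split_bundle(text):
    """Return (key, leaf, chain) PEM strings from the -nodes text dump."""
    keys, certs, pos = [], [], 0
    for m in PEM_RE.finditer(text):
        kid = KEYID_RE.search(text[pos:m.start()])  # attributes precede the block
        entry = (kid.group(1).replace(" ", "") if kid else None, m.group(0))
        pos = m.end()
        if m.group(1) == "CERTIFICATE":
            certs.append(entry)
        elif m.group(1) in ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"):
            keys.append(entry)
    if len(keys) != 1:
        raise ValueError("expected exactly one unencrypted private key")
    leaf = [pem for kid, pem in certs if kid and kid == keys[0][0]]
    if len(leaf) != 1:
        raise ValueError("no single certificate shares the key's localKeyID")
    chain = "".join(pem for _, pem in certs if pem != leaf[0])
    return keys[0][1], leaf[0], chain

def write_files(text, outdir, name="mydomain"):
    """Write the key with mode 0600 and the certificates with mode 0644."""
    names = (name + ".key", name + ".crt", "intermediateCA.crt")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL  # never overwrite an existing file
    for fname, pem, mode in zip(names, split_bundle(text), (0o600, 0o644, 0o644)):
        with os.fdopen(os.open(os.path.join(outdir, fname), flags, mode), "w") as f:
            f.write(pem)
    return names
```

The `-nodes` option leaves the private key in mydomain.txt unencrypted, so delete that file once the three output files are written.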

3. Assign SSL certificate to Linux webserver

Assigning the SSL certificate to a website

After you have converted the .pfx file, you will need to copy the newly created files to the Nginx server and edit your Nginx configuration file to use them. Just follow our Nginx SSL Installation instructions to do this.

Nginx SSL Installation instructions:

Edit the nginx configuration file:

```bash
nano /etc/nginx/sites-enabled/custom
```

A sample of the file is:

```nginx
server {
    listen               443 ssl;  # "ssl" here replaces the deprecated "ssl on;" directive
    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;
    server_name          me.com;
    root                 /var/opt/cyberquest/reports/app/webroot;
    index                index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

In order to use the recently exported certificate, replace the paths of the default certificate and key:

```nginx
    ssl_certificate      /etc/ssl/certs/mydomain.crt;
    ssl_certificate_key  /etc/ssl/private/mydomain.key;
```

Save the configuration file and restart the service to apply modifications.

To restart the Nginx service, use:

```bash
systemctl restart nginx.service
```

While there are several steps in the process, moving an SSL certificate from a Windows server to an Nginx server is quite simple. It involves exporting a working SSL certificate from the MMC console to a .pfx file, which contains the certificates and private key, and then converting that file to separate files. You can then copy the files to the Nginx server and install the certificate as usual. If you need to move your SSL certificate to or from a different type of server, select the server type on our main SSL Certificate Import/Export Page.

4. Assign SSL certificate to Linux mail server

4.1. Import a certificate from a pfx file e.g. exported from a Windows server

```console
root@me:~# openssl pkcs12 -in ExportWithPrivate.pfx -clcerts -nokeys -out mydomain.crt
```

IMPORTANT - These files are to be kept SECRET.

```console
root@me:~# openssl pkcs12 -in ExportWithPrivate.pfx -out servername.pem
root@me:~# openssl rsa -in servername.pem -out exim.key
```

Now concatenate the certificates:

```console
root@me:~# cat mydomain.crt /etc/ssl/certs/ca-certificates.crt > exim.crt
```

Copy the files exim.key and exim.crt to /etc/exim.

IMPORTANT: Back up the files to a secure location and delete the remaining files.

4.2. Update Exim configuration files

For split-file configuration (Debian only), edit the file /etc/exim4/conf.d/main/03_exim4-config_tlsoptions and uncomment:

```
#log_selector = +tls_cipher +tls_peerdn
#tls_advertise_hosts = *
#tls_certificate = CONFDIR/exim.crt
#tls_privatekey = CONFDIR/exim.key
```

Then, activate the exim4 changes by running:

```bash
update-exim4.conf
```

Change the file security so that only exim can read them (if you are running as exim):

```console
root@myserver:~# chmod 600 exim.*
root@myserver:~# chown exim exim.*
```

In either case you need to restart exim:

```bash
systemctl restart exim4.service
```

https://github.com/Exim/exim/wiki/_preview