Ask a Question

General Information ID : INFO782

Managed PKI for SSL - Export (or Backup) a Certificate


 When a certificate is Exported (backed up), the system copies the private key into an encrypted file.  The private key was created on the server when the Certificate Signing Request (CSR) was generated.  Select the correct software vendor and version below for backup instructions.
IMPORTANT!   Symantec highly recommends that you save the exported file to an external source and store it in a safe place


Microsoft IIS Version 5.0, 6.0, 7.0 & 8
Step 1:  Create a Microsoft Management Console (MMC) Snap-in for managing certificates
Step 2:  Export the certificate
1.  Open the Certificates (Local Computer) snap-in you added, and select Personal > Certificates.

2.  The Subject field of the certificate lists the Common Name (CN). (Click Tools > Internet Options > Content to view the Common Name if you are not sure).

3.  Right-click on the desired certificate and select All Tasks > Export. The Certificate Export Wizard opens.
4.  Select Yes, export the private key.

5.  Click Next.

6.  In the Export File Format window, ensure the option for Personal Information Exchange  - PKCS#12 (.pfx) is selected.

7.  Select Include all certificates in the certificate path if possible and then click Next. (If 'Include all certificates in the certificate path' option is not selected, the server may not recognize the issuer of the certificate, which may result in security warnings for clients. 

8.  De-select Require Strong Encryption. (This may cause a password prompt every time an application attempts to access the private key, or it may cause IIS to fail).

9.  Click Next.

10.  Enter and confirm a password to protect the PFX file and click Next.

11.  Choose a file name and location for the export file (do not include an extension in the file name; the wizard automatically adds the PFX extension).

12.  Click Next.

13.  Read the summary and verify that the information is correct.  Pay special attention to where you saved the file. Ensure that the information is correct.

14.  Click Finish.
1.  Locate the private key and certificate files.  The following directives in the httpd.conf point to the location of the key and certificate files:
SSLCertificateFile ... /path/to/mycertfile.crt 

SSLCACertificateFile … /path/to/intermediate.crt

SSLCertificateKeyFile ... /path/to/mykeyfile.key
2.  Make a copy of the: .key file, both .crt files (the server certificate and intermediate CA certificate), and the httpd.conf file.
<filename>.key – private key

<filename>.crt – server certificate

<filename>.crt – intermediate CA certificate(s)

httpd.conf - Web server configuration file
iPlanet Version 4.0 and 6.0
1.  Locate the alias directory within the iPlanet directory

2.  Locate the files: https < server_name > cert7.db and https <server_name> key3.db.

3.  Copy the files.
IBM Websphere Server
1.  Type ikeyman on a command line on UNIX or start the Key Management utility in the IBM Websphere Server folder.

2.  Select Key Database File from the main menu, and then select Open.

3.  In the Open dialog box, type the key database name or click the key.kdb file if you are using the default.  Click OK.

4.  In the Password Prompt dialog box, type your password, and click OK.

5.  Select Personal Certificates in the Key Database content frame, and then click the Export/Import button on the label.

6.  In the Export/Import Key window, select Export Key.

7.  Select the key database file type.

8.  Type the file name or browse and select the location and file name, and then click OK.

9.  In the Password Prompt dialog box, type the password, and then click OK.

10.  In the Select from Key Label list, select the correct label name and click OK.
1.  Navigate to the SSL Directory where the SSL Keystore is kept.  By default this can be a hidden directory.  For example: /root/.keystore

2.  Make a copy of the keystore file in this directory.  This contains the Private and Public keys.  This file can be imported to servers.  If needed the file extension can be renamed to .p12 or .pfx.