To move a SSL certificate from Microsoft IIS 7.0 to Apache, the certificate must be converted from a PKCS#12 (.p12 or .pfx) to two separate files (private and public key).
Step 1: Export certificate in IIS 7
- From the web server, click Start
- In the Search programs and files field, type mmc
- From the Programs list, click mmc.exe
- At the permission prompt, click Yes
- From the Microsoft Management Console (MMC), click File > Add/Remove Snap-in
- From the list of snap-ins, select Certificates
- Click Add
- Select Computer account
- Click Next
- Select Local computer (the computer this console is running on)
- Click Finish
- In the Add/Remove Snap-in window, click OK
- Save these console settings for future use
- Double click on Certificates (Local Computer) in the center window.
- Double click on the Personal folder, and then on Certificates.
- Right Click on the Certificate you would like to backup and choose > All Tasks > Export
- Follow the Certificate Export Wizard to backup your certificate to a .pfx file.
- Choose to 'Yes, export the private key'
- Choose to "Include all certificates in certificate path if possible." (do NOT select the delete Private Key option)
- Enter a password you will remember
- Choose to save file on a set location
- Click Finish
- You will receive a message > "The export was successful." > Click OK
- The .pfx file backup is now saved in the location you selected.
Step 2: Convert PFX file to compatible files for Apache
Move the .pfx file to the Apache server.
To extract the private key, run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -nocerts -out key.pem
To extract the certificate (public key), run the OpenSSL command:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out cert.pem
Step 3: Install SSL certificate for Apache
For installation instructions, refer to RapidSSL knowledge base article: SO6252
If these steps are unsuccessful, and you are not able to export your SSL certificate from IIS 7 to Apache, you will need to create a new CSR and reissue your certificate. Please see the instructions on solution: SO5757
If you do not want to include a passphrase you can use the following command:
openssl rsa -in key.pem -out server.key