SSL Cert Export/Import Question

Posted on 2007-07-20
Last Modified: 2013-12-07
Recently had to move our web server to a different box, both old/new were running 2003 standard.  I went into IIS and chose to export the SSL cert as a pfx file and then imported it using IIS on the new box.  When visiting the new box, IE 7 issues no warning but Firefox does issue a warning about the authenticity of the SSL.  Is there anything special I need to do when exporting/importing an SSL cert?
Question by:BendOverIGotYourBack
    LVL 14

    Accepted Solution

    You need to use Microsoft Management Console to do it. Follow these steps:

    Exporting/Backing up your Certificate/Private Key in IIS (.pfx file format)
    1.) Start > Run
    2.) Type in MMC and click OK
    3.) Go into the File Tab > select Add/Remove Snap-in...
    4.) Click on Add > Double Click on Certificates and click on Add > OK
    5.) Select Computer Account
    6.) Select Local Computer
    7.) Click the + to Expand the Certificates Console Tree
    8.) Look for the Personal directory/folder and expand Certificates.
    9.) Right Click on the Certificate you would like to backup and choose > ALL TASKS > Export
    10.) Follow the Certificate Export Wizard to backup your certificate to a .pfx file
    11.) Choose to 'Yes, export the private key'
    12.) Choose to include all certificates in certificate path if possible. (do NOT select the delete Private Key option)
    13.) Leave default settings > Enter Password (if required)
    14.) Choose to save file on a set location
    15.) Finish
    16.) You will receive a message > Export Successful
    17.) The .pfx file backup is now saved in the location you selected.
    18.) If you have a CD-Rom burner we suggest that you backup the pfx file, a copy of the Intermediate Root Certificate (DigiCertCA.crt) & Root Certificate (TrustedRoot.crt) to a CD.

    Importing your Certificate/Private Key in IIS (from .pfx file format)
    1.) Start > Run
    2.) Type in MMC and click GO
    3.) Go into the Console Tab (or File) > select Add/Remove Snap-in
    4.) Click on Add > Double Click on Certificates and click on Add > OK
    5.) Select Computer Account
    6.) Select Local Computer
    7.) Click the + to Expand the Certificates Console Tree
    8.) Right click on the Personal Certificates Store (folder)
    9.) Choose > ALL TASKS > Import
    10.) Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
    11.) Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.
    12.) In your IIS manager, right-click on the site that you would like to use the certificate and select properties.
    13.) Click on the Directory Security Tab and hit the Server Certificate Button. This will start the server certificate wizard.
    14.) If you are asked what you want to do with the current certificate on the site, choose to remove it, finish the wizard, and click the server certificate button to run the wizard again.
    15.) Choose to 'Assign an existing certificate' to the site and choose the new certificate that you just imported.
    16.) Finish the certificate wizard.
    17.) Restart the server.
    LVL 34

    Expert Comment

    Short answer - no.

    Longer answer - I have seen odd behavior in the way Firefox handles PKI authentication.  The simple fact that it will let you trust a certificate rather than requiring you to trust the issuer is odd in and of itself.

    It does not surprise me to see Firefox throwing an SSL error where IE7 isn't if there is any difference in the server that is actually serving the web pages.  Chances are that the certificate is valid and that Firefox is just acting strange.  If there was actually a problem with the certificate IE would complain as well.

    Dave Dietz
    LVL 14

    Assisted Solution

    You will need to make sure you choose to "include all certificates in certificate path"; that may be a problem if you didn't.
    LVL 1

    Assisted Solution

    The problem is that you have a missing sub-CA or intermediate roots. The thing is that IE doesn't check the intermediate roots where FF does.
    LVL 14

    Expert Comment

    Yes, if you don't select the "include all certificates in certificate path" option, then the intermediate certs will not be imported into the new site and some browsers will break, depending on how their trusted certificate authorities are set up (each browser has its own way of handling trusted certificate authorities).
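
Added example, not part of the thread or any poster's code: it uses the OpenSSL command line (an assumption, the thread itself only uses the MMC wizard) to build a throwaway root, intermediate and server certificate, exports the server certificate to a .pfx with and without the rest of the path, and then checks each as a client that trusts only the root would. All subject names, file names and the password are constructed.

```shell
#!/bin/sh
# Added example; every subject name, file name and password here is constructed.
set -eu
WORK=$(mktemp -d)
PASS=pass:demo-only

build_chain() {   # throwaway root -> intermediate -> server certificate
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$WORK/root.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 30 -out "$WORK/int.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.crt" 2>/dev/null
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

export_pfx() {    # $1 = output file; further args are passed to openssl pkcs12
  out=$1; shift
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" "$@" \
    -passout "$PASS" -out "$out"
}

count_certs() {   # number of certificates carried inside a .pfx
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Model a client that trusts only the root and is handed whatever the .pfx carried.
client_verifies() {
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "$PASS" -out "$1.extra" 2>/dev/null
  if grep -q 'BEGIN CERTIFICATE' "$1.extra"; then set -- -untrusted "$1.extra"; else set --; fi
  openssl verify -CAfile "$WORK/root.crt" "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

build_chain
export_pfx "$WORK/leaf-only.pfx"                               # path not included
export_pfx "$WORK/with-chain.pfx" -certfile "$WORK/chain.pem"  # full path included
for f in leaf-only with-chain; do
  if client_verifies "$WORK/$f.pfx"; then r=OK; else r=FAIL; fi
  echo "$f.pfx: $(count_certs "$WORK/$f.pfx") cert(s), client validation $r"
done
```

Running `count_certs` against a real export before importing it shows whether the intermediate travelled with the key; a count of 1 means only the server certificate is in the file.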
