SSL Cert Export/Import Question

Posted on 2007-07-20
Last Modified: 2013-12-07
Recently had to move our web server to a different box, both old/new were running 2003 standard.  I went into IIS and chose to export the SSL cert as a pfx file and then imported it using IIS on the new box.  When visiting the new box, IE 7 issues no warning but Firefox does issue a warning about the authenticity of the SSL.  Is there anything special I need to do when exporting/importing an SSL cert?
Question by:BendOverIGotYourBack

Accepted Solution

Scott Bennett earned 900 total points
ID: 19535014
You need to use Microsoft Management Console to do it. Follow these steps:

Exporting/Backing up your Certificate/Private Key in IIS (.pfx file format)
1.) Start > Run
2.) Type in MMC and click OK
3.) Go into the File Tab > select Add/Remove Snap-in...
4.) Click on Add > Double Click on Certificates and click on Add > OK
5.) Select Computer Account
6.) Select Local Computer
7.) Click the + to Expand the Certificates Console Tree
8.) Look for the Personal directory/folder and expand Certificates.
9.) Right Click on the Certificate you would like to backup and choose > ALL TASKS > Export
10.) Follow the Certificate Export Wizard to backup your certificate to a .pfx file
11.) Choose to 'Yes, export the private key'
12.) Choose to include all certificates in certificate path if possible. (do NOT select the delete Private Key option)
13.) Leave default settings > Enter Password (if required)
14.) Choose to save file on a set location
15.) Finish
16.) You will receive a message > Export Successful
17.) The .pfx file backup is now saved in the location you selected.
18.) If you have a CD-Rom burner we suggest that you backup the pfx file, a copy of the Intermediate Root Certificate (DigiCertCA.crt) & Root Certificate (TrustedRoot.crt) to a CD.

Importing your Certificate/Private Key in IIS (from .pfx file format)
1.) Start > Run
2.) Type in MMC and click GO
3.) Go into the Console Tab (or File) > select Add/Remove Snap-in
4.) Click on Add > Double Click on Certificates and click on Add > OK
5.) Select Computer Account
6.) Select Local Computer
7.) Click the + to Expand the Certificates Console Tree
8.) Right click on the Personal Certificates Store (folder)
9.) Choose > ALL TASKS > Import
10.) Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
11.) Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.
12.) In your IIS manager, right-click on the site that you would like to use the certificate and select properties.
13.) Click on the Directory Security Tab and hit the Server Certificate Button. This will start the server certificate wizard.
14.) If you are asked what you want to do with the current certificate on the site, choose to remove it, finish the wizard, and click the server certificate button to run the wizard again.
15.) Choose to 'Assign an existing certificate' to the site and choose the new certificate that you just imported.
16.) Finish the certificate wizard.
17.) Restart the server.

Expert Comment

ID: 19536811
Short answer - no.

Longer answer - I have seen odd behavior in the way FireFox handles PKI authentication.  The simple fact that it will let you trust a certificate rather than requiring you to trust the issuer is odd in and of itself.

It does not surprise me to see FireFox throwing an SSL error where IE7 isn't if there is any difference in the server that is actually serving the web pages.  Chances are that the certificate is valid and that FireFox is just acting strange.  If there was actually a problem with the certificate IE would complain as well.

Dave Dietz

Assisted Solution

by:Scott Bennett
Scott Bennett earned 900 total points
ID: 19537198
You will need to make sure you choose to "include all certificates in certificate path"; that may be a problem if you didn't.

Assisted Solution

servitinfo earned 100 total points
ID: 19564157
The problem is that you have a missing sub-CA or intermediate roots. The thing is that IE doesn't check the intermediate roots where FF does.

Expert Comment

by:Scott Bennett
ID: 19566773
Yes, if you don't select the "include all certificates in certificate path" option, then the intermediate certs will not be imported into the new site and some browsers will break, depending on how their trusted certificate authorities are set up (each browser has its own way of handling trusted certificate authorities).
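
A way to check, before importing, whether an exported .pfx actually carries the intermediate certificates discussed in this thread (an added example, not part of the original posts). The function name `Test-PfxChain` and the file name in the usage comment are hypothetical; issuers are matched by name only, and signatures are not verified.

```powershell
# Added example: walk the issuer chain using ONLY the certificates inside the .pfx,
# so certificates already present in the local Windows stores cannot hide a gap.
function Test-PfxChain {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        [Parameter(Mandatory = $true)] [securestring] $Password
    )
    # X509Certificate2Collection.Import only accepts a plain string password.
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import((Resolve-Path $PfxPath).Path, $plain,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    # The site certificate is the entry that carries the private key.
    $leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

    $chain = @($leaf)
    $current = $leaf
    $missingIssuer = $null
    while ($current.Subject -ne $current.Issuer) {      # stop at a self-signed root
        $wanted = $current.Issuer
        $issuer = $certs |
            Where-Object { $_.Subject -eq $wanted -and $chain.Thumbprint -notcontains $_.Thumbprint } |
            Select-Object -First 1
        if (-not $issuer) { $missingIssuer = $wanted; break }   # gap: issuer not in the file
        $chain += $issuer
        $current = $issuer
    }

    [pscustomobject]@{
        Leaf            = $leaf.Subject
        CertsInFile     = $certs.Count
        ChainInFile     = $chain | ForEach-Object { $_.Subject }
        # $null means the file reaches a self-signed root. If this equals the leaf's
        # issuer, the .pfx holds only the site certificate and no intermediates.
        MissingIssuer   = $missingIssuer
        LeafOnly        = ($chain.Count -eq 1 -and $null -ne $missingIssuer)
    }
}

# Usage (hypothetical file name):
# Test-PfxChain -PfxPath .\site.pfx -Password (Read-Host -AsSecureString 'PFX password')
```

If `LeafOnly` is true, re-export with the certificate path included, or install the CA's intermediate certificate on the new server separately.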
