We help IT Professionals succeed at work.

SSL Cert Export/Import Question

Medium Priority
Last Modified: 2013-12-07
Recently had to move our web server to a different box, both old/new were running 2003 standard.  I went into IIS and chose to export the SSL cert as a pfx file and then imported it using IIS on the new box.  When visiting the new box, IE 7 issues no warning but Firefox does issue a warning about the authenticity of the SSL.  Is there anything special I need to do when exporting/importing an SSL cert?
Watch Question

Manager Technology
you need to use microsoft management console to do it follow these steps:

Exporting/Backing up your Certificate/Private Key in IIS (.pfx file format)
1.) Start > Run
2.) Type in MMC and click OK
3.) Go into the File Tab > select Add/Remove Snap-in...
4.) Click on Add > Double Click on Certificates and click on Add > OK
5.) Select Computer Account
6.) Select Local Computer
7.) Click the + to Expand the Certificates Console Tree
8.) Look for the Personal directory/folder and expand Certificates.
9.) Right Click on the Certificate you would like to backup and choose > ALL TASKS > Export
10.) Follow the Certificate Export Wizard to backup your certificate to a .pfx file
11.) Choose to 'Yes, export the private key'
12.) Choose to include all certificates in certificate path if possible. (do NOT select the delete Private Key option)
13.) Leave default settings > Enter Password (if required)
14.) Choose to save file on a set location
15.) Finish
16.) You will receive a message > Export Successful
17.) The .pfx file backup is now saved in the location you selected.
18.) If you have a CD-Rom burner we suggest that you backup the pfx file, a copy of the Intermediate Root Certificate (DigiCertCA.crt) & Root Certificate (TrustedRoot.crt) to a CD.
Importing your Certificate/Private Key in IIS (from .pfx file format)
1.) Start > Run
2.) Type in MMC and click GO
3.) Go into the Console Tab (or File) > select Add/Remove Snap-in
4.) Click on Add > Double Click on Certificates and click on Add > OK
5.) Select Computer Account
6.) Select Local Computer
7.) Click the + to Expand the Certificates Consol Tree
8.) Right click on the Personal Certificates Store (folder)
9.) Choose > ALL TASKS > Import
10.) Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
11.) Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.
12.) In your IIS manager, right-click on the site that you would like to use the certificate and select properties.
13.) Click on the Directory Security Tab and hit the Server Certificate Button. This will start the server certificate wizard.
14.) If you are asked what you want to do with the current certificate on the site, choose to remove it, finish the wizard, and click the server certificate button to run the wizard again.
15.) Choose to 'Assign an existing certificate' to the site and choose the new certificate that you just imported.
16.) Finish the certificate wizard.
17.) Restart the server.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Top Expert 2007

Short answer - no.

Longer answer - I have seen odd bahavior in the way FireFox handles PKI authentication.  The simple fact that it will let you trust a certiuficate rather than requiring you to trust the issuer is odd in and of itself.

It does not surprise me to see FireFox throwing an SSL error where IE7 isn't if there is any difference in the server that is actually serving the web pages.  Chances are that the certificate is valid and that FireFox is just acting strange.  If there was actually a problem with the certificate IE would complain as well.

Dave Dietz
Scott BennettManager Technology
you will need to make sure you choose to "include all certificates in certificate path", that may be a problem if you didn't.
The problem is that you have a missing sub-CA or intermediate roots. The thing is that IE doesn't check the intermediate roots where FF does.
Scott BennettManager Technology

yes if you don't select the "include all certificates in certificate path" option, then the intermediate certs will not be imported into the new site and some browsers will break, depending on how their trusted certificate authorities are set up (each browser has its one way of handling trusted certificate authorities).
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.