Need to make a certificate generated in Open SSL / Thawte work in IIS6 (Private Key is missing from the Cert)

Posted on 2007-10-14
Last Modified: 2008-02-26
Hi All,

I have generated a certificate signing request via openssl and have sent it to thawte for a cert.
I received the cert back; however, when I try to use it in IIS the private key is missing from the cert.
From what I have read, IIS prefers to create its own CSR and automatically installs the private key.
However, I now have a .key file and a separate thawte key that I need to get working in IIS6.

Points to note...

The current certificate on the IIS6 website was generated from MS Domain server CA, and when viewed has Private key mentioned at the bottom.  ( This cert works, however we purchased a thawte cert to get around those pesky messages )

The Thawte Cert does not have the private key mentioned when viewed.

Google has not found me anything useful, so I am hoping one of you can help me out.

Question by:medfacit

    Accepted Solution

    You need to join the certificate you got from thawte and the key you generated yourself into a single pkcs12 file, and then import it using the standard procedure for certificates (using mmc and the certificates snap-in).

    Creation of pkcs12 file:

    openssl pkcs12 -export -out file.p12 -inkey privatekey.key -in certificate.crt

    Author Comment


    TN 5768 - How do I move an SSL server certificate from Apache to IIS 5?

    In order to transfer an existing keypair from Apache to IIS 5.0 you must convert the private key and Entrust SSL certificate to a single P12 file using OpenSSL.


    1.  Convert the keypair to a P12 format (PFX)

    openssl pkcs12 -export -out file.p12 -inkey privatekey.key -in certificate.crt

    "file.p12" is your new container file
    "privatekey.key" is the name of your existing private key
    "certificate.crt" is your Entrust SSL certificate


    [root@Apache9 conf]# openssl pkcs12 -export -out keypair.p12 -inkey /etc/httpd/conf/ssl.key/apache9-0.key -in /etc/httpd/conf/ssl.crt/apache9-0.crt
    Enter pass phrase for /etc/httpd/conf/ssl.key/apache9-0.key:
    Enter Export Password:
    Verifying - Enter Export Password:
    [root@Apache9 conf]#

    As shown in the example above, you must know the current password of the original private key if set at the time the private key was created.  You may then specify a password for the export file and transfer this file to your IIS 5.0 machine that is going to host the site.

    2. Adding your Certificate Snap-In

    Once you have transferred the P12 file to the IIS 5.0 machine, the Certificates snap-in utility must be installed in order to import your P12 file.

    In Windows 2000, use the following steps to create a new Microsoft Management Console (MMC) and add the

    Click Start, and then click Run.
    Type in "MMC" (without the quotation marks) and click OK.
    Click Console in the new MMC you created, and then click Add/Remove Snap-in.
    In the new window that appears, click Add.
    Highlight Certificates, and then click Add.
    Choose the Computer account option and click Next.
    Select Local Computer on the next screen, and then click Finish.
    Click Close, and then click OK.

    3. Importing your P12 file:

    From the MMC console opened in the above process:
    Expand the 'Certificates' tree in the left preview panel
    Right-click 'Personal'
    Select All Tasks/Import - The Certificate Import Wizard appears.
    Select Next to continue.
    Browse to, and Select your P12 keypair file.
    Select Next to continue.

    Supply the password which was provided during the creation of the P12 keypair file.
    N.B. Be sure the 'Mark the key as exportable' option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to ensure that no one can make a backup of your private key.

    Select Next twice to continue and Finish

    Select OK to complete the Import.
    You have successfully imported your P12 keypair into the Windows certificate store.

    4. Assign the certificate to the IIS 5.0 site

    To enable IIS 5.0 to use this certificate, please follow the steps below:

    Go into the properties of the site and choose the Directory Security tab
    Click on Server Certificate button under Secure Communication area.
    Choose the option "Assign an existing certificate"
    A pop up will appear with your certificate. Choose the certificate and finish the wizard.
    Make sure that SSL Port 443 is open on the firewall and within IIS 5 (default tab)
    Stop and Start the website.
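
Before running the `openssl pkcs12 -export` command given in the answer and the tech note above, it is worth confirming that the private key really belongs to the issued certificate, and afterwards that the resulting P12 file carries the key that IIS reported as missing. The script below is an added example, not part of the original thread or the Entrust note; the key and certificate are constructed throwaway self-signed pairs, and the function names and the `P12_PASS` variable are assumptions.

```shell
# Constructed demo material: throwaway self-signed pairs stand in for the
# OpenSSL-generated key and the CA-issued certificate. All names are assumptions.
work=$(mktemp -d)
export P12_PASS='constructed-demo-password'   # export password, passed via env:

gen_pair() {  # gen_pair KEYFILE CERTFILE COMMON_NAME
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Public key (PEM) derived from a private key file / embedded in a certificate.
pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only when both public keys could be read and are identical.
key_matches_cert() {
  k=$(pub_from_key "$1") && c=$(pub_from_cert "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_p12 KEYFILE CERTFILE OUTFILE: refuse to bundle a mismatched pair.
make_p12() {
  key_matches_cert "$1" "$2" || {
    echo "refusing: private key does not match certificate" >&2
    return 1
  }
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS
}

# True when the P12 file decrypts with the password and holds a private key.
p12_has_key() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

gen_pair "$work/privatekey.key" "$work/certificate.crt" www.example.test
gen_pair "$work/other.key" "$work/other.crt" other.example.test

# Matching pair: the bundle is created and contains the key.
make_p12 "$work/privatekey.key" "$work/certificate.crt" "$work/file.p12" \
  && p12_has_key "$work/file.p12" && echo "file.p12 contains the private key"

# Wrong key for this certificate: no bundle is written.
make_p12 "$work/other.key" "$work/certificate.crt" "$work/bad.p12" \
  || echo "mismatched pair rejected"
```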

