
SSL Certs and NLB config?

Westez
Moving cert from a single Win2003-IIS 6 box to a pair of Win2008-IIS 7 boxes that are load balanced but not an IIS 7 shared config.  Can we assign the one cert to both boxes?

The cert is assigned the name of the website and not the server.  The site name and the IP address will be assigned to the win08 servers.
Principal Consultant
Commented:
add ip for SSL to NLB

export cert to .pk7 format.

import cert into new servers certificate stores.

bind both sites to nlb IP.  bind cert to site

cert can be used on both servers.  Cert must be for website name.

have fun!
If the certificate has the website name, of course you can

Author

Commented:
If you're moving the cert from one server to another wouldn't you need to export the private key?
hi Westez,

As said earlier by the experts, it is possible to install the same certificate on multiple servers. Perhaps if this cert is purchased from a third-party CA like VeriSign, then you need to think about the licensing part, as they issue based on the no. of years X no. of servers.

happy cert migration :)
Forgot, here are the steps to export the private key

Importing your Certificate/Private Key (from .pfx file format)

    Start > Run
    Type in MMC and click OK
    Go into the File Tab > select Add/Remove Snap-in
    Click on Certificates and click on Add.
    Select Computer Account > Click Next
    Select Local Computer > Click Finish
    Click OK to close the Add/Remove Snap-in window.
    Double click on Certificates (Local Computer) in the center window.
    Right click on the Personal Certificates Store (folder)
    Choose > ALL TASKS > Import
    Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. You will need to browse for .pfx files.
    Enter the password that was used when exporting the certificate to a .pfx file.
    If desired, check the box to "Mark this key as exportable."
    When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
    Click Finish to close the certificate wizard.
    Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.

hope this would help.
Greg Hejl, Principal Consultant

Commented:
exporting the cert doesn't move it - it's a copy

and can be imported into certificate store of second server.

then open IIS manager, open server certificates, and you will see your certificate there.

highlight your website - click on bindings - edit the https entry and add the certificate.

i did this three times already today!

Author

Commented:
I'll admit I don't do this that often, and I found this link before I posted up. And I understand it's a copy and not a move.  The comment "save it as a .pk7 file" is what I was asking about, because you don't save the private key in that format.  I'm thinking that if you're going to export from one box and import on another box you're going to want that private key.

http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html

And thanks for the detailed explanations.
Greg Hejl, Principal Consultant

Commented:
there is a switch in the import wizard that makes the certificate exportable - this brings the private key with the cert.

Author

Commented:
Thanks guys, if I get jammed up I'll yelp :)
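
The import step discussed in this thread, as an added example that is not from any participant: a PowerShell function, run on each Win2008 node, that refuses a file with no private key, warns when the certificate name differs from the site name, and imports into the Local Computer Personal store. The file path, host name and function name are assumptions, and PowerShell 2.0 or later is assumed on the nodes.

```powershell
# Added example: values below are placeholders (assumptions), not from the thread.
$PfxPath  = 'C:\temp\site.pfx'     # file copied over from the old server
$HostName = 'www.example.com'      # the website name the cert was issued for

function Import-SiteCertificate {
    param(
        [string]$PfxPath,
        [System.Security.SecureString]$Password,
        [string]$HostName
    )
    # MachineKeySet + PersistKeySet store the key for the computer account so IIS
    # can use it. Exportable is left out on purpose: the key cannot be exported
    # again from this node. Add it only if you need to copy the cert onward.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $PfxPath, $Password, $flags

    # A certificate-only file has no key to import. Stop here rather than add a
    # certificate that IIS cannot use for HTTPS.
    if (-not $cert.HasPrivateKey) {
        throw "$PfxPath contains no private key; re-export from the old server as .pfx"
    }

    # The cert must be for the website name, not the server name.
    # Wildcard or multi-name certs will trigger this warning; review it by hand.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dns = $cert.GetNameInfo($nameType, $false)
    if ($dns -ne $HostName) {
        Write-Warning "Certificate name '$dns' does not match site name '$HostName'"
    }

    # Local Computer > Personal, the same store the MMC steps use.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }
    finally { $store.Close() }

    return $cert.Thumbprint
}

$pw    = Read-Host 'PFX password' -AsSecureString
$thumb = Import-SiteCertificate -PfxPath $PfxPath -Password $pw -HostName $HostName
"Imported on $env:COMPUTERNAME with thumbprint $thumb"   # compare across both nodes
Remove-Item $PfxPath   # do not leave the key file on disk after import
```

The thumbprint printed on each node should be identical; binding the certificate to the https entry is then done in IIS Manager as described in the thread.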