An SSL certificate can be moved from one Windows server to another by exporting a PFX file from the server where the certificate is already installed and importing it on the other server. Creating a PFX file is the only way to transfer the certificate with the corresponding private key from a Windows server. In addition to the certificate and the private key, a PFX file may also contain the intermediate certificates. Altogether, this makes PFX a unified, password-protected container for exchanging certificate information (public and private keys) in a single file.
Exporting a certificate from a Windows server can be done either in Microsoft Management Console (MMC) or via IIS Manager if the certificate was already installed.
Export using MMC
- Press Win+R, type in mmc and click OK to open Microsoft Management Console:
- Click File in the Menu Bar and then select Add/Remove Snap-in:
- Select Certificates from the Available snap-ins field and click Add:
- Choose Computer account:
- Select Local Computer to manage the snap-in.
Note: To see the certificates in the local computer store, you should be logged in as Administrator.
- Click OK to add the selected snap-in to the console window:
- Go to the Personal >> Certificates store, right-click on the certificate you want to export, and select All Tasks >> Export:
- When the Certificate Export Wizard opens, click Next to proceed:
- When prompted, select Yes, export the private key and press Next:
If the Yes, export the private key option is not clickable, this means that the private key for the certificate is not exportable or is absent from the machine, and you will not be able to export a PFX file.
This may happen when the CSR code was created on a different server and the private key is not present on the current machine, or if the imported certificate was initially uploaded without the private key. To solve the issue, you will need to generate a new CSR code with an exportable private key and reissue your certificate.
- In the Export File Format dialogue window, select Personal Information Exchange - PKCS #12 (.PFX) as the format you want to use. You may also check the Include all certificates in the certification path if possible option to place all intermediate certificates into the PFX file. Once done, click Next:
- Specify the password for the PFX file and click Next.
This password is very important: it protects the private key stored in the PFX file. Please remember it; it will be required when importing the PFX file on the new server.
- Specify the location and name of the file where PFX will be exported. Click Next:
- To complete the wizard, click the Finish button. The certificate along with the private key has been successfully exported to the PFX file:
Export using IIS
- Go to Start >> Administrative Tools >> Internet Information Services (IIS) Manager.
- Select the server on which the certificate is installed.
- Choose the Server Certificates option on the central menu:
- Right-click on the needed certificate and select Export.
Only the certificates associated with private keys are shown in the list of server certificates in IIS Manager.
- Specify the filename, location, and PFX export password and click OK:
A PFX file has now been exported and can be found in the specified location.
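The same export can be scripted. The following PowerShell is an added example, not part of the original guide; the thumbprint, the output path and the `$useAes256` switch are placeholders and assumptions to adjust for your server.

```powershell
# Added example: scripted equivalent of the Certificate Export Wizard steps.
# Run in an elevated PowerShell session on the source server.
$thumbprint = '<CERTIFICATE-THUMBPRINT>'   # placeholder: thumbprint of the certificate to export
$pfxPath    = 'C:\Temp\site-cert.pfx'      # placeholder output path
$useAes256  = $false   # assumption: enable only if the destination server can import AES-encrypted PFX files

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

# Same condition as the greyed-out "Yes, export the private key" option:
# without a private key on this machine there is nothing to put in a PFX.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key on this server."
}

# Prompt for the PFX password so it never lands in the script or shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

$exportArgs = @{
    Cert        = $cert
    FilePath    = $pfxPath
    Password    = $password
    ChainOption = 'BuildChain'   # "Include all certificates in the certification path if possible"
}
# Newer Windows versions can encrypt the PFX with AES-256 instead of 3DES.
# Older Windows releases cannot import such files, hence the explicit opt-in.
if ($useAes256 -and (Get-Command Export-PfxCertificate).Parameters.ContainsKey('CryptoAlgorithmOption')) {
    $exportArgs['CryptoAlgorithmOption'] = 'AES256_SHA256'
}

try {
    Export-PfxCertificate @exportArgs -ErrorAction Stop | Out-Null
}
catch {
    # Raised when the key exists but was created or imported as non-exportable.
    throw "Export failed (is the private key marked exportable?): $($_.Exception.Message)"
}

# The PFX holds the private key: limit the file to Administrators (S-1-5-32-544)
# and SYSTEM (S-1-5-18), and delete it once the import has been verified.
icacls $pfxPath /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
Get-Item $pfxPath | Select-Object FullName, Length, LastWriteTime
```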
Importing a certificate on a new server can also be performed by using either Microsoft Management Console or IIS Manager.
Import using MMC
- Add the Certificates (Local Computer) snap-in to MMC by following the steps described above.
- Once added, right-click on the Personal store >> All Tasks >> Import:
- The Certificate Import Wizard will be launched, press Next:
- Using the Browse button choose the .pfx file that you want to import to your server, press Next:
- Enter the PFX file password that was specified during the creation of the .pfx file.
You may select Mark this key as exportable so that you can export the certificate with the private key from this server later. Then click Next:
- In the next dialogue window, choose Automatically select the certificate store based on the type of certificate. This will allow MMC to place the certificates from the .pfx file in the corresponding folders if the file also contains intermediate certificates. Click Next:
- Click Finish. The certificate has been imported to the server and can now be assigned to the website:
Once the certificate is imported, please keep in mind that a binding to a secure port has to be created for the website to use it.
- To do this, select the Sites folder in the Connections panel on the left side of IIS Manager and click on the corresponding site. Then, in the Actions panel on the right side, select Bindings….
- Click Add... on the right side of the Site Bindings window.
- The next pop-up window will feature several fields that need to be modified:
  - Type - select "https" from the drop-down menu;
  - IP address - choose the specific IP address or "All Unassigned";
  - Port - specify the port number for a secure connection. The default port number is 443;
  - SSL certificate - select the corresponding certificate, identified by the previously specified Friendly name;
  - Require Server Name Indication - please make sure to select this option in order for the server to use the proper certificate for the specific domain name. Do not use the same SSL certificate for all the sites hosted on the server.
- Click OK to bind the certificate with the site. The new entry should appear in the Site Bindings window.
Note: Usually, there is no need to restart the server, so after the SSL certificate has been installed and the binding created, your site should become accessible via https:// in a browser.
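The import and binding steps above can also be scripted on the new server. This PowerShell is an added example, not part of the original guide; the PFX path, site name and host name are placeholders, and it assumes the WebAdministration module that ships with IIS.

```powershell
# Added example: import the PFX and create the SNI https binding on the new server.
# Run in an elevated PowerShell session.
Import-Module WebAdministration

$pfxPath  = 'C:\Temp\site-cert.pfx'   # placeholder: PFX copied from the old server
$siteName = 'Default Web Site'        # placeholder: IIS site name
$hostName = 'www.example.com'         # placeholder: domain covered by the certificate

$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into Local Computer > Personal. -Exportable is deliberately omitted,
# which corresponds to leaving "Mark this key as exportable" unchecked;
# add it only if this server must be able to produce a PFX later.
$imported = Import-PfxCertificate -FilePath $pfxPath -Password $password `
    -CertStoreLocation 'Cert:\LocalMachine\My' -ErrorAction Stop

# Pick the certificate that carries the private key (the site certificate).
$cert = @($imported) | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'The PFX did not contain a certificate with a private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Binding fields from the Add Site Binding dialog:
# Type https, IP "All Unassigned", port 443, Require Server Name Indication (SslFlags 1).
$bindingArgs = @{ Name = $siteName; Protocol = 'https'; Port = 443; HostHeader = $hostName }
if (-not (Get-WebBinding @bindingArgs)) {
    New-WebBinding @bindingArgs -IPAddress '*' -SslFlags 1
}

# Attach the imported certificate (from the Personal store, "My") to that binding.
$binding = Get-WebBinding @bindingArgs
$binding.AddSslCertificate($cert.Thumbprint, 'My')

Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, sslFlags, certificateHash

# Once the site answers over https, delete the transfer copy of the private key:
# Remove-Item -Path $pfxPath
```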
To check if the certificate has been successfully installed, you can use this tool.
Import PFX using IIS Manager
- Launch Internet Information Services Manager (Start >> Administrative Tools >> Internet Information Services (IIS) Manager), and choose the server the certificate should be imported to.
- Double-click Server Certificates in the central menu.
- Click the Import button in the right-hand menu:
- Locate the PFX file on your machine and specify the password that was used when exporting the certificate. Optionally, you may check Allow this certificate to be exported. Then, click OK:
Assigning a certificate to a website
Once the certificate has been imported by any of the methods described above, it will be shown in the list of server certificates in IIS Manager.
After that, please make sure to complete the binding of the certificate to a specific website.
You can find more information on how to bind the certificate to a website in IIS in this installation guide.