
Thursday, September 15, 2016

How to Create Private Key & CSR Using IIS server

Problem: Sometimes we get a CSR from the user to create the SSL certificate, but we don't have access to IIS to install the certificate back on that IIS server, and we need the SSL certificate in PFX\P12 format as well.



Resolution : 


Whenever you create a CSR (Certificate Signing Request), a private key is also created in the background. This private key is used to install the certificate back into IIS when you receive the certificate in .CER format for that CSR. The private key resides only on the server where the CSR was created and is never shared with anybody.

Suppose you don't have access to IIS to install the CER file and need a PFX certificate to install that SSL certificate on another server as well. In that case, the following steps need to be taken.


Backup Your Private Key


To backup a private key on Microsoft IIS 6.0\7.5\8.5  follow these instructions:
1. From your server, go to Start > Run and enter mmc in the text box. Click on the OK button.
2. From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in.
3. Click on the Add button. Select Certificates from the list of snap-ins and then click on the Add button.















4. Select the Computer account option. Click on the Next button.
5. Select the Local computer (the computer this console is running on) option. Click on the Finish button.
6. Click on the Close  button on the snap-in list window. Click on the OK button on the Add/Remove Snap-in window.
7. Click on Certificates in the left pane. Look for a folder called REQUEST or "Certificate Enrollment Request" > Certificates.















8. Select the private key that you wish to back up. Right-click on it and choose All Tasks > Export.
9. The Certificate Export Wizard will start; click Next to continue. In the next window, select "Yes, export the private key" and click Next.
10. Leave the default settings selected and click Next.
11. Set a password on the private key backup file and click Next.
12. Click on Browse, select a location where you want to save the private key backup file, and then click Next to continue. By default the file will be saved with a .pfx extension.
13. Click Finish to complete the export process.


Convert the Private Key from PFX to RSA Private Key Format (.Key File)



The private key is backed up as a ‘.pfx’ file, which stands for Personal Information Exchange.

To convert it to the RSA private key format supported by most servers\systems, follow these steps:
1. Download and install the latest version of OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html.

2. OpenSSL requires Visual C++ Redistributables which can be downloaded from 

3. First install the Visual C++ Redistributables and then the Win32OpenSSL package you downloaded from the link above.

4. Open a command prompt, navigate to C:\OpenSSL-Win32\bin, and run the following commands.

Set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg 

5. First we will convert the private key (which we backed up in .PFX format) to .PEM format using the following command.

openssl pkcs12 -in PrivateKeyFilename.pfx -nocerts -out key.pem

6. Now we will convert that .PEM file to the much-awaited .KEY file using the following command.

openssl rsa -in key.pem -out PrivateKeyFilename.key


Now you have both files (.CER & .KEY), which will be used to create the certificate in .PFX format; I will share that in my next blog post.
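
Before combining the two files, it is worth confirming that the .KEY really belongs to the .CER and restricting access to the key file, because `openssl rsa` writes it without a password. The PowerShell below is an added example, not part of the original post; it assumes openssl.exe is on PATH, and `Certificate.cer` and both function names are placeholders chosen for illustration.

```powershell
# Added example (not from the original post). Assumes openssl.exe is on PATH
# and that the .key file is unencrypted, as written by step 6.

function Get-PublicKeyPem {
    param([string[]]$OpenSslArgs)
    # Run openssl, keep stdout, discard stderr; return $null if it fails.
    $out = & openssl @OpenSslArgs 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    return ($out -join "`n").Trim()
}

function Test-KeyMatchesCertificate {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$CertPath
    )
    # Public key derived from the private key.
    $keyPub = Get-PublicKeyPem @('pkey', '-in', $KeyPath, '-pubout')
    if (-not $keyPub) { throw "Cannot read private key: $KeyPath" }

    # A .cer from a CA may be Base64 (PEM) or binary (DER); try both.
    $certPub = $null
    foreach ($form in 'PEM', 'DER') {
        $certPub = Get-PublicKeyPem @('x509', '-inform', $form, '-in', $CertPath, '-noout', '-pubkey')
        if ($certPub) { break }
    }
    if (-not $certPub) { throw "Cannot read certificate: $CertPath" }

    # -ceq: Base64 text must be compared case-sensitively.
    return $keyPub -ceq $certPub
}

$key  = 'PrivateKeyFilename.key'   # output of step 6
$cert = 'Certificate.cer'          # placeholder name for the CA-issued file

if (Test-KeyMatchesCertificate -KeyPath $key -CertPath $cert) {
    # The .key file is not password-protected: drop inherited permissions
    # and grant access to the current user only.
    icacls $key /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null
    Write-Output "Key matches certificate; access restricted to $env:USERNAME."
} else {
    Write-Warning "Key does NOT match: this .cer was issued for a different CSR."
}
```

The intermediate key.pem from step 5 stays protected by the PEM pass phrase you entered; only the final .KEY file is stored in the clear.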

Cheers!!!