Windows Server 2016 – Moving an SSL certificate from one server to another


There are multiple reasons why you may need to move or copy an SSL certificate from one web server to another. If you have purchased a wildcard certificate for your network, you are probably going to use that same certificate on a lot of different servers, as it can be used to validate multiple websites and DNS names. Even if you are using singularly named certificates, you may be turning on multiple web servers to host the same site, to be set up in some sort of load-balanced fashion. In this case, you will also need the same SSL certificate on each of the web servers, as they could all potentially be accepting traffic from clients.

When moving or copying a certificate from one server to another, there is definitely a right way and a wrong way to go about it. Let’s spend a little bit of time copying a certificate from one server to another so that you can become familiar with this task.

Getting ready

We have two Server 2016 boxes online in our environment. These are both destined to be web servers hosting the same website. IIS has been installed on both. The SSL certificate that we require has been installed on the primary server. We now need to export the certificate from there and import it successfully onto our second server.

How to do it…

Follow these steps to copy a certificate from one server to another:

  1. On your primary web server, launch Internet Information Services (IIS) Manager from the Tools menu of Server Manager.
  2. Click on the name of your server in the left-hand window pane.
  3. Double-click on the Server Certificates applet to view the certificates currently installed on this system.
  4. For our example, I am using a wildcard certificate that has been installed on this server. Right-click on the certificate and choose Export….
  5. Choose a location to store this exported file and enter a password that will be used to protect the file.
  6. Clicking OK will create a PFX file and place it onto your Desktop (or wherever you told it to save). Now copy this PFX file over to your secondary web server.
  7. Open up the IIS Management console on the second server and navigate to the same Server Certificates location.
  8. Right-click in the center pane and choose Import…. Alternatively, you could choose the Import… action from the right-hand window pane.
  9. Browse to the location of your certificate and input the password that you used to protect the PFX file.
  10. Before clicking OK, decide whether or not you want this certificate to be exportable from this secondary server. Sometimes this is desirable, if you expect to export the certificate again in the future. If you do not have a reason to do that, go ahead and uncheck this box. Unchecking Allow this certificate to be exported helps to limit the places where you have certificates floating around the network. The more exportable copies you have out there, the more chance you have of one getting out of your hands.
  11. Once you click OK, your certificate should now be installed and visible inside the IIS window.
  12. Double-click on the certificate and check over the properties to make sure everything looks correct. Make sure that you see the message across the bottom that says You have a private key that corresponds to this certificate. If that message is missing, something didn’t work properly during your export and the private key was not included in the certificate export. You will have to revisit the primary server and export again to make sure that the certificate on the secondary server does contain private key information, or it will not work properly.

How it works…

We used the IIS management console to export and import an SSL certificate, which is a straightforward task once you understand the process. The critical part is making sure that your export includes the private key information. If it does not, the second server holds the certificate but not the key that goes with it, and the certificate will not work properly for the website. Using IIS to accomplish this task is the best way to move certificates. You could also make use of the MMC snap-in for certificates, but it is a little more complicated. If you use that console, you will be asked whether or not you want to export the private key. The default option is set to No, do not export the private key. It is a common mistake to leave that setting in place and wonder later why the certificate doesn’t work properly on the other servers where you have installed it. You must make sure to select the option Yes, export the private key.
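The same export and import can be scripted with the built-in PKI cmdlets; the block below is an added example, not part of the original recipe, and its function names, the `*.example.test` demo certificate and the temp-file path are assumptions made for illustration. It checks for the private key on both sides and imports the key as non-exportable unless told otherwise.

```powershell
# Added example: function names, *.example.test and the PFX path are placeholders.
# Run elevated: Cert:\LocalMachine\My is the machine store that IIS lists.
$store = 'Cert:\LocalMachine\My'

function Export-WebCertificate {            # run on the primary server
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$Password)
    $cert = Get-Item -Path "$store\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this server; nothing useful to export."
    }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
}

function Import-WebCertificate {            # run on the secondary server
    param([string]$PfxPath, [securestring]$Password, [switch]$AllowExport)
    $params = @{ FilePath = $PfxPath; CertStoreLocation = $store; Password = $Password }
    # Without -Exportable the imported private key is marked non-exportable.
    if ($AllowExport) { $params.Exportable = $true }
    $cert = Import-PfxCertificate @params
    if (-not $cert.HasPrivateKey) {
        throw "Imported $($cert.Thumbprint) without a private key; export again from the primary server."
    }
    Remove-Item -Path $PfxPath              # do not leave the key file on disk
    $cert
}

# Constructed lab run on one machine: a throwaway self-signed wildcard certificate
# stands in for the real one, and deleting it from the store stands in for "server 2".
$pw   = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx  = Join-Path $env:TEMP 'wildcard-demo.pfx'
$demo = New-SelfSignedCertificate -DnsName '*.example.test' -CertStoreLocation $store
Export-WebCertificate -Thumbprint $demo.Thumbprint -PfxPath $pfx -Password $pw
Remove-Item -Path "$store\$($demo.Thumbprint)" -DeleteKey
$copy = Import-WebCertificate -PfxPath $pfx -Password $pw
'{0} HasPrivateKey={1}' -f $copy.Subject, $copy.HasPrivateKey
Remove-Item -Path "$store\$($copy.Thumbprint)" -DeleteKey   # clean up the demo certificate
```

On real servers, call `Export-WebCertificate` with the thumbprint of your own certificate on the primary server, copy the PFX across, and call `Import-WebCertificate` on the secondary one.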
