Windows Server 2019 – Exporting and importing certificates


I often find myself needing to use the same SSL certificate on multiple servers. This might happen in the case where I have more than one IIS server serving up the same website and I am using some form of load balancing to split the traffic between them. This need may also arise when working with any form of hardware load balancer, as you sometimes need to import certificates onto not only the web servers themselves, but into the load balancer box. Another example is when using wildcard certificates; when you purchase a wildcard, you typically intend to install it onto multiple servers.

Does this mean that I need to generate a new CSR from each server, and request a new copy of the same certificate multiple times? Definitely not, and in fact doing so could cause you other problems: when a public CA re-keys a certificate—in other words, if you have already requested a certificate with a particular name and then come back again later to request another copy of the same certificate—that CA may invalidate the first one as it issues the second copy. This is not always immediately apparent, as there is usually a timer set on the invalidation of the first certificate. If you revisit the CA’s web interface and request a new copy of the same certificate using a new CSR for your second web server, you might discover that everything works fine for a few days, but then suddenly the primary web server stops validating traffic because its SSL certificate has expired.

What should we do? When you need to reuse the same SSL certificate on multiple servers, you can simply export it from one and import it on the next. There is no need to contact the CA at all. This process is quite straightforward, and there are two common places where you can do it: inside either the MMC snap-in for certificates, or from within IIS itself. It is important to note, though, that the process is slightly different depending on which avenue you take, and you have to be especially aware of what is happening with the private key as you step through these wizards.

Exporting from MMC

Head back into your Local Computer certificate store in the MMC, and navigate to Personal | Certificates so that you can see your SSL certificate listed. Right-click on the certificate, and then navigate to All Tasks | Export…. When you walk through this export wizard, the important part that I wanted to mention happens right away in the wizard steps. The first choice you have to make is whether to export the private key. Again, the private key is the secret sauce that allows the certificate to interact properly with the server on which it is installed. If you export without the private key, that certificate will not work on another server. So it is important here that, if you are exporting this certificate with the intention of installing it onto a second web server and using it for validating SSL traffic, you select the top option for Yes, export the private key:

As the wizard sufficiently warns you, when you choose to export a certificate that contains the private key information, you are required to supply a password, which will be used to protect the exported PFX file. It is important to choose a good password. If you forget it, your exported file will be completely useless. If you input a password that is very simple or is easy to guess, anyone who gets their hands on this PFX file may be able to use your certificate and private key on their own web servers, which would not be good.
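The same two export choices, scripted, as an added example that is not part of the original article. It assumes an elevated Windows PowerShell session on the server that already holds the certificate, the PKI module's Export-PfxCertificate and Export-Certificate cmdlets (Windows Server 2012 and later), and a thumbprint and output folder that are placeholders for your own values. The password-protected PFX it writes is the same kind of file the IIS Server Certificates export produces; the .cer is the "do not export the private key" result.

```powershell
# Added example (not from the original article). Assumptions: elevated Windows PowerShell,
# PKI module present, $thumbprint and $exportDir are placeholders you replace.

$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder
$exportDir  = 'C:\CertExport'                  # placeholder
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Same store the article browses in MMC: Local Computer > Personal > Certificates
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint"

if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in this store; it cannot serve SSL on another server."
}

# Choice 1: "Yes, export the private key". The PFX carries certificate AND key, so it
# must be password protected. Read-Host -AsSecureString keeps the password out of history.
$pfxPassword = Read-Host -Prompt 'PFX password (protects the private key)' -AsSecureString
if ($pfxPassword.Length -lt 14) {
    throw 'Choose a longer password: anyone holding the PFX file only needs to guess it to use your key.'
}

$pfxPath = Join-Path $exportDir "$($cert.Thumbprint).pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# The PFX is as sensitive as the key itself: drop inherited permissions and leave
# only Administrators and SYSTEM able to read it while it sits on disk.
$acl = Get-Acl -Path $pfxPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pfxPath -AclObject $acl

# Choice 2: "No, do not export the private key". The .cer holds public data only and
# is useless for serving SSL on a second server; it needs no password.
$cerPath = Join-Path $exportDir "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

Get-Item -Path $pfxPath, $cerPath | Select-Object Name, Length, LastWriteTime
```

Export-PfxCertificate also accepts -ProtectTo with one or more domain accounts instead of -Password, which binds the file to those identities rather than to a shared secret; copy the PFX to the second server over an authenticated channel and delete it from both machines once the import has been verified.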

Exporting from IIS

Inside the Server Certificates applet for IIS, just right-click on the certificate and choose Export…. This launches a single-page wizard that simply asks you for a location and password:

We had many more options that we could have chosen or denied when we exported using MMC, so why is this so short? IIS makes assumptions for the rest of the settings in order to speed up the export process. When you are exporting an SSL certificate, the chances are that you also intend to export the private key. Therefore, IIS simply makes that assumption and bypasses the rest of the choices. You are forced to enter a password because you don’t have a choice about the private key; it will be included with the certificate export automatically. So, if you had some reason to export a certificate that did not contain the private key info, you could not utilize the IIS console for this task. You would need to open up MMC and walk through the more extensive wizard found there.

Importing into a second server

Whichever direction you take for accomplishing the export, once you have the fully-fleshed PFX file available, importing into your second server is very easy. From within either console, MMC or IIS, you can right-click and choose the Import action. Walking through the steps, you simply choose the PFX file and then input the password that you used to protect the file. The certificate then imports, and, if you open the properties, you will see that the little key icon and the private key message are displayed properly at the bottom of the certificate properties screen. If you do not see the "You have a private key" message, you did something incorrectly during the export process and you’ll need to try it again.

Go ahead and try it yourself; find a server with an SSL certificate and test exporting that cert with and without the private key. When you import into a new server, you will see that the certificate file imported without a private key does not show this message at the bottom of the properties page, while the exported file that does contain the private key results in the proper message there. To take it a step further, try utilizing both certificates on a non-important website and see what happens. You will find that the certificate that lacks the private key will fail to validate SSL traffic.
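The import step and the "you have a private key" check from the last two paragraphs, as an added example that is not part of the original article. It assumes an elevated Windows PowerShell session on the second server, that the PFX and .cer files from the export have been copied to the placeholder paths below, that the PKI module's Import-PfxCertificate cmdlet is available, and (for the optional binding at the end) a throwaway IIS site whose name is also a placeholder.

```powershell
# Added example (not from the original article). Assumptions: elevated Windows PowerShell
# on the second server; file paths and the IIS site name are placeholders.

$pfxPath = 'C:\CertImport\site.pfx'   # exported WITH the private key (placeholder)
$cerPath = 'C:\CertImport\site.cer'   # exported WITHOUT the private key (placeholder)
$store   = 'Cert:\LocalMachine\My'    # Local Computer > Personal, the store IIS reads

function Test-ServerCertificate {
    # Scripted version of looking for the key icon and private-key message in the
    # certificate properties: a cert is only usable for SSL if the key came with it.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$Source)
    [pscustomobject]@{
        Source        = $Source
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        UsableForSsl  = $Certificate.HasPrivateKey -and ($Certificate.NotAfter -gt (Get-Date))
    }
}

$pfxPassword = Read-Host -Prompt 'Password used when the PFX was exported' -AsSecureString

# Inspect both files BEFORE touching the store. Loading the .cer after the PFX into the
# same store would show the key too (same thumbprint, same store entry), which hides the
# difference the article wants you to see.
$fromCerFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$fromPfxFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)

$results = @(
    Test-ServerCertificate -Certificate $fromCerFile -Source 'site.cer (no key)'
    Test-ServerCertificate -Certificate $fromPfxFile -Source 'site.pfx (with key)'
)
$results | Format-Table -AutoSize

if (-not $fromPfxFile.HasPrivateKey) {
    throw 'The PFX does not contain a private key; redo the export and choose "Yes, export the private key".'
}

# Import the PFX into the store. -Exportable is the equivalent of the import wizard's
# "Mark this key as exportable" checkbox; without it the key is stored non-exportable and
# the private-key option will be greyed out if anyone tries to export it from here later.
$installed = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $store -Password $pfxPassword -Exportable
Test-ServerCertificate -Certificate $installed -Source 'store entry' | Format-Table -AutoSize

# Optional: bind it to a non-important test site on its own port to see it serve traffic.
$siteName = 'TestSite'   # placeholder
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    New-WebBinding -Name $siteName -Protocol https -Port 8443 -ErrorAction SilentlyContinue
    $binding = Get-WebBinding -Name $siteName -Protocol https
    $binding.AddSslCertificate($installed.Thumbprint, 'my')
}
```

Whether to pass -Exportable is a deliberate choice: leaving it off is the safer default for a production web server that will never be the source of another export, while the load-balancer and wildcard scenarios at the top of the article usually want at least one server to keep an exportable copy.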

If you attempt to export an SSL certificate and the option to include the private key is grayed out, this means when the original administrator installed this certificate to the web server, they chose a special option that blocks the ability for the private key to be exported in the future. In this case, you will not be able to export the certificate with the private key.
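A lab reproduction of the greyed-out case, as an added example that is not part of the original article. It assumes an elevated Windows PowerShell session on a test machine with New-SelfSignedCertificate (Windows Server 2016 and later syntax); the DNS name and output path are placeholders, the throwaway certificate is removed at the end, and the helper function name is my own. It creates a certificate whose key was installed non-exportable, reports the key's export policy, and shows that a private-key export of it fails.

```powershell
# Added example (not from the original article). Assumptions: elevated Windows PowerShell
# on a lab machine; 'lab.example.test' and the temp path are placeholders.

function Get-PrivateKeyExportPolicy {
    # Reads the policy that decides whether the export wizard offers the private key.
    # Keys held by a CNG provider expose it directly; "None" is the greyed-out case.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return 'NoPrivateKey' }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.ExportPolicy.ToString()
    }
    return 'LegacyCspKey (policy not exposed through this API)'
}

# Install a throwaway cert the same way an administrator who unticked "mark this key
# as exportable" would have: the key is created non-exportable from the start.
$lab = New-SelfSignedCertificate -DnsName 'lab.example.test' `
                                 -CertStoreLocation 'Cert:\LocalMachine\My' `
                                 -KeyExportPolicy NonExportable `
                                 -NotAfter (Get-Date).AddDays(1)
try {
    "Export policy of lab key: $(Get-PrivateKeyExportPolicy -Certificate $lab)"

    $pw = ConvertTo-SecureString -String 'LabOnly-Password-1' -AsPlainText -Force   # constructed lab value
    Export-PfxCertificate -Cert $lab -FilePath (Join-Path $env:TEMP 'lab.pfx') -Password $pw -ErrorAction Stop | Out-Null
    'Unexpected: the export succeeded, so this key was exportable after all.'
}
catch {
    "Export with private key refused, as the greyed-out wizard option implies: $($_.Exception.Message)"
}
finally {
    # Remove the lab certificate and its key so nothing is left in the machine store.
    Remove-Item -Path "Cert:\LocalMachine\My\$($lab.Thumbprint)" -DeleteKey
}
```

Run the helper against a real certificate to know in advance whether an export will work, instead of finding out in the wizard; if it reports a policy without AllowExport, the only supported route is to request a fresh certificate with an exportable key, keeping in mind the re-key behaviour of public CAs described at the start of the article.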
