You find yourself in the situation where you have a working HTTPS certificate on a Linux server, and you would like to run that same server certificate on Internet Information Services (IIS). Most of the documentation assumes you already have the .pfx file, or that you can simply export it from your IIS web server, which only wastes your time until you realize the real trick is how to move an HTTPS certificate from a non-IIS server to an IIS server. Here’s how.
Simplified HTTPS Certificates
A large impediment to understanding HTTPS certificates is the bewildering number of file names and extensions you will see mentioned, like .key, .pem, .cer, .crt, or whatever else creative authors dream up.
Forget all those file extensions: they don’t matter, they are NOT required, and there is no naming standard. Leaving file names and extensions behind, we can focus on the contents of those files.
- HTTPS certificates consist of at least two parts:
  - a private key
  - a public certificate
- Each part might be stored in a separate file
- Microsoft stores all the parts in a single file with a .pfx extension
- The private key MUST be contained within a .pfx file before it can be imported for use by IIS
Get the PFX File Parts
- .pfx files are not plain text; they contain the certificate parts in the PKCS#12 format, including the server private key you need
- Two sources of .pfx files:
  - export from an existing Windows certificate store
  - create it from the private and public parts
In our case, we do not have the private key in a Windows certificate store yet, so we will gather the certificate parts from a Linux server already set up with HTTPS for the domain(s) we want to set up on IIS.
Using your hosted domain’s control panel, navigate to the SSL/TLS options, and then follow the Export Private Key link. Upon export, text similar to the example below should appear. Including the BEGIN and END lines, this is your server’s HTTPS private key.
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBA+AK … many lines & characters … X7NAoupJK/aueY=
-----END RSA PRIVATE KEY-----
Save it as a plain text file on your local computer. As stated, the name and extension do not matter, but you will see it referenced in this article as private.key.
While in the SSL/TLS area, also export the public certificate, and, if included with this certificate, the certificate authority bundle (CAbundle). The bundle is just one more part of some certificates. Both the public certificate and bundle certificate will begin and end like this example.
-----BEGIN CERTIFICATE-----
MIIEogIBA+AK … many lines & characters … X7NAoupJK/aueY=
-----END CERTIFICATE-----
Save these parts into their own files. Name them whatever you like, with or without extension, but in this article they will be referred to as public.crt and CAbundle.crt.
Now you should have two or three HTTPS certificate parts in plain text files, which will be converted into the .pfx file required to enable TLS on one or more IIS sites.
Creating the PFX File
Online converters exist, but on the subject of security even they recommend using OpenSSL on your own server. This article assumes you either don’t have access to your Linux server’s console or command line, don’t want to learn how, or don’t trust a web converter with your server’s private key, so we will run OpenSSL on Windows instead.
OpenSSL was the consensus tool in 2020. More information and Windows binaries are listed at openssl.org; this exercise used the OpenSSL for Windows build offered by FireDaemon. Installation on Windows consisted of downloading the zip and unzipping it to C:\OpenSSL.
Once you have verified your OpenSSL installation by running the command ‘openssl version’, use the syntax below in a Run as Administrator command prompt to convert your part files into a .pfx file. In this case, use the extension .pfx to satisfy the Windows import.
In your one-line convert command, adjust the paths to openssl.exe and/or the certificate parts. One option is to move the part files into the same directory that contains the version of openssl.exe you intend to use.
Replace ‘YourPassword’ with your own. Keep it safe somewhere.
Remove the ‘-certfile CAbundle.crt’ option if you didn’t have the CAbundle part of the certificate.
openssl pkcs12 -export -out your.pfx -inkey private.key -in public.crt -certfile CAbundle.crt -name friendly.name -password pass:YourPassword
With your hard-earned .pfx file, you can copy/move the server private key to any number of IIS servers.
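As an added example (not the article’s own command line), the following bash script assumes openssl is on the PATH and wraps the same conversion in the checks worth running first: that private.key actually matches public.crt, that public.crt chains to CAbundle.crt, and that the finished .pfx opens with the given password. The CA and leaf certificate it generates are constructed test material standing in for the files exported from the Linux host.

```shell
#!/usr/bin/env bash
# Added example, not the article's own command line: the same "openssl pkcs12 -export"
# conversion wrapped in the checks worth running before the .pfx reaches IIS.
set -eo pipefail

# Returns 0 when the private key and the certificate carry the same public key
# (compares the DER SubjectPublicKeyInfo of both, so the PEM wrapper type is irrelevant).
key_matches_cert() {
  local key=$1 cert=$2 k c
  k=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# build_pfx KEY CERT BUNDLE NAME PASSWORD OUT   (pass "" for BUNDLE if you have none)
# Refuses a mismatched key/cert pair or a leaf that does not chain to the bundle, then
# re-opens the finished .pfx with the password to prove it is importable.
build_pfx() {
  local key=$1 cert=$2 bundle=$3 name=$4 pass=$5 out=$6
  local -a extra=()
  key_matches_cert "$key" "$cert" || { echo "private key does not match $cert" >&2; return 1; }
  if [ -n "$bundle" ]; then
    openssl verify -CAfile "$bundle" "$cert" >/dev/null || { echo "$cert does not chain to $bundle" >&2; return 1; }
    extra=(-certfile "$bundle")
  fi
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" ${extra[@]+"${extra[@]}"} \
    -name "$name" -password "pass:$pass"
  openssl pkcs12 -in "$out" -info -noout -password "pass:$pass" >/dev/null 2>&1
}

# Constructed test material standing in for the files exported from the Linux host:
# a throwaway CA (CAbundle.crt) and a leaf it signs (private.key / public.crt).
make_test_material() {
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" -days 2 \
    -keyout "$dir/ca.key" -out "$dir/CAbundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$dir/private.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/CAbundle.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -out "$dir/public.crt" 2>/dev/null
}

# demo DIR: generate the material and package it the way the article's command does.
demo() {
  make_test_material "$1"
  build_pfx "$1/private.key" "$1/public.crt" "$1/CAbundle.crt" friendly.name YourPassword "$1/your.pfx"
}
```

The same openssl invocations work from the Windows openssl.exe build described above. OpenSSL 3.x writes PKCS#12 files with AES-256 and SHA-256 by default, which older Windows releases cannot import; if the IIS import reports a wrong password, add -legacy to the export command.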
Import HTTPS Certificate on IIS
Using IIS Manager > Server > Server Certificates > Import
Input/browse to the .pfx file, provide the password.
The HTTPS certificate should immediately show in the list of certificates.
Bind https to IIS Site
Using IIS Manager > Server > Sites > Site > Edit Site.
Open the ‘Bindings…’ dialog, add/edit the site binding for https.
Leave host name empty if enabling https for multiple subdomains, as is the case for wildcard certificates.
Browse your site using https://your.site.com to confirm the HTTPS server private key is functioning. Take a break.