
How can I move certificates from 1 server to another

I'm using StartSSL which, after you prove who you say you are, provides a certificate which I can install to authenticate myself. I have some SSL certificates associated with this account.

I've bought a new server, and I need to move the certificates over, but I'm failing.

On my 'old W28k server', I went into Firefox, and viewed the certificates. I then exported them all, zipped them up and emailed them to my new W2012 server.

On my new server, I've registered with StartSSL and can authenticate, but now realise I have to use my old certificate.

When I open the certificate it shows I can install it, which I do, and the wizard gives the option to let it choose the best place to install it.

I've done this, but when I now go to StartSSL I can't get authenticated.

Have I installed the certificate incorrectly?

    • @EEAA, the certificate was exportable from the Certificates section in the browser. Is the private key in the same place or elsewhere?
    • The key is not exportable through the browser. Think about that: if it were, anyone could export your key and certificate and then impersonate your site. I'm not familiar enough with Windows to give you further guidance, but you'll likely need to use the IIS tools or another command-line tool to export the private key.
    • @MyDaftQuestions the confusion here arises from the lack of clarity in your question. Your title being "how can I move certificates from 1 server to another" would tend to suggest the more common task of moving SSL/TLS certificates from one (web?)server to another, but in your case you are moving a personal identification certificate (which arguably you wouldn't normally even use on a server to request new SSL/TLS certs anyway, but on your own machine for example).

You need to export the certificate as a whole - not just the certificate itself but also the private key, as pointed out by @EEAA in the comments below your question.

As per the MS documentation on TechNet:

  1. Open the Certificates snap-in for a user, computer, or service.
  2. In the console tree under the logical store that contains the certificate to export, click Certificates.
  3. In the details pane, click the certificate that you want to export.
  4. On the Action menu, point to All Tasks, and then click Export.
  5. In the Certificate Export Wizard, click Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
  6. Under Export File Format, do any of the following, and then click Next.
       • To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.
       • To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.
       • To export the certificate's extended properties, select the Export all extended properties check box.
  7. In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
  8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key. Click Next, and then click Finish.

You more or less need to reverse these steps on the new server to import the certificate and private key there.

EDIT: it's also worth noting, that since you mention in your question that you attempted exporting these personal identification certificates from Firefox, that you should identify whether or not you did indeed import the personal identification certificate to Firefox only or also to the system's certificate store (for use in IE and/or Chrome for example, whereas Firefox uses its own certificate store). Finally you might find it useful to use the StartSSL FAQ for such issues in future as a first-port-of-call. To back up the client certificate from Firefox, follow these steps from the StartSSL FAQ page:

Select "Preferences|Options" -> "Advanced" -> "Certificates" -> "View Certificates", choose the "Your Certificates" tab and locate your client certificate from the list. The certificate will be listed under StartCom. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.

  • 2
    • This is the problem, I have no back up option... Only export. Your details say go to Encryption tab, I don't have that, only a Certificates tab. I click View Certificates and find the StartCom in the list - my options are View, Edit Trust, Import, Export, Delete or Distrust! If I export, I am not prompted to provide a password. I also have half a dozen certs, I assume I need to do this with the Class 2 certificate (which is a Software Security Device)?
      • 1
    • It sounds like you're on the wrong tab - you need the 'Your Certificates' tab, which is the left-most tab in the certificate manager on the latest version of Firefox.
      • 2
    • I don't believe it. I was on the wrong tab. I'd seen in the instructions, I'd read the instruction, I just didn't follow them. Thanks for being so patient!
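
A scripted form of the export and import steps quoted in the answer above, as an added example that is not part of the original answer. It covers only the Windows certificate store (Firefox keeps its own store, as the answer notes); the function names are hypothetical and the thumbprint and file path are placeholders.

```powershell
# Added example (not from the original answer). Uses .NET classes only,
# so it does not depend on the newer PKI cmdlets.
$X509 = 'System.Security.Cryptography.X509Certificates'

function Export-CertWithKey {
    param([string]$Thumbprint, [string]$Path, [System.Security.SecureString]$Password)

    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate $Thumbprint in CurrentUser\My" }

    # A certificate without its private key cannot be used to authenticate.
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store' }

    # Export() throws a CryptographicException when the key is not marked exportable.
    $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $cert.Export($pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)   # use a full path
}

function Import-CertWithKey {
    param([string]$Path, [System.Security.SecureString]$Password)

    # PersistKeySet keeps the key after this process exits. The Exportable flag
    # is deliberately left out, so the key cannot be exported again from here.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    $cert = New-Object "$X509.X509Certificate2" ($Path, $Password, $flags)

    # Catches the failure in the question: a file that holds only the certificate.
    if (-not $cert.HasPrivateKey) { throw "$Path contains no private key" }

    $store = New-Object "$X509.X509Store" ('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint
}

# Usage (placeholders, left commented out):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-CertWithKey -Thumbprint '<THUMBPRINT>' -Path 'C:\temp\client.pfx' -Password $pw   # old server
#   Import-CertWithKey -Path 'C:\temp\client.pfx' -Password $pw                              # new server
```

Delete the PFX file from both machines once the import has been confirmed, as the StartSSL FAQ text quoted above advises for the Firefox backup.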

So, as far as I understand, you don't ask about importing/exporting SSL Certificates in general (e.g. the ones you use for IIS) but the client authentication certificate from StartSSL?

In that case, you have to re-import it into Firefox. To do this, go to Options --> Advanced --> Certificates --> View Certificates --> on the Tab "My Certificates" --> Import

You can then log in to StartSSL.

Hope this helps...

  • 1
    • In Firefox: Options --> Advanced --> Certificates --> View Certificates --> on the Tab "My Certificates" select the one you want to export --> Backup. In the save dialog window choose PKCS12 format, this should contain the private key.

You can export both the cert, and the key using this procedure: https://technet.microsoft.com/en-us/library/cc754329.aspx One thing to note however is "A private key is exportable only when it is specified in the certificate request"

If the key is exportable the cert export wizard will give you the option. If it's non-exportable there are a few tools (jailbreak for non-64 bit systems, and mimikatz) that say they can export non-exportable keys but I have no experience with them so I have no clue how well they work.

  • 0

This article is reproduced from Stack Exchange / Stack Overflow.