Export SSL Certificate Signed by Public Certificate Authority to New IIS 7.5 Server
In a previous post I discussed Installing a Certificate in IIS 7.5 From a Public Certificate Authority. In my example I used a certificate issued by StartCom’s Free SSL Certificate Authority. As an add-on, I will cover exporting this certificate to another IIS 7.5 server. Like many public CAs, StartCom uses a certificate chain with an intermediate CA certificate, as shown below.
StartCom Certification Authority
…….StartCom Class 1 Primary Intermediate Server CA
…………..Your StartCom Issued Certificate
When you create a certificate request for the CA on an IIS server and later complete that request, the intermediate cert is automatically added to the IIS server’s certificate store. However, if you export your certificate to a new IIS server, you must also import the intermediate cert on the new IIS server for the chain of trust to be maintained. This is best practice from a security perspective.
Some browsers, such as Internet Explorer, will go out to the internet and attempt to import the intermediate cert to your client if it is not available on the web server. Other browsers, such as Firefox, will not do this, so the intermediate cert needs to be available on your web server for the browser to be able to import it. If the intermediate is not available on the IIS server, Firefox will not treat your certificate as trusted.
Export and Import Web Site Certificate Through IIS
First let’s export our public CA issued certificate. IIS makes this very easy. Go to Start > Admin Tools > IIS Manager.
Click your server name in the left pane tree, then in the center scroll down and double click Server Certificates.
Highlight the certificate from the public CA (in my case StartCom). Note how it is issued by the StartCom Class 1 Primary Intermediate Server CA. In the right Actions pane click Export.
Enter a name and password. Make sure the certificate export file name has the “.pfx” extension. Click OK.
Now switch over to the new IIS server and go into IIS Manager.
Again highlight the server name on the left, scroll down and double click Server Certificates in the center.
In the right Actions pane click Import.
Enter the pathname and password used to encrypt the certificate file, then click OK.
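One way to check, on the new IIS server after the import above, whether the issuing intermediate is actually present in the machine's certificate stores. This PowerShell is an added example, not from the original post; the function name Test-LocalCertChain and the thumbprint placeholder are assumptions for illustration.

```powershell
# Added example, not from the original post. Reads only the local machine
# stores, so it shows what this server holds, not what a client could fetch.
function Test-LocalCertChain {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Thumbprints copied from the certificate dialog often contain spaces.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
    $current = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $current) { throw "No certificate $clean in LocalMachine\My" }
    if (-not $current.HasPrivateKey) {
        Write-Warning 'Imported certificate has no private key; it cannot serve HTTPS.'
    }

    # Walk upward until a self-signed root, a missing issuer, or a depth limit.
    for ($depth = 0; $depth -lt 8; $depth++) {
        if ($current.Subject -eq $current.Issuer) { break }

        $issuer = $null
        $foundIn = 'MISSING'
        # 'CA' is Intermediate Certification Authorities, 'Root' is Trusted Root.
        foreach ($store in 'CA', 'Root') {
            $issuer = Get-ChildItem "Cert:\LocalMachine\$store" |
                Where-Object { $_.Subject -eq $current.Issuer } |
                Select-Object -First 1
            if ($issuer) { $foundIn = $store; break }
        }

        New-Object PSObject -Property @{
            Subject       = $current.Subject
            Issuer        = $current.Issuer
            IssuerFoundIn = $foundIn
        }

        if (-not $issuer) { break }
        $current = $issuer
    }
}

# Placeholder thumbprint: replace with the value shown for the imported certificate.
Test-LocalCertChain -Thumbprint '<THUMBPRINT-OF-IMPORTED-CERT>' |
    Format-Table IssuerFoundIn, Subject -AutoSize
```

A row showing MISSING means the issuer of that certificate is not installed on this server. Matching is by subject and issuer name only; it does not verify signatures or revocation.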