Depending on your network you may have to move your SSL/TLS server certificate and its private key from one system to another. This article covers how to move your SSL certificate, its private key, and its intermediate CA from Apache to pfx also known as a pkcs#12 file. This will require a conversion using OpenSSL that is on the Apache System.
Apache systems are very customizable. The directory location and naming of the individual files needed vary depending on your personalized system. Below are generalized instructions.
We will start by assuming that you have already successfully installed the SSL certificate on the Apache web server.
To move your certificate keypair from Apache to PFX perform the following:
Step 1: Finding your SSL Certificate, its Private key, and Intermediate CA file on Apache:
- Referencing the httpd.conf or ssl.conf file on the Apache system look for the location and directories of the three files necessary on the Apache system that has the installed SSL certificate.
- SSLCertificateFile /usr/local/ssl/crt/public.crt
SSLCertificateFile tells Apache how to find the the SSL certificate file. - SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCertificateKeyFile tells Apache how to find the private key file.
- SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
SSLCertificateChainFile or SSLCACertificateFile tells Apache the location of the Intermediate file.
- SSLCertificateFile /usr/local/ssl/crt/public.crt
- Once you have found the location of these files you can either move them to a single location somewhere in your drive or leave them in their current location and specify their locations in the command line when converting.
- Convert the Apache certificate your sever certiifcate, its private key and chain intermediate files into a single PFX/PKCS#12 by performing the following OpenSSL command – change the file paths as appropriate if needed:
Note: In this example public.crt would be your SSL Server Certficiate, private.key would be your Private Key, intermediate.crt would be the intermediate ca chain file, and certificate.pfx would be your new converted pkcs12 ssl certificate file.openssl pkcs12 -export -in /path/to/public.crt -inkey /path/to/private.key -certfile /path/to/intermediate.crt -out certificate.pfx
Another Example:
opessl pkcs12 -export -out certificate.pfx -inkey private.key -in public.crt -certfile intermediate.crt
- The end result is that you will have a pfx file named certificate.pfx
Congrats you have converted your SSL certificate from Apache to a pfx/pkcs#12.
Note: That pfx files are used heavily in Microsoft environments. If you are having difficulties converting a Server Certificate from Apache to pfx or are having trust issues after conversion of the Apache environment to .pfx, you may want to consider generating the certificate keypair in the natural environment used by pfx files. Use a Microsoft IIS system > Generate the keypair /Generate CSR > perform a reissue or get a certificate from your CA > perform installation of server certificate > export certificate as pfx file from that IIS system.