
As part of a large site migration, I need to copy over numerous (about 50) SSL certificates for different sites.

I have tried to export them on the current server and then import them on the new server, with no success. I can get everything to load and work correctly, but if I run SSLDiag on the new server, I get the error "#WARNING: You DON'T have a private key that corresponds to this certificate".

I can't find any way to import the key along with the certificate. Do I need to renew each certificate, and if so, is this something that would cost money?

Edit: these servers do not have the connectivity required to use the "copy or move cert" option in the SSL wizards.

Edit2: By renewing the cert, does it invalidate the one on the old server?

2 Answers


if I run SSLDiag on the new server, I get the error "#WARNING: You DON'T have a private key that corresponds to this certificate". [...] I can't find any way to import the key along with the certificate.

I do not know the specifics of IIS, but yes, you positively need both the (public) TLS (SSL) certificate and the (private) key. If the server does not have the private key, it cannot use the corresponding certificate; that's just how TLS works. There has to be a way to export both, you'll have to dig in the manuals :-).

Do I need to renew each certificate, and if so, is this something that would cost money?

No, certificate renewal has nothing to do with moving servers. You can just copy the public and private certs/keys. Of course, the TLS certificate is tied to a specific domain name, so if the domain name changes, you need a new cert (not just a renewal).

By renewing the cert, does it invalidate the one on the old server?

What do you mean by "invalidate"? A TLS certificate cannot be invalidated; it can only be revoked by the issuing authority. That is something they could do if you renew, but I've never heard of any issuer that actually does this. So you can continue using the old cert even after a renewal.

sleske

Just follow these instructions to export the certificate with the private key to a .pfx file and import it on the other server: http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html

If the option to export the private key isn't available, you'll need to find the original server where the certificate was created or just create a new CSR on the new server and reissue the certificate (or buy a new one).

Robert
  • It is possible to export the private key even if the certificate is marked as non-exportable. – Dscoduc Jan 21 '10 at 07:02
  • You make a good point, but the fundamental principle isn't really new: software crypto stores are not considered safe, and there are a couple of techniques that can be used to get at the keys. After all, with software-only crypto the OS has to deliver the key to some process at some stage, and so can an admin with a bit of work. Good hardware crypto never lets keys that are marked private leave the hardware crypto module. If I was doing this, though, I'd want to have the source code myself; I would not trust any such app unless I could inspect it in detail. – Helvick Feb 20 '10 at 10:50
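The bulk export/import that Robert's answer links to, written out as an added PowerShell example (not code from either answer or from the linked page). It assumes a Windows Server with the PKI module (Export-PfxCertificate / Import-PfxCertificate, Windows Server 2012 or later), an elevated session, and a placeholder output directory; it also reproduces SSLDiag's private-key check on the target so the migration can be verified for all 50 sites at once.

```powershell
# Added example, not from the original answers. Exports every certificate that has a
# private key from the machine's Personal store to a password-protected .pfx, imports
# the files on the new server, and then checks that each certificate still carries
# its private key (the condition SSLDiag warned about).
# Assumptions: PKI module available (Server 2012+), elevated session, placeholder paths.

$ExportDir = 'C:\certmigration'                      # placeholder output directory
$Password  = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# --- On the OLD server: export certificate + private key to .pfx ---
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
foreach ($cert in $certs) {
    $file = Join-Path $ExportDir ("{0}.pfx" -f $cert.Thumbprint)
    try {
        # Fails when the key was generated as non-exportable; those certificates
        # must instead be reissued from a new CSR generated on the new server.
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password `
            -ChainOption BuildChain -ErrorAction Stop | Out-Null
        Write-Host "exported $($cert.Subject) -> $file"
    } catch {
        Write-Warning "cannot export private key for $($cert.Subject) ($($cert.Thumbprint)): $_"
    }
}

# --- On the NEW server (after copying $ExportDir over a secure channel): import ---
Get-ChildItem -Path $ExportDir -Filter *.pfx | ForEach-Object {
    Import-PfxCertificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\My `
        -Password $Password | Out-Null
}

# --- Verification: the same check SSLDiag performs, for every certificate ---
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Where-Object { -not $_.HasPrivateKey } |
    ForEach-Object { Write-Warning "no private key for $($_.Subject) ($($_.Thumbprint))" }
```

The .pfx files contain the private keys, so delete them from both servers and any transfer medium once the verification step reports nothing.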