33

I want to install the '.crt' certificate I received from a certificate provider to my IIS 7.5 server. I have tried many times to install the .crt file by clicking on the 'certificates', and it states that it is installed correctly. So I open IIS, select "my server", open "server certificate" which is available on the menu on the right side, click "complete certificate request", select the .crt certificate on my computer and click ok. However, when I refresh IIS the certificate disappears automatically.

Our hosting provider mentions that I need to use a '.pfx' file which I do not have.

Peter Pan
mayur Rathod

3 Answers

54

I have solved this issue by converting this .crt file into a .pfx file using the following method.

To convert .crt to .pfx, we need the CSA certificate (Private Key) provided by the hosting provider. Below are the steps to convert it:

  • Download and install the OpenSSL software from the link below, based on your system type: https://slproweb.com/products/Win32OpenSSL.html

  • Run the following command at the command prompt:
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

    OR

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.txt -in certificate.crt -certfile CACert.crt

Here:

Certificate.crt = Your-domain-Name.crt
CACert.crt = NetworkSolutions_CA.crt
certificate.pfx is the new name of generated file.
PrivateKey can be in .key or .txt format

After completing this process we now have the certificate.pfx file, so go to IIS Server Certificates in IIS Manager.

There is an Import link button on the right side; click on it, select the converted certificate, enter the password that was entered when the .pfx file was created, and complete the process.

Now select your site in IIS, right-click on it and select "Edit Binding". In the new popup window, select https:// as the type, set "Hosting name" to your domain name, leave all other fields as they are, and click OK to complete the process.

Now restart IIS and your certificate is working fine with your site.

mayur Rathod
  • While the links are no longer resolving, searching for OpenSSL portable should send you the right way - or visit the wiki: https://wiki.openssl.org/index.php/Binaries and grab the binaries without dependencies. I had to do this to generate .pfx files for Azure Service Apps (if anyone else ran into this). – Jonathan M. Aug 17 '19 at 18:12
  • 1
    I'd like to add that when using `openssl pkcs12`, using the `name` option (as in `openssl pkcs12 -export -name "My cert" [otherparams]`) is very useful. That way your custom name will show up in the "name" column in the certificate list in IIS Manager. – Ismael Padilla Feb 07 '20 at 12:25
  • Azure will not accept a certificate unless it is encrypted with DES, resulting in the error message "The password is incorrect, or the certificate is not valid." By default, the latest version of OpenSSL now defaults to AES-256-CBC encryption. Adding the parameters `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES` will correct this problem. You may also want to include your CA's intermediate certificates with the `-certfile` parameter (i.e. `-certfile DigiCertCA.crt`) – Terence Golla May 27 '22 at 03:17
  • +1; although somewhat ironic that the command line openssl tool is not signed. Nonetheless, this answer worked for me. :) – Ji Wei Dec 23 '22 at 23:31
  • After I used this command, IIS did not accept the imported pfx file for the site. It gave an error when selecting the certificate in the binding: "Logon session denied...". I removed the `-certfile` attribute and re-ran the command, then it was successful. – Farid Imranov Aug 16 '23 at 07:47
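
A pre-flight and post-import check for the conversion described in the answer above, added here as an example and not part of the original answer or its comments. It assumes `openssl.exe` is on PATH, that the files carry the names used in the answer and sit in the current directory, and that the import went into the Personal store.

```powershell
# Added example. File names follow the answer; openssl.exe is assumed to be on PATH.
$crt = (Resolve-Path .\certificate.crt).Path
$key = (Resolve-Path .\privateKey.key).Path

function Get-PublicKeyHash {
    param([string[]]$OpenSslArgs)
    # Ask openssl for the public key in PEM form and hash it for comparison.
    $pem = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    $bytes = [Text.Encoding]::ASCII.GetBytes(($pem -join "`n"))
    $sha = [Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($bytes)) } finally { $sha.Dispose() }
}

# 1. Before exporting: the certificate and the private key must share one public key.
$certKeyHash = Get-PublicKeyHash @('x509', '-in', $crt, '-noout', '-pubkey')
$privKeyHash = Get-PublicKeyHash @('pkey', '-in', $key, '-pubout')
if ($certKeyHash -ne $privKeyHash) {
    throw 'privateKey.key does not belong to certificate.crt; the .pfx would be unusable.'
}

# 2. After "openssl pkcs12 -export ...": the .pfx must carry that certificate and a key.
$pfxPath  = (Resolve-Path .\certificate.pfx).Path
$password = Read-Host -AsSecureString 'Password set during the pkcs12 export'
$type     = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$fromPfx  = New-Object $type -ArgumentList $pfxPath, $password
$fromCrt  = New-Object $type -ArgumentList $crt
if (-not $fromPfx.HasPrivateKey) { throw 'certificate.pfx contains no private key.' }
if ($fromPfx.Thumbprint -ne $fromCrt.Thumbprint) {
    throw 'certificate.pfx holds a different certificate than certificate.crt.'
}

# 3. After the import in IIS Manager: the store entry must report HasPrivateKey = True.
#    Assumption: the import used the default Personal store (Cert:\LocalMachine\My).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $fromCrt.Thumbprint } |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
```

The .pfx and the .key file both contain the private key, so keep the working copies off shared locations and delete them once step 3 shows the imported entry.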
2

Small update to the super-useful answer above:

The OpenSSL versions have been updated, so the links no longer work. Here's the full download page from which to download any version: https://slproweb.com/products/Win32OpenSSL.html

I used Win64OpenSSL_Light-1_1_0j.exe for my Windows 10 IIS installation. Worked perfectly.

Installed into default location C:\OpenSSL-Win64\

For sslforfree.com's cert files, here's the command line for your convenience, run from the folder containing the three files provided by sslforfree.com:

C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt

Karlossus
0

You don't need OpenSSL on a Windows machine; you can also use the built-in certutil.

Make sure the .crt and key file have the same name and the key file has extension .key (rename them if necessary). Then open a command prompt, go to the folder where the .crt and .key files reside and type the following:

certutil -mergepfx MySite.cert MySite.pfx

(assuming the original name of the .crt file was MySite.cert)

This generates a .pfx file that you can then install on the server.

(Make sure you make a note of the password you are asked to set in the process, as you will need this again when you install the pfx certificate later)

wecky