Frequently asked questions

How do I generate a CSR in IIS when I already have a certificate on my website?
To do this, first you must understand that IIS stores all the certificates for all of your websites in one central location, and 'removing' them from a website does not delete the certificate but simply un-assigns it from that site. Thus, we can create a blank 'dummy' website and request and install the certificate there, then re-assign this new certificate to your current running website.

  • Open the IIS control panel, and create a new, empty website. There does not need to be any content on this site, nor does it need to be live or active.
  • Generate a CSR on this website - instructions are available on the Support section of this site.
  • Submit the CSR to us normally.
  • Once you receive the certificate, install it as per the instructions onto this 'blank' website.
  • Right-click on your main website (the one you actually required the certificate for). Choose 'Properties', and click the 'Directory Security' tab. Click the 'Server Certificate' button.
  • One of the options will be 'Assign an existing certificate'. Choose this, and you will be presented with a list of certificates - including the newly-installed one. Select this, and complete the wizard.
  • Your site will seamlessly change over to use the new certificate.
  • The 'blank' website can now be removed.
How do I export a certificate from Microsoft IIS?
  • Click 'Start', choose 'Run'. Type 'mmc', press 'OK'.
  • In the MMC console, click the 'File' menu, and choose 'Add/Remove Snap-In'.
  • Click the 'Add' button, then select 'Certificates' from the list and click 'Add'.
  • From the next menu, select 'Computer account'. Click 'Next', select 'Local computer' then click 'Finish'. Click 'Close' then 'OK'. You will be back at the main MMC console.
  • Expand the tree 'Certificates (Local Computer)' and click the 'Personal' sub-folder.
  • Locate the certificate you wish to export. Right-click the certificate, choose 'All Tasks' > 'Export'. A wizard will begin.
  • Click 'Next'. Choose 'Yes, export the private key'. Click 'Next'. Note: if this option is unavailable, the key cannot be exported. You will need to generate a new request and install a new certificate before it can be exported.
  • Select 'Personal Information Exchange - PKCS #12 (.PFX)'. Make sure the only checked box is 'Include all certificates in the certification path if possible'. Click 'Next'.
  • Enter a password twice. This is the password to protect the file and is needed to import the certificate later. Click 'Next'.
  • Choose a location and filename for the exported file. Click 'Next'.
  • Click 'Finish'. The wizard will complete and export the certificate and key to the location specified.
How do I move a certificate (and key) from IIS to Apache?
Firstly, you'll need to export the certificate and key from IIS, following the directions in this FAQ above. Secondly, you'll need to copy the PFX file to the Apache server. You will need the open-source OpenSSL tool installed (commonly by default on *nix platforms, and available freely for Windows). In the same directory as the PFX file you copied, use the following command, replacing the filename of your PFX file where needed:

  •      openssl pkcs12 -in -out pfxoutput.txt -nodes


Now you will have a single text file(named 'pfxoutput.txt) containing the private key and certificates. Open it and copy from the '-----BEGIN RSA PRIVATE KEY-----' line to the '-----END RSA PRIVATE KEY-----' line into another file - mykey.key. The rest of the file can be copied into mycert.crt. The two files can then be used in Apache.
How do I move a certificate (and key) from Apache to IIS?
Make sure the Apache server has the open-source OpenSSL tool available.

  • Execute the following OpenSSL command, substituting the locations of your files as needed:
  •      openssl pkcs12 -in -out pfxoutput.txt -nodes
  • Follow the instructions below for 'How do I restore a certificate (in PFX format) to IIS?' to import the .PFX file into IIS.
How do I backup a certificate from IIS?
Simply follow the instructions above for 'How do I export a certificate from Microsoft IIS?'. This will create a .PFX file. This is the backup of the certificate and private key and should be kept safe and restored as needed.
How do I restore a certificate (in PFX format) to IIS?
  • Copy the PFX file onto the server you wish to restore the certificate to.
  • Open an MMC instance (Start > Run > type 'mmc', press Enter).
  • In the MMC, go to File > Add/Remove Snap-In. In the dialog that shows, choose the 'Certificates' snap-in. OK all the dialogs. Be sure to add the snap-in for the 'local computer' and for the 'Computer' account - not the 'Current User' account!.
  • In the left hand pane, expand the folder called 'Personal' and right-click on the sub-folder called 'Certificates'. From the menu, choose All Tasks > Import.
  • The Certificate Import wizard will begin. Leave options at default, and when requested, choose the PFX file. The wizard will complete successfully and the certificate and key are imported from the PFX file.
  • Close the MMC. Open the IIS manager program.

    • For IIS 7.x and above:
    • Select the site you wish to move the certificate to.
    • On the right-hand side under 'Edit Site' click 'Bindings'. Locate the 'https' binding and click 'Edit'.
    • In the 'SSL Certificate' drop-down menu, choose the newly-imported certificate.
    • Confirm or close all the dialogs and the new certificate will be in place. IIS may need to be restarted for it to take effect.

      For IIS 6.x and below:
    • Right-click the site you wish to move the certificate to and select 'Properties'.
    • Click the 'Directory Security' tab. Click the 'Server Certificate' button
    • From the wizard that begins, choose 'Assign an existing certificate'. Select the newly-imported certificate and complete the wizard.
    • Confirm or close all the dialogs and the new certificate will be in place. IIS may need to be restarted for it to take effect.