Manipulating exported pkcs12 bundles

Let’s say you install an SSL certificate on a Windows server and later need to move it elsewhere. Maybe you simply need to move the site to a new server, or it could be that it’s a wildcard certificate which will be used on many systems. At any rate, getting the certificate itself is simple, but it won’t work elsewhere without the private key. Getting that requires first exporting it, and then splitting the export so you have separate files for the certificate and the key.

Here is the process using the openssl toolkit at the command line.

1. Export the certificate from the Windows server in pkcs12 format. You’ll need to remember the import password you use when prompted during this process. You’ll end up with a .pfx file containing both the certificate and private key.

2. Extract the private key from the exported pfx file.

openssl pkcs12 -in <exported-file.pfx> -nocerts -out privatekey.pem

You’ll be prompted to supply the passwords. The password is what you used during the certificate export in step 1. The passphrase is what was used when the original certificate request was made.

Enter Import password:
<some password>

Enter PEM Passphrase:
<some password>

3. Extract the certificate from the .pfx file.

openssl pkcs12 -in <exported-file.pfx> -clcerts -nokeys -out certificate.cer

Doing all this in the first place implies that this material needs to get put on non-Windows systems. If you plan on using this with apache and need httpd to start automatically, you don’t want to be prompted to type in the passphrase.

4. Remove the passphrase from the private key.

openssl rsa -in privatekey.pem -out privatekeyfile.key
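Steps 2 to 4 as one non-interactive script, followed by a check that the extracted key really belongs to the certificate before the pair is copied anywhere. This is an added example, not part of the original post: the function names split_pfx and keys_match, the output file names, and the throwaway PEM passphrase are assumptions. The -passin option answers the "Enter Import Password" prompt; -passout answers the "Enter PEM pass phrase" prompt, which is the passphrase openssl uses to encrypt the key it writes in step 2 and which step 4 strips again.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-4 without prompts,
# plus a sanity check that key and certificate belong together.
set -eu

# split_pfx <bundle.pfx> <import-password> <output-dir>
# Writes certificate.cer and privatekey.key (unencrypted, mode 0600) into
# <output-dir>. The encrypted intermediate privatekey.pem is deleted.
split_pfx() {
    pfx=$1; import_pw=$2; outdir=$3
    mkdir -p "$outdir"

    # Step 2: private key only. The PEM passphrase is a throwaway value
    # (assumed name) because step 4 removes it anyway.
    openssl pkcs12 -in "$pfx" -nocerts -out "$outdir/privatekey.pem" \
        -passin "pass:$import_pw" -passout "pass:tmp-passphrase"

    # Step 3: the client certificate only, no key.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$outdir/certificate.cer" \
        -passin "pass:$import_pw"

    # Step 4: write the unencrypted key for httpd. Once the passphrase is
    # gone the file permissions are the only protection, so create it
    # with a 077 umask (owner read/write only) in a subshell.
    ( umask 077
      openssl rsa -in "$outdir/privatekey.pem" -out "$outdir/privatekey.key" \
          -passin "pass:tmp-passphrase" )
    rm -f "$outdir/privatekey.pem"
}

# keys_match <certificate.cer> <privatekey.key>
# Exit 0 when the certificate's public key equals the public key derived
# from the private key, i.e. the two files form a usable pair.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (paths and password are placeholders):
#   split_pfx exported-file.pfx 'import password' ./out
#   keys_match ./out/certificate.cer ./out/privatekey.key && echo "pair OK"
```

On OpenSSL 3.x, a .pfx written by older Windows versions may be encrypted with ciphers that the default provider no longer enables; if the pkcs12 commands fail with an "unsupported" error, add the -legacy option to them. The resulting privatekey.key should stay readable only by root or the account that starts httpd.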

That’s it except for copying the files and installing them on the other systems.
