1. Converting .CRT to .PFX file format with the OpenSSL tool on GNU / Linux to import in Windows (for example, IIS)
Assume you have already generated a certificate request with the openssl Linux command, you have been issued the .CRT SSL certificate file, and you need to have the new .CRT SSL certificate installed on a Windows Server (let's say Windows 2012) with IIS Webserver version 8.5. You will need a way to convert the .CRT file to .PFX. There are plenty of ways to do that, including an online Web site SSL certificate converter, a stand-alone program on the Windows server, or even a simple perl / python / ruby script. The best approach, however, is to convert the new .CRT file to the IIS-supported binary certificate format .PFX on the same Linux host where you first generated the certificate request .KEY (the private key file used with a third-party certificate issuer such as Godaddy or Hostgator to receive the .CRT / PEM file).
Here is how to generate the .PFX file based on the .CRT file for an internal SSL certificate:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
At the password prompt that appears, enter a password (any password will do), because otherwise the later IIS Webserver certificate import will not work.
To export the SSL certificate together with its certificate chain, for a site that is to be accessed from the internet:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx -certfile "internet v2.crt"
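An added example (not from the original post): a shell wrapper around the export above that first confirms server.key belongs to server.crt, refuses an empty password, and afterwards reopens the .pfx to confirm it holds the same certificate. The function names, the PFX_PASS variable and the throwaway self-signed pair are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: checks around the pkcs12 export. PFX_PASS (an assumed
# variable name) must be exported and non-empty.

# Succeeds only if the private key in $2 belongs to the certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# export_pfx CERT KEY OUT: refuses an empty password or a mismatched pair.
export_pfx() {
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is empty" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    # The .pfx holds the private key, so create it readable by the owner only.
    (umask 077 && openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout env:PFX_PASS)
}

# Prints the SHA-256 fingerprint of the leaf certificate inside the .pfx;
# fails if the password is wrong or the file is damaged.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Constructed sample input: a throwaway self-signed pair, not a real certificate.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Runs the whole sequence on the sample pair in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    export PFX_PASS='constructed-sample-password'
    make_sample_pair "$dir" &&
        export_pfx "$dir/server.crt" "$dir/server.key" "$dir/server.pfx" &&
        [ "$(pfx_fingerprint "$dir/server.pfx")" = "$(cert_fingerprint "$dir/server.crt")" ]
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "server.pfx verified against server.crt"
```

Passing the password through the environment keeps it out of the process list and shell history, which a pass: argument on the command line would not.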
2. Import the PFX file in Windows
Run: mmc, add the snap-in: Certificates, Computer account, Local Computer; then in
Certificates (Local Computer) > Personal > Certificates: select All Tasks > Import File
Enter the previously chosen password.
You should then get the message "Import was successful."
You can also import the PFX file by simply copying it to the server where you want it imported and double-clicking it; this will open the Windows import wizard.
Then in IIS select:
Site, Properties, Directory Security, Server Certificate, Replace the current certificate, select the proper certificate. Done.
Alternatively, to complete the IIS Webserver certificate import in one step when a new certificate is to be imported:
In the IIS Manager interface go to:
Site, Properties, Directory Security, Server Certificate, Server Certificate Wizard
Import a certificate from a .pfx file, select the file and enter the password.
3. Import the PFX file into a Java keystore
If the IIS Webserver uses a backend Java Virtual Machine on the same or a different Windows server, you might also need to import the newly generated .PFX file into the Java VM keystore.
To import with the keytool command for Java 1.6, type:
keytool -importkeystore -deststorepass your_pass_here -destkeypass changeit -destkeystore keystore.jks -srckeystore server.pfx -srcstoretype PKCS12 -srcstorepass 1234 -srcalias 1 -destalias xyz
The .CRT file can also be imported directly into the Java keystore.
Import a .crt into a Java keystore:
/usr/java/jre/bin/keytool -import -keystore /webdienste/java/jdk/jre/lib/security/cacerts -file certificate.crt -alias "Some alias"
4. Get a list of Windows locally installed certificates
To manage installed certificates on Windows 7 / 8 / 2012 Server OS, run the command via
Start -> Run
Another way to see the installed certificates on your Windows server is to check within
Go to Tools (Alt+X) → Internet Options → Content → Certificates.
To get a complete list of the installed certificate chain on Windows you can use PowerShell:
Get-ChildItem -Recurse Cert:
That's all folks ! 🙂