Security is an important topic for anything hosted online, and SSL (Secure Sockets Layer) is key when you have information that needs to be transferred securely between a client browser and a web server. In the Windows Cloud VPS hosting world, this means managing the SSL settings within Microsoft Internet Information Services (IIS), the standard Microsoft web service that is included with Windows Server.
Everyone has heard the expression: when given lemons, make lemonade. In the IIS world, .crt and .key files are the equivalent of lemons, since they cannot be used in their current form to install an SSL certificate. This post will show you how to turn those files into lemonade or, more appropriately and usefully, a .pfx file.
As IIS Administrators we find ourselves from time to time (well, in all honesty, pretty much yearly) having to support the renewal and implementation of SSL certificates. In a perfect world, this would be a seamless process. We, the administrators, would create and provide the certificate signing request (CSR) to the responsible purchasing party. The certificate would be purchased and we would be provided the certificate response file from the Certificate Authority (CA) for completing the certificate request and installing the certificate.
This is not the way that things always happen. Sometimes we are provided text blobs of the certificate that look like this:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+MWFUhHn7RnDA
TBDa/YEtz7yJSaQHJu0OvcfkLe67Dk3XmJlvlIR1ZSAi3VHEe0tZCbGLUH+QpMfZ
/+CZ/jOqy/T2br0N1+Nz8pXTK2pyWCoWyEuTA1F/KimtJyuBglCXctrxWR4U/Bvg=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQAv9+bZ/eqYYHETW+Sh9SHzANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQG
EwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYD
Wtw75qW8mqQXZfa+e7gaVwaQ70uuEuXXmxG6I00=
-----END CERTIFICATE-----
Disclaimer: These are not actual certificate or key blobs but are provided as examples only.
Or we may even be provided with the actual files, which are identified by the extensions .crt and .key. Neither of these can simply be completed within IIS and installed. There is a way to use these files to create a personal information exchange file (.pfx), which can then be imported into IIS. This walkthrough will provide the information necessary to combine the .crt and .key files into a usable .pfx file for IIS.
To complete this process, you will need to use OpenSSL. There are multiple places from which you can download OpenSSL for a Windows server. I personally use Cygwin for all of my open source utilities. You can install utilities such as grep, curl, tail, and of course, OpenSSL within this utility for use on any Windows cloud server.
Cygwin creates a home directory structure in the installation path. For ease of use, we will copy the .crt and .key files into the user's home directory on the file system. On my system, this path is C:\apps\cygwin64\home\Terri. After running Cygwin64 Terminal, we are able to list the directory to see the two files that we will be working with.
The command to be run is (replacing domain.name with your filenames):
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
When you run the command, you will be prompted to enter an export password. This secures the file, since the private key is now part of the .pfx file. Once you have entered the export password twice, the .pfx file is created, as you can see when you list the directory again.
This .pfx file can now be imported into IIS for use with the appropriate website.
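When the .key and .crt arrive from different people, it is worth confirming they belong together before exporting, and confirming the resulting .pfx opens with the export password before handing it to IIS. The script below is an added example, not part of the original post; the function names and the optional `PFX_PASS` environment variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and PFX_PASS are
# assumptions. If PFX_PASS is not exported, openssl prompts for the password.

# Succeeds only when the private key and the certificate hold the same public key.
key_matches_cert() (
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 2          # unreadable key
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 2   # unreadable cert
    [ -n "$k" ] && [ "$k" = "$c" ]
)

# Build the .pfx only after the pair has been checked.
make_pfx() (
    key=$1 crt=$2 out=$3
    if ! key_matches_cert "$key" "$crt"; then
        echo "error: $key does not match $crt (or a file is unreadable)" >&2
        exit 1
    fi
    umask 077   # the .pfx contains the private key: create it owner-only
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
        ${PFX_PASS+-passout env:PFX_PASS}
)

# Confirm the .pfx opens with the export password (verifies the MAC, prints no keys).
pfx_ok() (
    openssl pkcs12 -in "$1" -noout ${PFX_PASS+-passin env:PFX_PASS}
)

# Usage: sh make_pfx.sh domain.name.key domain.name.crt domain.name.pfx
if [ "$#" -eq 3 ]; then
    make_pfx "$1" "$2" "$3" && pfx_ok "$3" && echo "created and verified $3"
fi
```

Once the .pfx has been imported into IIS, remove the working copies of the .key and .pfx files from the Cygwin home directory, since both contain the private key.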