Categories: LinuxSSLWindows

Export SSL certificates from Windows to Linux

Export SSL Certificate from a Windows environment to Linux

Have you ever generated your SSL CSR (certificate signing request) request on a Windows box and needed to install it on Linux afterwards?

To convert certificates from Linux to Windows click here.

First, you have to get the certificate and private key out of Windows,preferably in a PFX (PKCS #12) format.

  1. Click Start, Run, then type “mmc” and hit enter.
  2. In the leftmost menu, choose “Add/Remove Snap In”.
  3. Click “Add”, then click “Certificates”, then OK.
  4. When the wizard starts, choose “Computer Account”, “Local Computer” and finish out the wizard.
  5. Once you’re finished, get back to the MMC and expand the “Certificates” node, then the “Personal” node.
  6. Click on the “Certificates” node under “Personal” and find your certificate in the right pane.
  7. Right click on the certificate and choose “All Tasks”, then “Export”.
  8. When the wizard starts, choose “Yes” for exporting the private key, then select ONLY “Strong Private Key Protection” from the PFX section. You will also need to set a password and specify a location for the PFX file.
  9. Once the PFX file has been saved, close out the MMC (don’t save the snap-in if it asks).
  10. Get the PFX over to the Linux server somehow.


DID YOU KNOW?: “pem”, “cer”, and “crt” are all the same certificate formats called x509. The only difference is cosmetic via different extensions. A full certificate chain = public certificate + intermediate certificate + root certificate contained in a single file.

Once the PFX makes it over to the Linux server, you have to decrypt the PFX into a plaintext PEM file (PFX’s are binary files, and can’t be viewed in a text editor):

openssl pkcs12 -in certificate.pfx -out temp.pem

You will be asked for the password for the PFX (which is the one you set in the Windows wizard). Once you enter that, you will be asked for a new password. This new password is used to encrypt the private key. You cannot proceed until you enter a password that is 4 characters or longer. REMEMBER this password!

When this step is complete, you should have a PEM file that you can read in a text editor. Open the file in a text editor and copy the private key and certificate to different files (private.key certificate.crt respectively). Remember to keep the dashed lines intact when you copy the certificates – this is important. There is some additional text above the key, and also between the key and certificate – this text should be ignored and should not be included in the certificate and key files.

Now that you have the key and certificate separated, you need to decrypt the private key (or face the wrath of webserver software every time you start it). You can decrypt the private key like this:

openssl rsa -in private.key -out private.key

Provide the same file name twice and it will decrypt the key onto itself, keeping everything in one file. OpenSSL will ask for a password to decrypt the key, and this is the password you set when you decrypted the PFX. If you forgot the password, you will need to start over from when you brought it over from the Windows machine.

After this process, you should have four files, a PFX, PEM, KEY, and CRT. Store away the PFX and PEM, and you will use the key and certificate files to install into Apache or whatever software you’re configuring to use SSL.


SSLEngine On
SSLCertificateFile /path/to/your/certificate.crt
SSLCertificateKeyFile /path/to/your/private.key


ssl on;
ssl_certificate_key /path/to/private.key;
ssl_certificate /path/to/certificate.crt;
Disqus Comments Loading...

Recent Posts

Bittorrent IP Blocklists

In addition to using a VPN service, as an extra precaution I've been using the blocklist feature of my bittorrent… Read More

October 26, 2019 3:31 pm

FreeNAS Error Creating Pool

command '('gpart', 'create', '-s', 'gpt', '/dev/da8')' returned non-zero exit status 1. If you get this error while trying to create… Read More

June 7, 2019 3:44 pm

Change Grub Default Boot Entry on Linux Mint

I'm dual booting Windows and Linux Mint on my laptop. The grub default is to boot into Linux Mint, however… Read More

April 23, 2019 7:45 pm

How to Reset Secure Channel On Active Directory Domain Controller

When you're a little too careless about virtualizing your domain controllers, cloning, migrating, backing up and restoring, returning from vacation… Read More

April 21, 2019 8:14 am

Run Systemd Script Before System Shutdown

I tried to retain the NGINX FastCGI cache and have it persist across system reboots instead of being ephemeral by… Read More

April 20, 2019 10:14 am

Learn Systemctl Usage to Manage Systemd Service in Linux

Systemd is new service manager for Linux. It's a replacement for all previous init systems (SysV/SysVinit & Ubuntu's Upstart) and… Read More

April 20, 2019 7:55 am