Website certificate import and Email certificate import

1. Exporting Windows certificate

Move or copy an SSL certificate from a Windows server to an Nginx server.

If you have multiple servers that need to use the same SSL certificate, such as in a load-balancer environment or when using wildcard or UC SSL certificates, you can export the certificate from the Windows certificate store to a .pfx file, convert that file to individual certificate and private key files, and use them on an Nginx server. This may also be necessary when you switch hosting companies. This article goes through the exact process with step-by-step instructions. If necessary, you can copy the SSL certificate from an Nginx server to a Windows server instead.

We will assume that you have already successfully installed the SSL certificate on the Windows web server. You will follow these steps to move or copy that working certificate to the Nginx server:

  • Export the SSL certificate from the Windows server with the private key and any intermediate certificates into a .pfx file.

  • Convert the .pfx file to individual certificates and private keys.

  • Import the SSL certificates and private key on the new server.

  • Configure your Nginx web sites to use the certificate.

The following screenshots are from a Windows Server 2008 machine but the instructions will also work for older (Windows Server 2003) and newer versions (Windows Server 2016).

Export the certificate from the Windows MMC console

Note: These instructions will have you export the certificate using the MMC console. If you have Windows Server 2008 or higher (IIS7 or higher) you can also import and export certificates directly in the Server Certificates section in IIS.

A. Click on the Start menu and open the Run window. Type in mmc and click OK.

B. Click on the File menu and click Add/Remove Snap-in...

C. If you are using Windows Server 2003, click on the Add button. Double-click on Certificates.

D. Click on Computer Account and click Next.

E. Leave Local Computer selected and click Finish.

F. If you are using Windows Server 2003, click the Close button. Click OK.

G. Click the plus sign next to Certificates in the left pane.

H. Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export...

I. In the Certificate Export Wizard click Next.

J. Choose Yes, export the private key and click Next.

K. Click the checkbox next to Include all certificates in the certification path if possible and click Next.

L. Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.

M. Click Browse and find a location to save the .pfx file to. Type in a name such as mydomain.pfx and then click Next.

N. Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.

2. Convert Windows certificate to Linux certificate

Convert the .pfx file using OpenSSL

After you have exported the certificate from the Windows server you will need to extract all the individual certificates and private key from the .pfx file using OpenSSL (instead of using OpenSSL, you can use the SSL Converter to convert the .pfx file to a .pem file and then follow step 3).

1. Copy the .pfx file to the server or another computer that has OpenSSL installed.

2. Run this OpenSSL command to create a text file with the contents of the .pfx file:

openssl pkcs12 -in mydomain.pfx -out mydomain.txt -nodes

3. Open the mydomain.txt file that the command created in a text editor. Copy each certificate/private key to its own text file, including the "-----BEGIN RSA PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" headers. Save them with names such as mydomain.key, mydomain.crt, intermediateCA.crt, etc.
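The copy-and-paste in step 3 can be scripted. The following is an added example, not part of the original article: it extracts the key, server certificate and intermediates with `openssl pkcs12` filters, builds a single chain file for Nginx, and checks that the key matches the certificate. The `PFX_PASS` variable, the function names and the `.fullchain.crt` file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. File names follow the page;
# the PFX_PASS variable and the function names are assumptions.

# Succeeds only if the private key ($2) belongs to the certificate ($1):
# both must yield the same public key.
key_matches_cert() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# pfx_to_nginx <file.pfx> <output-dir> <basename>
# The import password is read from the PFX_PASS environment variable, so it
# does not appear on any command line.
pfx_to_nginx() (
    pfx=$1; out=$2; name=$3
    umask 077                       # everything written below is owner-only
    mkdir -p "$out" || exit 1
    # Private key only, unencrypted on disk (what -nodes does on the page).
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
        | openssl pkey -out "$out/$name.key" || exit 1
    # Server certificate only; x509 drops the "Bag Attributes" text lines.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
        | openssl x509 -out "$out/$name.crt" || exit 1
    # Intermediate certificates, if the export included the certification path.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out/intermediateCA.crt" || exit 1
    # Nginx presents only what ssl_certificate points at: leaf first, then
    # the intermediates, in one file.
    cat "$out/$name.crt" "$out/intermediateCA.crt" \
        > "$out/$name.fullchain.crt" || exit 1
    # Final status: fail if the extracted key and certificate do not pair up.
    key_matches_cert "$out/$name.crt" "$out/$name.key"
)
```

Call it as `PFX_PASS=... pfx_to_nginx mydomain.pfx ./out mydomain`, point `ssl_certificate` at the resulting chain file, and run `nginx -t` before restarting the service.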

3. Assign SSL certificate to Linux webserver

Assigning the SSL certificate to a website

After you have converted the .pfx file, you will need to copy the newly created files to the Nginx server and edit your Nginx configuration file to use them. Just follow our Nginx SSL Installation instructions to do this.

Nginx SSL Installation instructions:

A. Edit the nginx configuration file using the following command:

nano /etc/nginx/sites-enabled/custom

A sample of the file is:

server {
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive
    listen               443 ssl;
    # the two lines below are the ones to change in step B
    ssl_certificate      /etc/ssl/certs/myssl.crt;
    ssl_certificate_key  /etc/ssl/private/myssl.key;
    root  /var/opt/cyberquest/reports/app/webroot;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

B. To use the newly exported certificate, replace the paths of the default certificate and key:

    ssl_certificate      /etc/ssl/certs/mydomain.crt;
    ssl_certificate_key  /etc/ssl/private/mydomain.key;

C. Save the configuration file.

D. Restart the Nginx service using the following command:

systemctl restart nginx.service

While there are several steps in the process, moving an SSL certificate from one Windows server to an Nginx server is quite simple. It involves exporting a working SSL certificate from the MMC console to a .pfx file which contains the certificates and private key and then converting that file to separate files. You can then copy the files to the Nginx server and install the certificate like normal. If you need to move your SSL certificate to or from a different type of server, select the server type on our main SSL Certificate Import/Export Page.

4. Assign SSL certificate to Linux mail server

4.1. Import a certificate from a pfx file e.g. exported from a Windows server

root@me:~# openssl pkcs12 -in ExportWithPrivate.pfx -clcerts -nokeys -out mydomain.crt

IMPORTANT - These files are to be kept SECRET.

root@me:~# openssl pkcs12 -in ExportWithPrivate.pfx -out servername.pem
root@me:~# openssl rsa -in servername.pem -out exim.key

Now concatenate the certificates:

root@me:~# cat mydomain.crt /etc/ssl/certs/ca-certificates.crt > exim.crt

Copy the files exim.key and exim.crt to the following path: /etc/exim

IMPORTANT: Backup the files to a secure location and delete the remaining files.

4.2. Update Exim configuration files

For split-file configuration (Debian only), edit the file /etc/exim4/conf.d/main/03_exim4-config_tlsoptions and uncomment the following lines:

 #log_selector = +tls_cipher +tls_peerdn
 #tls_advertise_hosts = *
 #tls_certificate = CONFDIR/exim.crt
 #tls_privatekey = CONFDIR/exim.key 

Then, activate the exim4 changes by:


Change the file security so that only exim can read them (if you are running as exim):

root@myserver:~# chmod 600 exim.*
root@myserver:~# chown exim exim.*

In either case you need to restart exim:

systemctl restart exim4.service