Certificates are an important part of a modern environment: they make communication safer by enabling encrypted traffic between the client and the server. A safe way to move certificates between servers, or to store them, is to export the certificate (private and public key) to an encrypted format. A commonly used format is “pfx” (Personal Information Exchange, also known as PKCS#12). A pfx file can contain one or more certificates and is encrypted with a password; without the correct password the pfx is useless. You commonly see a pfx containing a (web) server certificate, one or more intermediate certificate(s) and a root certificate.
A Windows machine has two certificate stores:
- Machine store: can be accessed by opening “certlm.msc”
- User store: can be accessed by opening “certmgr.msc”
For this example we open the machine store, which is where my private and public key are located.
Click on the start menu, or press Windows key + R, and run “certlm.msc”.
Next, open the folders “Personal” and “Certificates”.
NOTE: Make sure the certificate has a matching private key! You can easily verify this by looking at the icon in front of the certificate: if a key symbol is visible in the upper-left corner of the certificate icon, a matching private key is present.
Select the certificate you want to export, right-click it and choose “All Tasks” > “Export...” to start the Certificate Export Wizard.
In the “Welcome to the Certificate Export Wizard” window, click “Next“.
Make sure “Yes, export the private key” is selected before you click “Next”.
NOTE: This option may be greyed out so that you cannot select it. This means that the private key cannot be exported: the private key must have been marked as exportable when the certificate was created or imported. Without that option you cannot export the private key and continue this procedure.
By default the options “Include all certificates in the certification path if possible” (this includes the intermediate certificates and the root certificate, if present) and “Enable certificate privacy” (if enabled, all certificates in the file are encrypted; if disabled, only the private key is encrypted) are selected. You can leave them on if you want to move the certificate from one Windows server to another. But if you want to use the exported pfx file on a NetScaler, I like to disable these options. Additionally, I select the option “Export all extended properties”.
Make sure the checkbox before “Password” is ticked and enter a secure password before clicking “Next”.
Enter a path and name where you want to store the pfx file. I like to use the “Common Name” as the name for the certificate and append the date (formatted as “_MMYYYY”) or the year (formatted as “_YYYY”) at the end. This way I can easily see when certificates have expired and clean up those files.
Click “Finish” on the final wizard page to finalize the export.
When all goes well you are presented with a “The export was successful” dialog box.
You can now safely transfer or store your certificate!
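The same export can be scripted, which is handy for more than one server. The PowerShell below is an added example (not from the original post) that mirrors the wizard choices above and then verifies the result; it assumes you know the certificate's thumbprint (placeholder below) and uses the Common Name + _MMYYYY naming convention.

```powershell
# Added example: scripted equivalent of the certlm.msc export above, plus a check of the result.
# Assumptions: the certificate is selected by thumbprint (placeholder), output goes to a local folder.
$Thumbprint = '<THUMBPRINT-OF-YOUR-CERT>'   # placeholder, replace with the real value
$OutDir     = 'C:\Certs'

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

# Same check the post makes via the key icon: without a private key there is nothing to export.
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no matching private key in the machine store."
}

# Naming convention from the post: Common Name plus _MMYYYY suffix.
# Wildcard names contain '*', which is not a valid file name character, so sanitise first.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
foreach ($bad in [IO.Path]::GetInvalidFileNameChars()) { $cn = $cn.Replace($bad, '_') }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pfxPath = Join-Path $OutDir ("{0}_{1}.pfx" -f $cn, (Get-Date -Format 'MMyyyy'))

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Wizard options mapped to parameters (NetScaler-style export from the post):
#   "Include all certificates in the certification path" unticked -> -ChainOption EndEntityCertOnly
#   "Export all extended properties" ticked                       -> default (do not pass -NoProperties)
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
        -ChainOption EndEntityCertOnly -NoClobber -ErrorAction Stop | Out-Null
} catch {
    # A key that was not marked exportable fails here, the same case as the greyed-out wizard option.
    throw "Export failed (private key probably non-exportable): $($_.Exception.Message)"
}

# Verify: the file opens with the password and holds exactly the certificate we selected.
$pfx = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
    throw "Exported PFX does not contain the expected certificate."
}
"Exported {0} to {1} ({2} additional chain certificate(s))" -f $cn, $pfxPath, $pfx.OtherCertificates.Count
```

To keep the chain for a Windows-to-Windows move, drop `-ChainOption EndEntityCertOnly` (the default builds the chain); the wizard's “Enable certificate privacy” toggle has no parameter in this example.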