When you use Internet Information Services (IIS) 5.0, you may want to back up your server certificate(s). Windows 2000 makes this process easy using the new Certificates snap-in.
Create an MMC Snap-in for Managing Certificates
In order to perform the backup, you must first create a new MMC and add the Certificates snap-in. You can also add the snap-in to another MMC as long as it is opened in Author mode.
Use the following steps to create a new MMC and add the Certificates snap-in:
- Click Start , and then click Run.
- Type in "MMC.EXE" (without the quotation marks) and click OK.
- Click Console in the new MMC you created, and then click Add/Remove Snap-in.
- In the new window that appears, click Add.
- Highlight Certificates , and then click Add.
- Choose the Computer account option and click Next.
- Select Local Computer on the next screen, and then click OK.
- Click Close , and then click OK.
You have now added the Certificates snap-in, which will allow you to work with any certificates in your computer's certificate store. You may want to save this MMC for later use.
Export a Certificate and Public Key
Now that you have added the Certificates snap-in, you can export the key pair that your Web server is using (the certificate and public key). To do this, perform the following steps:
- Open the Certificates (Local Computer) snap-in you added in the last section, navigate to Personal, and then to Certificates.
- You will see your Web server certificate denoted by the CN (Common Name) found in the Subject field of the certificate (using Internet Explorer 5.0, you can easily view the certificate to see the Common Name if you are unsure).
- Right-click on the server certificate, select All Tasks, and then click Export.
- When the wizard starts, click Next. Choose to export the private key, and then click Next. NOTE: If you export the certificate for use on an IIS Web server, do not select Require Strong Encryption. This option causes a password prompt every time an application attempts to access the private key, and causes IIS to fail.
- The file format you will want to choose is the Personal Information Exchange (though you can select from several options). This will create a PFX file. Notice that you can export any certificates in the certification path by selecting the option on this screen. This is very handy if your certificate was issued by a non-trusted certificate authority (for example, Microsoft Certificate Server). Only choose delete the private key if the export is successful to be sure it is not left on the
computer (for example if your migrating from one server to another).NOTE: If you do not select "Include all certificates in the certificate path if possible" and the issuer of the certificate is not trusted by your server, then you may notice that when the properties of the certificate are viewed, the "This certificate is issued to:" field may display "Windows does not have enough information about this certificate". This is by design and can be resolved by selecting "Include all certificates in the certificate path" while exporting the certificate.
- Click Next, and then choose a password to protect the PFX file. You will need to enter the same password twice to ensure that the password is typed correctly. When you have completed this step, click Next.
- Choose the file name you want to save this as. Do not include an extension in your file name; the wizard will automatically add the PFX extension for you.
- Click Next, and then read the summary. Pay special attention to where the file is being saved to. If you are sure the information is correct, choose Finish.
You now have a PFX file containing you server certificate and its corresponding private key. Be sure to protect this file! You may want to move it to a floppy disk and store it somewhere safe from outside disturbance. Keep in mind, if you run a backup on the server, this file may be saved in that backup if it is still on the server.
For additional information about troubleshooting SSL certificates, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Troubleshooting "invalid password" error using SSL certificates
Invalid SSL certificates may be bypassed in Internet Explorer
Windows may not be able to handle SSL certificates that contain odd-sized keys
For additional information about SSL certificates, click the following article number to view the article in the Microsoft Knowledge Base:
Importing a key backup file to use in Internet Information Services 5.0
For additional information about importing backed-up certificates, click the following article number to view the article in the Microsoft Knowledge Base:
How to import a server certificate for use in Internet Information Services 5.0
Article ID: 232136 - Last Review: November 21, 2006 - Revision: 2.1
- Microsoft Internet Information Services 5.0
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.