Making MS-Windows2000's IIS Certificate Manager Recognise an OpenSSL-Generated Certificate


From: "Nick Murtagh" <nickm@go2.ie>
To: Irish LUG list <ilug@linux.ie>
Subject: Re: [ILUG] ssl certs
Date: Wed Dec 17 11:26:46 GMT 2003

Colm Buckley wrote:

> I was never able to successfully import OpenSSL-generated keypairs into
> W2k's cert manager. I always had to make the request using Windows,
> then sign it using OpenSSL.

I've just tested the following and it Works For Me(TM) :)

openssl pkcs12 -export -in server.crt -inkey server.key.unsecure -out server.pfx -name "My Lovely Cert"

server.crt is the signed cert from the CA.

server.key.unsecure is the *unencrypted* private key.

You will be asked for a password, set this if you want.

In Windows, fire up "mmc", add the certificates thingy, set it to manage the local computer. Go to personal certificates folder, import server.pfx, enter password if you gave it one earlier.

In IIS, get it to let you choose from currently installed certs. You should now be able to choose the one you just installed.

At this point, everything should be working, at least as well as IIS ever works.
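
The export step from the message above, as an added example that is not part of the original post: it checks that server.crt and the private key belong together before bundling, refuses an empty export password (the PFX password is the only protection the key has once bundled), and re-opens the PFX to confirm it parses. The function names, the PFX_PASS variable and the demo certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; pubkey_of_cert, pubkey_of_key, make_pfx and demo are hypothetical names.

pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# make_pfx CERT KEY OUT NAME   (export password is read from $PFX_PASS)
make_pfx() {
    cert=$1 key=$2 out=$3 name=$4
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS must be set and non-empty" >&2; return 2; }
    export PFX_PASS
    # A cert/key mismatch is the usual reason an imported cert is unusable.
    c=$(pubkey_of_cert "$cert") || return 3
    k=$(pubkey_of_key "$key") || return 3
    if [ "$c" != "$k" ]; then
        echo "certificate and private key do not match" >&2
        return 4
    fi
    # umask 077 keeps the bundle (it contains the private key) owner-readable only.
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
          -name "$name" -passout env:PFX_PASS ) || return 5
    # Re-open the bundle with the same password to confirm it parses.
    openssl pkcs12 -in "$out" -passin env:PFX_PASS -nokeys >/dev/null 2>&1 || return 6
}

# Constructed demo: a throwaway self-signed cert and key, not real material.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed.example" \
        -keyout "$d/server.key.unsecure" -out "$d/server.crt" 2>/dev/null || return 1
    PFX_PASS='constructed-passphrase'
    rc=0
    make_pfx "$d/server.crt" "$d/server.key.unsecure" "$d/server.pfx" "My Lovely Cert" || rc=$?
    rm -rf "$d"   # removes the unencrypted key along with the rest
    return "$rc"
}
```

OpenSSL 3.x encrypts PKCS#12 files with newer algorithms by default; if an older Windows import wizard rejects the file, `openssl pkcs12 -export` accepts `-legacy` to write the older format.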