Back up your SSL certificate: Apache (OpenSSL)

We recommended you backup your certificate and its corresponding private key in the event that there is a hardware failure or other disaster affecting your Server, the following instructions will show you how. These instructions will also help you export your certificate from one web server and import the certificate and its private key to another web server.

Export the Private Key and SSL Certificate from Apache as a PKCS12

The assumption is that you have TWO files: the PrivateKey and the Certificate. You would COMBINE both private key and certificate into a single file using the OpenSSL command:

openssl pkcs12 -in a.crt -inkey a.key -export -out a.pfx


  • a.crt = certificate
  • a.key = private key
  • a.pfx = resulting PFX file (containing BOTH the key and cert)

a.pfx is a single file that contains both your private key and certificate file.

Import the PKCS12 into Windows IIS

To import the PFX file into the IIS server:

Step 1 of 8

Click Start, then Run, then type mmc.

Step 2 of 8

In the MMC click File, then Add / Remove Snap In.

Step 3 of 8

Click Add in the dialog box that opens.

Step 4 of 8

On the Console, expand the Certificates container, then right click Personal.

Step 5 of 8

Select All Tasks, then Import.

Step 6 of 8

Point the File Browse at the PFX file and complete the wizard.

Step 7 of 8

In IIS, go to your site and select Properties, then Directory Security.

Step 8 of 8

Click Server Certificate and then Assign an Existing Certificate, select the correct certificate from the available certificates.

Exporting from Apache Server

Step 1 of 2

Locate the directory that your certificate and key file are currently stored (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/).

Step 2 of 2

Copy the domainname.key and domainname.crt files to removable storage media, or to a network drive.

Importing to Apache Server

Step 1 of 3

Copy the domainname.key and domainname.crt to the Apache server directory in which you plan to store your certificates (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/).

Step 2 of 3

Open the Apache httpd.conf file in a text editor. Locate the SSL associated with your certificate. Verify that you have the following 2 directives within this virtual host. Please add them if they are not present:

  • SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt
  • SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key

Please note: Some instances of Apache will store information in a httpd-ssl.conf file. If your httpd.conf contains no information then you will need to locate and amend the httpd-ssl.conf as above.

Step 3 of 3

Save the changes and exit the editor then start or Restart your Apache web server.

Importing a PFX into Apache with OpenSSL - Part One

Step 1 of 7

Move your PFX file into your OpenSSL/Bin directory.

Step 2 of 7

Open OpenSSL in the command line.

Step 3 of 7

Type in the following command to transform the your PFX file into a PEM file:

pkcs12 -in yourdomain.pfx -out yourdomain.pem

(The private key will be encrypted, you can remove this by using the following -nodes command as used below)

pkcs12 -nodes -in yourdomain.pfx -out yourdomain.pem

Step 4 of 7

Go to your OpenSSL/Bin directory and locate the yourdomain.pem file and open it in a text editor (Notepad).

Step 5 of 7

This PEM file contains your Private Key, your SSL certificate, your Intermediate certificate, your Cross certificate and your Root certificate in that order. Each of these certificates must be copied and pasted into their own file.

Step 6 of 7

Locate the Private Key, which includes and is defined by the text:


…. certificate contents ….


Copy the Private Key, open a new text editor, paste the Private Key into the text editor and Save as ‘yourdomain.key’.

Step 7 of 7

Locate the SSL certificate, which includes:


…. certificate contents ….


Copy the SSL certificate, open a new text editor, paste the SSL certificate into the text editor and Save as ‘yourdomain.crt’.

If you are a Domain SSL, Organisation SSL or Extended (EV) SSL certificate customer, copy the certificates from the box, open a new text editor in your OpenSSL/Bin directory and paste the certificates you have just copied into the text editor and Save as ‘certificates.cabundle’.

Part 2

Step 1 of 4

When you have made the changes detailed in PART 1, you will then need to assign the correct directives to your Config file. You may find these in your httpd.conf file or in the ssl.conf file.

Open your httpd.conf file and search for the section for the site for which the SSL certificate will secure (If you cannot locate the section in your httpd.conf file, open your httpd-ssl.conf file and search for the section).

Step 2 of 4

Your section will need to contain the following directives:

SSLCertificateChainFile – this will need to point to the certificates.cabundle, so after the directive name enter the path and file name and remove the &hash; from the beginning of the line.

SSLCertificateFile – this will need to point to yourdomain.crt so after the directive name enter the path and file name and remove the &hash; from the beginning of the line.

SSLCertificateKeyFile – this will need to point to yourdomain.key so after the directive name enter the path and file name and remove the &hash; from the beginning of the line.

Step 3 of 4

Save the changes and close the text editor.

Step 4 of 4

Restart Apache.