How to install certificate on new server while old server is active using domain name?


#1

Please fill out the fields below so we can help you better.

My domain is: see below

I ran this command: n/a

It produced this output: n/a

My operating system is (include version): Win Server 2012 R2

My web server is (include version): IIS 8.5

My hosting provider, if applicable, is: see below

I can login to a root shell on my machine (yes or no, or I don’t know): yes and no, see below

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

We are moving off of an ISP onto our own server and I want it to be SSL. I will have a TEST box and PROD, but the TEST box may or may not be open to the public (haven’t decided yet, since testing can occur if the firewall just allows our organization access to it). Right now the domain name is pointing to a non-SSL hosted website. I have admin and remote access to the new boxes, but only FTP access to our web directory on the existing site.

DNS is working on the new boxes. The firewalls are all configured. BUT the domain name will not be transferred until we are actually moving it into production and having the old site decommissioned. Now you see the problem: how do I get a certificate all set up and tested on my new boxes prior to having the domain name transferred to them?

Thanks for all constructive comments! (If the answer is in the docs then RTFM is fine as well.)


#2

3 options spring to mind.

  1. You could use the DNS challenge (that way you don’t need to upload anything to your site). certbot doesn’t support the DNS challenge currently, but certainly the bash and Go alternate clients do.

  2. You could upload the tokens to your site via FTP to verify ownership of the domain, and obtain a certificate. Again, this is easiest with one of the alternate clients, I think.

  3. Since you're currently using HTTP only, just transfer the site over as HTTP only, then create the cert once on the new server.
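What the "tokens" in options 1 and 2 actually are, as an added example that is not part of the thread and not the code of certbot or any other ACME client: for HTTP-01 the file served at `/.well-known/acme-challenge/<token>` must contain the key authorization `<token>.<thumbprint>`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account key; for DNS-01 the `_acme-challenge` TXT record holds the base64url SHA-256 of that same key authorization (RFC 8555 §8.3 and §8.4). The functions below compute both and stage the HTTP-01 file in a local copy of the webroot so it can be uploaded by FTP. Assumptions: an RSA account key given as its base64url `n` and `e` values (the demo uses the public example key from RFC 7638, not a real account), a constructed token, and `openssl` on the path.

```shell
#!/bin/sh
# Added example (not from the thread or from any ACME client): derive the
# HTTP-01 and DNS-01 challenge responses for an ACME account key by hand.

# b64url: base64url without padding, as ACME and JOSE require.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# acme_thumbprint N E
# RFC 7638 thumbprint of an RSA JWK: SHA-256 over the required members in
# lexicographic order ("e","kty","n") with no whitespace, base64url encoded.
acme_thumbprint() {
  printf '{"e":"%s","kty":"RSA","n":"%s"}' "$2" "$1" \
    | openssl dgst -sha256 -binary | b64url
}

# key_authorization TOKEN THUMBPRINT  ->  "<token>.<thumbprint>"
key_authorization() { printf '%s.%s' "$1" "$2"; }

# stage_http01 WEBROOT TOKEN THUMBPRINT
# Writes the HTTP-01 response file under WEBROOT and prints its path; this
# directory tree is what would be uploaded by FTP to the old site.
stage_http01() {
  dir=$1/.well-known/acme-challenge
  mkdir -p "$dir"
  key_authorization "$2" "$3" > "$dir/$2"   # no trailing newline on purpose
  printf '%s\n' "$dir/$2"
}

# dns01_txt_value TOKEN THUMBPRINT
# Value for the _acme-challenge TXT record: base64url(SHA-256(key authorization)).
dns01_txt_value() {
  key_authorization "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Demo with the RFC 7638 example RSA key and a constructed token.
RFC7638_N='0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw'
RFC7638_E='AQAB'
DEMO_TOKEN='constructed-token-1234'   # constructed sample, not a real challenge

if command -v openssl >/dev/null 2>&1; then
  tp=$(acme_thumbprint "$RFC7638_N" "$RFC7638_E")
  echo "account thumbprint: $tp"
  echo "HTTP-01 file: $(stage_http01 "$(mktemp -d)" "$DEMO_TOKEN" "$tp")"
  echo "DNS-01 TXT:   $(dns01_txt_value "$DEMO_TOKEN" "$tp")"
fi
```

The practical point of option 2: only the token file goes to the old ISP site over FTP; the account key and the certificate's private key stay on the new box. Once the CA has validated, the file can be deleted.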


#3

I used the ZeroSSL web-based service to create a test certificate via LE and it generated two text files (with a .txt extension), and now Google is unable to help me figure out the next step of converting these files into a format that IIS 8.5 understands for import (.cer or .p7b files). Perhaps another breadcrumb for me to follow, anyone? Thanks!

UPDATE: I used the following website: https://www.sslshopper.com/ssl-converter.html and had it convert the certificate text file from the .PEM it apparently is to a .PFX that Windows wants. If that website had named the file extension properly it would alleviate some confusion IMO. Resulting cert installed without a problem!


#4

@mushu The files downloadable in the ZeroSSL online client are deliberately given .txt extensions. Otherwise browsers might actually launch a certificate import application under Windows, or start giving messages like Chrome gives whenever any certificate file is being downloaded - that it might harm your computer (likely meaning something as trivial as importing some certificate by accident into the registry).

However, despite the fact that PFX is quite rarely required, I think there might be some clarification added into the “Learn more” section regarding this indeed.

P.S. There is a chance of having PFX produced directly on ZeroSSL at some point.


#5

hi leader

PFX is common for windows IIS environments and windows systems


#6

@ahaw021 Yes, I know that :slight_smile: IIS is also surprisingly close to Apache according to Netcraft survey.

My “rarely required” remark is more a reflection of the fact that no one actually asked for it to be implemented so far on ZeroSSL, combined with the personal experience throughout the years, where in 99.5% cases infrastructure would be based on Linux/FreeBSD, rather than Windows (at least for the use cases involving Internet-facing web servers or services).


#7

PFX can be a bit dangerous because of course it has the private key inside it (thus, you must be very careful with it) but also the certificate (which is an entirely public document in our case, and always low security risk).

Users can get confused and email you a PFX when asked to see a copy of their certificate for any reason, and then you have to break it to them that they’ve destroyed the security of their system and need to start over, whoops. So I’m not a big fan, but it would make life easier for Windows users.


#8

hi tialaramex

I always insist that people password protect their PFX files.

Microsoft also allows you to prevent export of the private key once installed, adding a layer of security.


#9

So…umm…you’re saying that I should not use this website to create my PFX version because they now have my private key? Good thing it was for a throw-away test cert. https://www.sslshopper.com/ssl-converter.html


#10

Yes. When you picked PFX as the output type, you should have seen a warning triangle added which read:

Your private key is intended to remain on the server. While we try to make this process as secure as possible by using SSL to encrypt the key when it is sent to the server, for complete security, we recommend that you manually convert the certificate on your server using the OpenSSL commands below.
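The local conversion that warning points to, as an added example that is neither part of the thread nor the converter site's own commands: it bundles the PEM private key, leaf certificate and chain into a password-protected PFX on the machine that already holds the key, so the key is never sent to a third party. Assumptions: file names `privkey.pem`, `cert.pem` and `chain.pem` (the chain argument may be empty), `openssl` on the path, and a password supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): PEM -> password-protected PFX, done
# locally so the private key never leaves the server.

# pem_to_pfx KEY CERT CHAIN OUT PASSWORD
# CHAIN may be "" when there are no intermediates to bundle.
pem_to_pfx() {
  key=$1 cert=$2 chain=$3 out=$4 pass=$5
  # Sanity check: the public key in the certificate must match the private
  # key, or IIS imports a bundle it can never use. Works for RSA and EC keys.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 2
  [ "$key_pub" = "$cert_pub" ] || { echo "key/cert mismatch" >&2; return 3; }
  # Subshell so the restrictive umask does not leak into the caller. The
  # password is passed through an environment variable (-passout env:) rather
  # than on the command line, where other users could read it from ps.
  (
    umask 077
    PFX_PASS=$pass openssl pkcs12 -export \
      -inkey "$key" -in "$cert" ${chain:+-certfile "$chain"} \
      -name "web-server-cert" -out "$out" -passout env:PFX_PASS
  )
}

# pfx_subject PFX PASSWORD
# Prints the subject of the leaf certificate inside the bundle. It fails on a
# wrong password, which doubles as a check that the file really is encrypted.
pfx_subject() {
  PFX_PASS=$2 openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# Typical use (file names are assumptions; read the password from a prompt or
# a secrets store, never hard-code it):
#   pem_to_pfx privkey.pem cert.pem chain.pem site.pfx "$PFX_PASSWORD"
#   pfx_subject site.pfx "$PFX_PASSWORD"
```

Copy the resulting `.pfx` to the Windows box over an authenticated channel and delete it once imported. The counterpart to the point in post #8 on the Windows side is to import without marking the key exportable (for example PowerShell's `Import-PfxCertificate` without the `-Exportable` switch), so the key cannot be pulled back out of the certificate store later.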

