Exporting SSL certificates from cPanel/Apache

I was quite surprised today to find that there is no built-in facility to export an SSL certificate through WHM/cPanel. We needed to move the certificate to our Windows network from our Linux box and it wasn’t as straightforward as you may think.

Still, after a bit of googling we came up with the following steps to create a pfx file, which is simple to import into IIS on Windows:

Step 1 – Get the key/crt files
You can grab these two files by going to cPanel > Manage SSL hosts. Just select the domain you are exporting and cPanel will then display the key and certificate (crt) files.

Step 2 – Create the files through SSH
Now this part may be unnecessary, but I couldn’t locate the path to the files, so I simply logged into SSH as root and entered the following:

[root@host ~]# nano yourdomain.key

Paste in the key text displayed in Step 1, then save and exit (CTRL+X, confirm save).

Now you need to repeat this for the certificate file (yourdomain.crt) as well.

Step 3 – Create the PFX file for export
OK, now that you have your crt and key files, you need to create a pfx file for the export. For this we just use OpenSSL with the command:

[root@host ~]# openssl pkcs12 -export -out /home/pathtodomain/yourdomain.pfx -inkey yourdomain.key -in yourdomain.crt

You will be asked to set a password and also confirm that password. This will create the pfx file in the domain root.

You can download the generated pfx file and import it into IIS.
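
The check and export from Steps 2 and 3 as a script. This is an added example, not part of the original post; the password file, the function names and the throwaway example.test pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the key is the
# unencrypted PEM text cPanel displays, and the export password is read
# from a file (hypothetical convention) instead of typed at the prompt.

# Constructed sample input: a throwaway self-signed pair for example.test.
demo_pair() {   # demo_pair DIR
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$1/yourdomain.key" -out "$1/yourdomain.crt" 2>/dev/null
}

# Succeeds only if the private key and the certificate carry the same
# public key, which catches a bad paste or a key from an older request.
pair_matches() {   # pair_matches KEY CRT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Same export as Step 3, but refused for a mismatched pair and written
# with owner-only permissions (umask 077 gives the PFX mode 0600).
make_pfx() {   # make_pfx KEY CRT OUT PASSFILE
    pair_matches "$1" "$2" || {
        echo "key and certificate do not match; not exporting" >&2
        return 1
    }
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "file:$4" )
}

# Confirms the PFX opens with the password and its integrity check passes.
pfx_opens() {   # pfx_opens PFX PASSFILE
    openssl pkcs12 -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# Usage: sh make_pfx.sh yourdomain.key yourdomain.crt yourdomain.pfx passfile
if [ "$#" -eq 4 ]; then
    make_pfx "$1" "$2" "$3" "$4" && pfx_opens "$3" "$4" && echo "wrote $3"
fi
```

Once the PFX has been imported into IIS, delete the copied key, the PFX and the password file from the Linux box, since the key file is unencrypted and the PFX is protected only by its password.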

2 thoughts on “Exporting SSL certificates from cPanel/Apache”

  1. If you need to go the other way around – importing .pfx and setting up using WHM/cPanel, I couldn’t find much help, so hope this helps someone:

    If you’re trying to set up a GoDaddy SSL from a .pfx file in cPanel or WHM, here are a couple of tips:

    * first remove any files in the ssl/certs/ and ssl/private/ directories for the account (i.e. home/yoursite/ssl/)

    * if you have access to WHM, use the “Manage SSL Hosts” to double check for entries – delete any for the domain in question

    * then check the “SSL Key/Crt Manager” – delete anything related to the domain you’re setting up SSL for

    * if you followed the instructions above, you’ll have the certs.pem and the now decrypted key.pem, but for GoDaddy you need the CA:
    * openssl pkcs12 -in filename.pfx -cacerts -nokeys -out cabundle.pem

    * the text in those three .pem files (certs, key, cabundle) is all you need to copy into your SSL install page – crt, key, ca bundle

    * for WHM it’s the “Install a SSL Certificate and Setup the Domain” tool

    …maybe this is the long way around, but wanted to make sure I used the WHM/cPanel tools since I don’t know everything it’s doing under the hood.
