Extracting Private Key and Certificate from IIS certificate export

Some of our clients are using Survey Gizmo in order to gather surveys from their clients. Survey Gizmo is able to serve surveys using your domain name (of course – you should use a subdomain, not the main name). In order to do this securely, it needs the SSL certificate.

In the Survey Gizmo configuration, the certificate information is provided as text. It requires a Private Key and a Certificate. If you already have these generated in Linux, in the form that is used by Apache, you can open the files and see the certificate and key as text.

On the other hand, if you have your certificate information exported from IIS, you have to convert it to two separate files and remove the encryption of the private key.

OpenSSL to help

Once you have the IIS certificate export file, you will need to install OpenSSL. On most Linux-based machines, it is already available. On Windows, you should install it.

Once installed, you can start with certificate extraction. IIS requires a password when exporting certificates, so you will also need to know this password. In order to extract the certificate, use this command:

openssl pkcs12 -in [IIS-export-file.pfx] -clcerts -nokeys -out [certificate-output-file.crt]

When using OpenSSL v3, you should add the -legacy parameter:

openssl pkcs12 -in [IIS-export-file.pfx] -clcerts -nokeys -out [certificate-output-file.crt] -legacy

You will have to provide the password used during the certificate export from IIS. The certificate output file is not encrypted, so you can now open it with any text editor and copy the certificate contents.

In order to export the Private Key, use the following command:

openssl pkcs12 -in [IIS-export-file.pfx] -nocerts -out [key-encrypted.key]

When using OpenSSL v3, you should add the -legacy parameter:

openssl pkcs12 -in [IIS-export-file.pfx] -nocerts -out [key-encrypted.key] -legacy

Again, you will have to provide the password used during the certificate export from IIS, but you will also need to set a password for the exported private key. You can use the same password.

Now, let’s convert the encrypted private key into an unencrypted one. Use the following command:

openssl rsa -in [key-encrypted.key] -out [key-unencrypted.pem]

The result of the process, the “key-unencrypted.pem” file, contains the Private Key you need. Again, you can open it with any text editor, copy the contents, and use it in Survey Gizmo.
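
The steps above as one non-interactive script, with a final check that the extracted key belongs to the extracted certificate. This is an added example, not part of the original post; the output file names, the PFX_PASS environment variable and the make_sample_pfx helper (which builds a constructed test PFX in place of a real IIS export) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names are placeholders.
# The PFX password is read from the PFX_PASS environment variable, so it does
# not appear in the argument list of the openssl process.

# Run "openssl pkcs12"; if that fails, retry once with -legacy (OpenSSL v3
# reading an export that was encrypted with older algorithms).
pkcs12() {
    openssl pkcs12 "$@" 2>/dev/null || openssl pkcs12 "$@" -legacy
}

# Succeeds only if the certificate ($1) and private key ($2) share a public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# extract_pfx PFX OUTDIR: writes OUTDIR/cert.crt and OUTDIR/key-unencrypted.pem.
# The body runs in a subshell so the umask change does not leak to the caller.
extract_pfx() (
    umask 077                          # new files readable by the owner only
    mkdir -p "$2" || exit 1
    pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS \
        -out "$2/cert.crt" || exit 1
    pkcs12 -in "$1" -nocerts -passin env:PFX_PASS -passout env:PFX_PASS \
        -out "$2/key-encrypted.key" || exit 1
    openssl rsa -in "$2/key-encrypted.key" -passin env:PFX_PASS \
        -out "$2/key-unencrypted.pem" 2>/dev/null || exit 1
    rm -f "$2/key-encrypted.key"       # intermediate file is no longer needed
    key_matches_cert "$2/cert.crt" "$2/key-unencrypted.pem"
)

# Constructed sample input: a throwaway self-signed certificate packed into a
# PFX in directory $1, standing in for an IIS export.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=survey.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout env:PFX_PASS -out "$1/sample.pfx"
}

# Usage: PFX_PASS='export password' sh extract.sh IIS-export-file.pfx outdir
if [ "$#" -eq 2 ]; then
    extract_pfx "$1" "$2" && echo "key and certificate match"
fi
```

The unencrypted key file is created with owner-only permissions; delete it once its contents have been pasted into the target service.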