How to Export SSL Certificates & Verify with DigiCert Tools

Managing SSL/TLS certificates is a critical task for any website administrator. Whether you need to back up your certificate and private key, migrate your website to a new server, or troubleshoot an installation issue, knowing how to export a certificate correctly is essential. Equally important is verifying that your SSL certificate is installed properly and trusted by browsers. This is where DigiCert’s tools come in handy for checking SSL installations.

This guide provides step-by-step instructions on how to export SSL certificates from common platforms and how to use DigiCert’s popular SSL checker tool to validate your setup.

Key Takeaways

  • Exporting Purpose: You might need to export certificates for backups, server migrations, or sharing the public key.
  • Key Inclusion: Exporting can include just the public certificate (.cer, .crt, .pem) or the certificate plus its private key (usually .pfx or .p12). Never share your private key unless absolutely necessary and secure.
  • Platform Differences: The export process varies depending on the server platform (Windows/IIS, Apache/Nginx) or source (Browser).
  • Verification Need: After installation or changes, always verify your SSL setup to ensure it’s working correctly.
  • DigiCert Tools: DigiCert offers reliable online tools (like their SSL Installation Diagnostics Tool) to check SSL installation status, chain validity, and common configuration errors.
  • Security: Protect exported files containing private keys (.pfx, .p12) with strong passwords and secure storage.

How to Export SSL/TLS Certificates

The method to export a certificate depends heavily on where it’s currently installed and whether you need the private key included.

1. Exporting from Windows (using MMC Certificate Snap-in)

This method is common for certificates used by IIS or other Windows services. You can choose whether to include the private key.

  • Exporting Certificate with Private Key (Requires .PFX/.P12 format):
    1. Press Win + R, type mmc, and press Enter.
    2. Go to File > Add/Remove Snap-in….
    3. Select Certificates and click Add >.
    4. Choose Computer account and click Next > Finish > OK.
    5. Navigate to Certificates (Local Computer) > Personal > Certificates.
    6. Locate the certificate you want to export. Right-click on it.
    7. Select All Tasks > Export….
    8. The Certificate Export Wizard starts. Click Next.
    9. Crucial Step: Select Yes, export the private key. Click Next. (If this option is greyed out, the private key is either not present or marked as non-exportable).
    10. Choose the format: Personal Information Exchange – PKCS #12 (.PFX). Ensure “Include all certificates in the certification path if possible” is checked. Click Next.
    11. Set a strong password to protect the exported file. This is vital! Confirm the password. Click Next.
    12. Choose a file name and location to save the .pfx file. Click Next > Finish.
  • Exporting Certificate without Private Key (Public Key Only – .CER/.CRT):
    1. Follow steps 1-7 above.
    2. The Certificate Export Wizard starts. Click Next.
    3. Select No, do not export the private key. Click Next.
    4. Choose the format: DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER) are common. Base-64 is a text format often preferred. Click Next.
    5. Choose a file name and location to save the .cer file. Click Next > Finish.

2. Exporting from IIS Manager (Simplified for PFX)

IIS Manager provides a direct way to export the certificate with its private key if it was imported there initially.

  1. Open IIS Manager.
  2. Select the server node in the Connections pane.
  3. Double-click Server Certificates in the center pane.
  4. Right-click the certificate you want to export and select Export….
  5. Specify the path and file name for the .pfx file.
  6. Enter and confirm a strong password.
  7. Click OK.

3. “Exporting” from Apache/Nginx (File System Copy)

On Linux-based systems running Apache or Nginx, “exporting” usually means copying the existing certificate and key files. These are typically separate files (.crt or .pem for the certificate and intermediate chain, .key for the private key) referenced in your server configuration.

  1. Locate the paths specified in your Nginx (ssl_certificate, ssl_certificate_key) or Apache (SSLCertificateFile, SSLCertificateKeyFile) configuration files.
  2. Use scp, rsync, or simple cp (if staying on the same server) to copy these files (yourdomain.crt, yourdomain.key, potentially intermediate_chain.pem) to your desired location.
  3. Remember: Secure the .key file copy appropriately!
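
The file-copy procedure above as a script, added here as an illustration and not part of the original guide: it reads the certificate and key paths from an Nginx config, confirms with OpenSSL that the key belongs to the certificate, and copies both into an owner-only directory. The function names, the `demo` argument and the `www.example.test` sample certificate are assumptions made for the example; it expects an unencrypted PEM key and unquoted paths in the config.

```shell
#!/bin/sh
# Added example, not from the original guide: back up an Nginx cert/key pair.

# Path configured for a directive in an Nginx config (first match, unquoted).
nginx_path() {  # $1 = directive, $2 = config file
    awk -v d="$1" '$1 == d { sub(/;$/, "", $2); print $2; exit }' "$2"
}

# SHA-256 of the public key taken from a certificate ("cert") or a key ("key").
pubkey_hash() {  # $1 = cert|key, $2 = PEM file
    pem=
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Copy the pair named in the config into a directory only the owner can read.
# Returns 2 if a file is missing, 3 if the key does not belong to the cert.
export_pair() {  # $1 = nginx config, $2 = destination directory
    cert=$(nginx_path ssl_certificate "$1")
    key=$(nginx_path ssl_certificate_key "$1")
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    c=$(pubkey_hash cert "$cert") || return 3
    k=$(pubkey_hash key "$key") || return 3
    [ "$c" = "$k" ] || return 3
    ( umask 077                    # new directory 0700, new files 0600
      mkdir -p "$2" && cp "$cert" "$key" "$2"/ &&
      chmod 600 "$2/$(basename "$key")" )
}

# Constructed demo input: a throwaway key, self-signed cert and config in $1.
make_sample() {  # $1 = empty working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj /CN=www.example.test \
        -keyout "$1/yourdomain.key" -out "$1/yourdomain.crt" 2>/dev/null || return 1
    printf 'server {\n  ssl_certificate %s;\n  ssl_certificate_key %s;\n}\n' \
        "$1/yourdomain.crt" "$1/yourdomain.key" > "$1/site.conf"
}

if [ "${1:-}" = demo ]; then
    work=$(mktemp -d) && make_sample "$work" &&
        export_pair "$work/site.conf" "$work/backup" && ls -l "$work/backup"
fi
```

Comparing public-key hashes before copying catches the common migration mistake of pairing a renewed certificate with the key from the previous one.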

4. Exporting from a Web Browser (Public Key Only)

You can export the public certificate of any website you visit directly from your browser. This is useful for examining a site’s certificate details but does not include the private key.

  1. Navigate to the HTTPS website in your browser (Chrome, Firefox, Edge).
  2. Click the padlock icon in the address bar.
  3. Look for an option like “Connection is secure,” then “Certificate is valid.”
  4. Clicking this usually opens a certificate viewer window.
  5. Go to the Details tab.
  6. Look for an Export or Copy to File… button.
  7. Choose a format (Base-64 encoded X.509 .cer or .pem is common) and save the file.

How to Check SSL with DigiCert Tools

After installing or renewing a certificate, verifying the installation is crucial. DigiCert, a leading Certificate Authority, provides excellent free tools for this.

Using the DigiCert® SSL Installation Diagnostics Tool

This is the go-to online tool for checking public-facing SSL installations.

  1. Open your web browser and navigate to the DigiCert SSL Installation Diagnostics Tool: https://www.digicert.com/help/
  2. Enter the Server Address (your website’s domain name, e.g., www.yourdomain.com). You don’t need https://.
  3. Click the Check Server button.
  4. Analyze the Results: The tool will perform several checks and report on:
    • Certificate Details: Common Name, Subject Alternative Names (SANs), Serial Number, Issuer, Validity Period (Expiration Date).
    • Installation: Checks if the certificate matches the private key (via handshake), if the correct intermediate certificates are installed (chain of trust), and looks for common server configuration issues.
    • Revocation Status: Checks if the certificate has been revoked.
    • DNS Match: Verifies the Common Name or SANs match the requested domain.

The tool provides clear pass/fail indicators and explanations for any detected issues, helping you pinpoint problems quickly.
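
For servers the online tool cannot reach, comparable checks (validity period, name match, chain of trust) can be run locally with OpenSSL against a saved certificate file. This script is an added example, not DigiCert's tool or code from the original guide; the function names, the `demo` argument and the `www.example.test` certificate are assumptions, and revocation is not checked.

```shell
#!/bin/sh
# Added example (not DigiCert's tool): local certificate checks with OpenSSL.
# To test a live internal server, first save the certificate it presents:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#       | openssl x509 -out server.pem

# Run a command quietly and print PASS or FAIL with a description.
check() {  # $1 = description, remaining args = command to run
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS  $desc"; else echo "FAIL  $desc"; return 1; fi
}

# -checkhost reports its verdict as text, so read it from the output.
host_matches() {  # $1 = cert file, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# check_cert CERT HOST CA_BUNDLE [DAYS]; return status = number of failed checks.
check_cert() {
    cert=$1; host=$2; ca=$3; days=${4:-30}; fails=0
    # -checkend exits non-zero if the certificate expires within N seconds.
    check "not expiring within $days days" \
        openssl x509 -in "$cert" -noout -checkend $((days * 86400)) || fails=$((fails + 1))
    check "name matches $host" host_matches "$cert" "$host" || fails=$((fails + 1))
    # CA_BUNDLE holds the root and any intermediates; a missing one fails here.
    check "chains to a CA in $ca" \
        openssl verify -CAfile "$ca" "$cert" || fails=$((fails + 1))
    return "$fails"
}

if [ "${1:-}" = demo ]; then   # constructed input: throwaway self-signed cert
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj /CN=www.example.test \
        -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
    check_cert "$d/c.pem" www.example.test "$d/c.pem" 5
elif [ $# -ge 3 ]; then
    check_cert "$@"
fi
```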

Other DigiCert Tools

  • DigiCert Certificate Utility for Windows: A downloadable utility that can help with CSR generation, installation, and diagnostics directly on a Windows server.
  • CSR Decoder: If you have a Certificate Signing Request, this tool can decode it to show the details embedded within it, useful for verification before ordering.

Why Export and Check?

  • Migration: Exporting (with the private key) allows you to move your SSL certificate to a new server. Checking confirms the new setup works.
  • Backup: Regularly exporting a PFX backup (with a strong password, securely stored) is good practice.
  • Troubleshooting: If a certificate isn’t working, exporting it (or the public cert from a browser) and checking it with DigiCert’s tools can reveal installation errors, chain issues, or name mismatches.
  • Auditing: Exporting public certificates can be part of security auditing processes.

Wrapping It Up

Knowing how to export certificate files correctly, and especially understanding the critical difference between exporting with and without the private key, is vital for certificate management. Pairing this knowledge with the ability to check SSL installations using reliable tools like DigiCert’s SSL Installation Diagnostics Tool ensures your website remains secure, trusted, and operational. Always prioritize the security of your private keys during and after export.

Looking for reliable SSL certificates or need help managing them? Explore options at SSLRepo.

Frequently Asked Questions (FAQ)

Q1: What’s the difference between .PFX, .P12, .PEM, .CER, and .CRT files?
A:

  • .PFX / .P12: Binary formats that bundle the public certificate(s) AND the private key. Protected by a password. Used mainly on Windows/IIS.
  • .PEM: Base64 (text) format. Can contain just the public certificate, just the private key, or both, plus intermediate certificates. Common on Linux/Apache/Nginx.
  • .CER / .CRT: Usually contain only the public certificate. Can be binary (DER) or Base64 (PEM-like). Often used interchangeably with .pem for public certificates.

Q2: Why is the “Yes, export the private key” option sometimes greyed out in Windows?
A: This usually means either the private key corresponding to that certificate isn’t present on that machine, or when the key was originally created or imported, it was marked as “non-exportable” for security reasons.

Q3: How often should I check my SSL certificate installation?
A: Definitely check after every new installation, renewal, or significant server configuration change. Periodic checks (e.g., quarterly or using automated monitoring) are also a good idea to catch unexpected issues like intermediate certificate expirations.

Q4: Can DigiCert’s tool check installations on internal servers not accessible from the internet?
A: No, the online DigiCert SSL Installation Diagnostics Tool requires the server to be publicly accessible over the internet (port 443). For internal servers, you might use their downloadable Certificate Utility for Windows or OpenSSL commands locally.

Q5: Is it safe to export my private key?
A: Exporting the private key is necessary for backups or migrations. However, the resulting file (e.g., .pfx) is highly sensitive. You MUST protect it with a strong password and store it securely (e.g., encrypted storage, hardware security module, secure offline media). Never email it or store it insecurely.
