System Configuration - SSL and SSH - SSL - Server Certs - Backing Up

For backing up or replatforming a certificate, the easiest method is to use the MOVEit DMZ Backup and Restore utilities, as these utilities handle the backing up and restoring of both server and client SSL certificates loaded on the system. MOVEit DMZ Resiliency services also automatically replicate SSL client certificates and provide a utility to replicate SSL server certificates through the MOVEit DMZ Config utility. Otherwise, if you need to export and import certificates manually, the following procedures are available to guide you.

Microsoft makes it easy to generate new certificates and replace existing certificates. However, exporting a certificate from one machine and importing it on another machine using the same Microsoft certificate facility is not as easy for two key reasons:

• By default, Microsoft tries to export keys without their private keys. While one could argue that this is good for security, many "next next next" administrators blow right by the configuration dialog where they should check the "export private key" box.
• Microsoft allows you to import server certificates without private keys. Although this feature is essential when defining obscure external certificates, the silent acceptance of these certificates often leads administrators to believe that they have successfully exported/imported a server certificate even though the private key was not moved.

There is one easy way to tell if you did an export/import procedure properly, however. If, when you try to import a certificate, you are prompted for a password, you probably did the procedure correctly. (A password is required to unlock the private key from an export file.)

If you are unsure why someone might export a server certificate in the first place, there are four general situations in which this occurs:

• You want a backup copy of the certificate so you can quickly restore the entire server if anything bad happens
• You are "replatforming" an existing secure server
• You do not have the funds to buy a certificate for a development or test box and you want to borrow a real certificate from your production box.
• You need to deliver the PUBLIC part of your certificate to a client for installation before that client will be allowed to connect (in this case, you do NOT export your private key)

Manual procedures to import and export SSL certificates are covered in "SSL - Server Certs - Import and Export".

• Telltale Errors
• Exporting MOVEit DMZ's SSL Server Certificate Without Private Key

Telltale Errors

You may have improperly exported/imported a server certificate (with a its private key) if you notice any of the following errors in your secure FTP server logs, secure web server logs or client displays:

• Your MOVEit DMZ FTP server logs report a "Not Loaded" certificate error.
• A locally installed copy of MOVEit Freely reports a "Handshake Error" when connecting to any valid FTP port on localhost.
• "https://" connections to your web server are not logged in the IIS web logs.
• While running Internet Explorer on the same box as your web server, you get a "site not available" response when trying to connect to your web site via any "https://" URL. (i.e. "https://localhost/help.htm")

Exporting MOVEit DMZ's SSL Server Certificate Without Private Key
(for import into various FTP clients)

Some FTPS (FTP/SSL) clients must import the MOVEit DMZ's SSL certificate, and possibly any root or intermediary CA certificates in the certification path, before the client can establish a FTPS connection with MOVEit DMZ. Since the same SSL certificate is used by both IIS (https) and MOVEit DMZ FTP (ftps), it is easy to export the certificates using Internet Explorer.

To export the MOVEit DMZ's host SSL certificate, perform the following steps:

1. Connect to the MOVEit DMZ using Internet Explorer (e.g., https://moveit.stdnet.com).
2. Double-click the padlock in the status bar.
3. Click the Details tab.
4. Click the Copy to File button to start the Certificate Export Wizard.
5. Follow the prompts to export the certificate in the desired format. If you're not sure which format, try Base-64.

To export the root CA and any intermediate CA certificates in the certification path, perform the following steps:

1. Connect to the MOVEit DMZ using Internet Explorer (e.g., https://moveit.stdnet.com).
2. Double-click the padlock in the status bar.
3. Click the Certification Path tab.
4. Click the certificate you wish to export to select it.
5. Click the View Certificate button. A second dialog will open.
6. Click the Details tab.
7. Click the Copy to File button to start the Certificate Export Wizard.
8. Follow the prompts to export the certificate in the desired format.