System Configuration - SSL and SSH - SSL - Server Certs - Backing Up

For backing up or replatforming a certificate, the easiest method is to use the MOVEit DMZ Backup and Restore utilities, as these utilities handle the backing up and restoring of both server and client SSL certificates loaded on the system. MOVEit DMZ Resiliency services also automatically replicate SSL client certificates and provide a utility to replicate SSL server certificates through the MOVEit DMZ Config utility. Otherwise, if you need to export and import certificates manually, the following procedures are available to guide you.

Microsoft makes it easy to generate new certificates and replace existing certificates. However, exporting a certificate from one machine and importing it on another machine using the same Microsoft certificate facility is not as easy for two key reasons:

There is one easy way to tell if you did an export/import procedure properly, however. If, when you try to import a certificate, you are prompted for a password, you probably did the procedure correctly. (A password is required to unlock the private key from an export file.)

If you are unsure why someone might export a server certificate in the first place, there are four general situations in which this occurs:

Manual procedures to import and export SSL certificates are covered in "SSL - Server Certs - Import and Export".

Telltale Errors

You may have improperly exported/imported a server certificate (with its private key) if you notice any of the following errors in your secure FTP server logs, secure web server logs or client displays:

Exporting MOVEit DMZ's SSL Server Certificate Without Private Key
(for import into various FTP clients)

Some FTPS (FTP/SSL) clients must import the MOVEit DMZ's SSL certificate, and possibly any root or intermediary CA certificates in the certification path, before the client can establish an FTPS connection with MOVEit DMZ. Since the same SSL certificate is used by both IIS (https) and MOVEit DMZ FTP (ftps), it is easy to export the certificates using Internet Explorer.

To export the MOVEit DMZ's host SSL certificate, perform the following steps:

  1. Connect to the MOVEit DMZ using Internet Explorer (e.g., https://moveit.stdnet.com).
  2. Double-click the padlock in the status bar.
  3. Click the Details tab.
  4. Click the Copy to File button to start the Certificate Export Wizard.
  5. Follow the prompts to export the certificate in the desired format. If you're not sure which format, try Base-64.

To export the root CA and any intermediate CA certificates in the certification path, perform the following steps:

  1. Connect to the MOVEit DMZ using Internet Explorer (e.g., https://moveit.stdnet.com).
  2. Double-click the padlock in the status bar.
  3. Click the Certification Path tab.
  4. Click the certificate you wish to export to select it.
  5. Click the View Certificate button. A second dialog will open.
  6. Click the Details tab.
  7. Click the Copy to File button to start the Certificate Export Wizard.
  8. Follow the prompts to export the certificate in the desired format.
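Before handing an exported file to FTPS client users, it is worth confirming that it holds only the public certificate. The following is an added example, not part of the MOVEit DMZ documentation: a shape check (not a full ASN.1 parser) for the formats the Certificate Export Wizard writes, which also returns a SHA-256 fingerprint that clients can compare out of band. The function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed placeholder bytes (not real certificates): only the outer ASN.1
# shape matters to the classifier below.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x05, 0x30, 0x03, 0x02, 0x01, 0x02])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
SAMPLE_PFX = bytes([0x30, 0x06, 0x02, 0x01, 0x03, 0x30, 0x01, 0x00])

def first_inner_tag(der):
    """ASN.1 tag of the first element inside the outer SEQUENCE, or None."""
    if len(der) < 3 or der[0] != 0x30:
        return None
    # Outer length is 1 byte (short form) or 1 + n bytes (long form).
    skip = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return der[skip] if len(der) > skip else None

def classify_export(data):
    """Return (format, carries_private_key, sha256_of_certificate_or_None)."""
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="ignore"))
    # Any private-key block makes the file unsuitable for distribution.
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return ("PEM with private key", True, None)
    for label, body in blocks:
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()))
            return ("Base-64 X.509", False, hashlib.sha256(der).hexdigest())
    tag = first_inner_tag(data)
    if tag == 0x30:   # Certificate starts with the tbsCertificate SEQUENCE
        return ("DER X.509", False, hashlib.sha256(data).hexdigest())
    if tag == 0x06:   # ContentInfo starts with an OID: PKCS #7 bundle
        return ("PKCS #7", False, None)
    if tag == 0x02:   # version INTEGER first: PKCS #12 (PFX) or a bare key
        return ("PKCS #12 or key", True, None)
    return ("unknown", None, None)

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM), ("pfx", SAMPLE_PFX)]:
        print(name, classify_export(blob))
```

The Base-64 and DER exports of the same certificate yield the same fingerprint, because the hash is taken over the decoded DER bytes in both cases.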