One of the nice security features of SQL Server 2005 and 2008 is that it allows you to encrypt the traffic between the server and client using your own SSL certificate. This can be done using a self signed or a third party certificate from a credible CA but note that using a self signed certificate is less secure and introduces the possibilty for a man in the middle attack. The process for doing such is outlined very well on many different websites including this MSDN article.
I requested a certificate for our domain from GlobalSign and received the certificate back in the form of a text file with three sections: Regular Certificate (X509), Intermediate Certificate, and the Private Key. The file looked like the following:
Regular Certificate (X509) -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- Intermediate Certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- Private Key -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
Having never worked with SSL before I wasn’t quite sure how to go from a text file to the needed PKCS #12 Certificate File format (.pfx file) to import the certificate into the server’s certificate store. After searching around I found that a tool called OpenSSL would do the trick. (You can download the binary files for Windows here.) It is a command line tool that allows you to manipulate SSL certificates in many different ways.
To generate the needed PKCS #12 Certificate File using OpenSSL do the following:
- Download and install OpenSSL from here.
- Save the three portions of the certificate into three separate files (Note: The Intermediate Certificate is optional, if you were not supplied with one, just skip the steps involving it):
- privatekey.txt – Copy and paste the contents of the private key including the begin and end lines.
- certificate.txt – Copy and paste the contents of the Regular Certificate including the begin and end lines.
- intermediate.txt – Copy and paste the contents of the Intermediate Certificate including the begin and end lines.
- Move the three files into the bin folder where you installed OpenSSL (default folder is C:\OpenSSL-Win32\bin).
- Open the command prompt and navigate to the bin folder where you installed OpenSSL.
- Enter the following line and press enter (Omit ‘-certfile intermediate.txt’ if you do not have an Intermediate Certificate):
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.txt -in certificate.txt -certfile intermediate.txt
After the process completes, there will be a certificate.pfx file in the bin directory that can be used to import the certificate into the servers personal certificate store.
Nick Olsen's Programming Tips 
September 8, 2010 at 3:29 pm
[…] To resolve the problem I created the needed PKCS #12 Certificate File following the steps outlined here, and then clicked on the Import link (not the Complete Certificate Request… link) in the […]
September 8, 2010 at 4:29 pm
[…] correct format to import into the server’s Personal Certificate Store using the steps found here, I was finally ready to select the certificate and encrypt the database traffic. As outlined here I […]
December 4, 2010 at 3:12 am
[…] final buscando un poco en Google, encontré esto. Es para SQL Server 2008, pero el mismo método sirve para IIS […]
February 17, 2011 at 3:38 am
I spent hours searching for a solution to this problem and this article resolved it! Thanks a million, I was at a complete loss! SSL issuing companies really do over-complicate things and should supply tools on their site that allow users to do the public and private key merge or ask the customer for the private key and do the merge themselves.
IIS7 should also alert the user that the certificate hasn’t installed correctly if a private key wasn’t supplied.
February 17, 2011 at 7:34 am
I couldn’t agree more!
June 1, 2011 at 10:10 am
Thanks for the info. The private key is however not in our received signed (Comodo) results.
Where does IIS7 store the private key it has used to generate the Certificate Sign Request?
Anybody know how to export that private key info?
June 2, 2011 at 7:10 am
You should have been given the private key when you purchased the certificate. If not, you need to contact the vendor.
June 15, 2011 at 6:25 am
Hi Nick, nope the IIS7 server keeps the private key on the server. The Certificate Authority signs the Cerificate Sign Request (CSR) and returns the signed certificate holding their chain (intermediate and trusted authoritive root certificate).
When you use the MMC with certificates plugin you can however see the certificate requests and export the private key form there.
Hope this helps someone.
June 15, 2011 at 7:20 am
Glad you figured it out!
July 10, 2011 at 6:17 pm
Looks like someone is copying your posts.
http://sqlanddotnetdevelopment.blogspot.com/2011/04/ssl-and-sql-server-2008-creating.html
July 11, 2011 at 7:11 am
Thanks for the heads up.
March 23, 2012 at 1:10 pm
If you have already installed the certificate on another server, you can export the .pfx file if you know the password. This is what I needed when building a second server. Thanks for the info!
July 30, 2012 at 2:19 pm
Thank you, thank you, thank you!
August 9, 2012 at 1:23 pm
Thanks a bunch, very easy to follow. Even someone as new to SSL Certificates as I am
Odd that such a simple task is not handled by your CA. Could there be a reason they are delivered in this manner?
January 17, 2014 at 9:41 am
@Taylor S
The private key is as it says, yours, its private. Leave it in a secure place on your server. Do NOT expect a CA to deliver you a private key. They SIGN your certificate and make it official that it is yours. You SIGN with your private key and the certificate proves to recipients it is YOUR server.
Hope this explains why this is by design as it is.
January 9, 2013 at 1:16 am
Thank you for this tutorial!
March 19, 2013 at 12:33 pm
Can anybody say where I can get private key for this, if I get certificate on goDaddy?
Please help.
January 17, 2014 at 9:43 am
@Sergei
The private key is as it says, yours, its private. Leave it in a secure place on your server. Do NOT expect a CA to deliver you a private key. They SIGN your server certificate request and make it official that it is yours. Your server SIGN with its private key and the certificate proves to recipients it is YOUR server.
Hope this explains why this is by design as it is.
May 15, 2013 at 8:44 am
Awesome thanks you saved me a lot of time – well obviously I wasted some before I found this.
January 16, 2014 at 5:54 am
I appreciate your tutorial it worked !
April 11, 2014 at 3:59 am
Thank you, this saved me 🙂
September 26, 2014 at 4:10 pm
This came up for us when we were updating our certificates to SHA-2. The first server worked perfectly, but on the second server the certificate kept disappearing after Completing the Certificate Request. Checking the Certificates through MMC\Certificates in the Personal\Certificates folder showed the new certificate did not have a key on it. Using the link below we exported the Private key from the first server and imported it into the second server. Once this was done a key appeared where is wasn’t and in IIS the certificate we were adding reappeared after refreshing the screen.
https://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm
November 5, 2014 at 10:13 pm
I get the following error and lost on what to do next
unable to load private key
7292:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib
.c:696:Expecting: ANY PRIVATE KEY
unable to write ‘random state’
November 19, 2014 at 3:09 pm
I keep getting this error Loading ‘screen’ into random state – done
Error opening private key privatekey.txt
4596:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
bss_file.c:398:fopen(‘privatekey.txt’,’rb’)
4596:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:40
0:
unable to load private key
can anyone help
January 12, 2015 at 2:17 am
So your CA send you a complete certificate with its private key? Sound dubious. Normally, if you create CSR in your machine and send the CSR to your CA, the private key will never leave your machine. So for Globasign I think you create the CSR in their control panel, they process it and pass it to you. As the purpose of using SSL is to secure your server’s connection, so the tool provided by the CA is actually take away part of the security with it. In this case, the CA is storing your private key and pass it back to you.
June 23, 2015 at 2:02 pm
What if you don’t have a text file, but have a .crt file? How would I create the three files needed?
November 4, 2018 at 8:07 am
[…] from an ancient web article and a modern one – to easily import all the certificates into Windows IIS, windows requires […]
February 11, 2019 at 3:01 pm
[…] SQL: SSL and SQL Server 2008 – Creating the Certificate Autor cbocanegraPublicado el 11 febrero, 2019CategorÃas .NET, hosting – dominiosEtiquetas certificado, iis […]
April 29, 2019 at 11:19 pm
really excellent post. there are so many work around of this IIS bug. but i like this guy and his competencies. the way he guided . really wonderful. i was facing this issue of certificate disappearing & in mmc present. finally this helped me out. thanks dear ….realy nice post