Exporting the IIS SSL Certificate

Printer Friendly Page


This document describes how to export the SSL Certificate from a Microsoft IIS server. If the Palo Alto Networks device will be inspecting incoming traffic to a Microsoft IIS server (including the front end servers for Exchange 2003 OWA or Exchange 2007 CAS) using SSL, the server's certificate and key can be loaded for inbound SSL inspection. The following steps outline what needs to be done to export the existing IIS SSL server certificate and key.



Exporting the SSL Server Certificates and Key

  1. Using the Internet Information Server (IIS) Manager MMC (Microsoft Management Console) plug in, connect to the desired server.  The default location for the plug in is Start > Programs > Administrative tools > Internet Information (IIS) Manager.
  2. Select the Properties of the Default Web Site instance.
    Note: If a different website other than the default for the SSL service is used, select that instance instead.
  3. Launch the Web Server Certificate Wizard by selecting the Directory Security tab from the Properties window and pressing the Server Certificate button under the Secure communications section.
  4. Select Next from the Welcome page. Then, select "Export the current certificate to a .pfx file" and click Next.

After the export occurs, the .pfx file can be directly imported into the Device > Certificate page on the web GUI.


For more information on configuring SSL Decryption review the following document: SSL Decryption Quick Reference - Resources


owner: jdelio


Is there an example of how to get OWA on the firewall ie. rules and ssl decryption.

I think there is a line missing from the openssl command. Here's the command I used to convert the PFX file to a PEM file:

openssl pkcs12 -in yourcert.pfx -out tempfile.pem

I still have an oustanding issue in getting my wild card cert working on my PAN

is this still revelant if the Palo can import pfx files directly and include the private key?