How to convert an IIS SSL certificate for Apache?

How to convert an IIS SSL certificate for Apache

1.    We need to export the certificate as PFX with the private key. Please follow the below steps:
  • Open Microsoft Management Console by putting the following command in RUN. "MMC.EXE" 
  • Click on File icon then Add/Remove snap-in.

Graphical user interface, application

Description automatically generated

  • In the new window, click on Certificate and then Add it. 

Graphical user interface, text, application

Description automatically generated

  • Select Computer account -> Local computer and hit on Finish button. Then click on OK button.
  • Now, expand the certificates navigate to "Personal" or "Web Hosting" based on the location you chose while installing the SSL certificate. You will finally end up getting the SSL certificate installed in IIS.

Graphical user interface, text, application, email

Description automatically generated

  • Right click on the certificate -> All Tasks -> Export. Now you will get "Certificate Export Wizard" Click Next to continue. Now you will get two option, you must choose the first one "Yes, Export the private key".

 Graphical user interface, text, application, email

Description automatically generated


Note: If the export with private key option is grayed out and if you are using Let'sEncrypt certificate, please follow these steps to get the PFX file - 

Also, if you are using Let's Encrypt certificate the Java JDK version installed in the upload manager server should be minimum and should be in the 1.8 series. Java JDK 1.9 or higher series won't work with eMAM upload manager. If you are installing the new JDK, make sure you are uninstalling the old JDK and reinstall the eMAM upload manager. After that associate the right user with the service.

  • Click Next with default options and on the Security tab, provide a password. Please remember it as we need this password while converting SSL Certificate." 

Graphical user interface

Description automatically generated

  • Click Next and save the certificate in a location. The exported file will be in a .pfx (Personal Information Exchange) format. Click on the Finish button to complete the export process.
2.    Now let’s convert the exported PFX certificate into JKS. Follow the below steps:
  • Open Command Prompt and CD to the following location "C:\Program Files\Java\jdk\bin".
  • If the path does not exist, go manually to the bin folder inside JAVA\JDK. Make sure "keytool.exe" exists inside the bin folder. Now, execute the following command.

keytool -importkeystore -srckeystore C:\Users\Administrator\Desktop\test\ourdomain.pfx -srcstoretype pkcs12 -destkeystore C:\Users\Administrator\Desktop\test\eMAMUploadManager.jks -deststoretype JKS

  • Replace the input and output path in the above command. Please make sure, there is no unwanted space in the above command and the command is fully pasted in the command prompt. Chances of getting error while executing this command is high. So, double-check the command and make sure no extra spaces, unwanted dots (even on the file name like "") or other mistakes. 


Description automatically generated

  • A completely copied command will look similar to the above screen grab. Now click Enter button to execute the command. It will ask for the Destination Key Store password.  It will again ask us to re-enter the new password. Input the same password. Then it will ask for the Source Key Store Password. This password we specified during the export process. (Passwords can be same). Successfully executed command will look similar to the following screen grab. 


Description automatically generated


  • This command will create a Java Key Store file (eMAMUploadManager.jks) in the output location. 


3.    Verify the existence of the JKS in the output location and follow the below steps:

  • Copy and paste the JKS file inside the following directory based on the eMAM version. 

eMAM 3.8 - C:\Program Files\Empress Media\eMAM Gateway\eMAMUploadManager

eMAM 5.1 and above - C:\Program Files\Empress Media\eMAM Ingest Manager\eMAMUploadManager

  • In the same "eMAMUploadManager" folder, you can see a "conf" folder. Inside that folder, edit server.xml file and find the following tag:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

Uncomment this tag and replace it with following tag:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="${user.dir}/eMAMUploadManager.jks" keystorePass="Enter KeyStore password here" />

Please use the screenshot below for reference. 

Note: The key Store file path may need to be changed for eMAM 5.0 in the server.xml file.

  • Save the server.xml file after making the changes.
  • The default port of Apache over SSL is 8443. Make sure the port is open to the server and put the uploader URL with https in the browser to make sure the uploader is working fine.


Replace the dummy domain name in the above URL with actual domain name. Once you get "eMAM Upload Manager is running successfully" response message in the browser, please change the eMAM Uploader key under App settings in the web.config XML configuration file of eMAM Director with the above URL.

4. We need to restart the eMAMUploadManager service for the changes to reflect. Please follow the below steps:

  • Open Services by putting the following command in RUN "services.msc".
  • In the Services window scroll down and find eMAMUploadManager. 
  • Right-click on the service and choose restart.

If you face any issues, please contact eMAM Support at for further assistance.