I always have issues getting my certificate renewed using OpenSSL and the certificates that GoDaddy lets you download. I chose IIS and I chose Exchange Server in the GoDaddy download section of the site to get the CRT file. The issue I always have is converting it to PFX so that I can install it with a private key on my IIS Server. This is also relevant if you are using Azure to host your certificates as Microsoft requires PFX certificates in that realm.
So finally, after I got it working today, I wanted to write this blog post to make sure I at least have a sure method to get the certificate converted with the private key. NOTE that this is for a certificate that has NOT expired.
First, download your certificate from GoDaddy to the server you have OpenSSL installed on.
Next, extract the cert to your directory and note the path. You will use the path in your OpenSSL commands.
You may be seeing other files in there. Well, the issue was that I couldn’t generate the proper private key and the PEM file given by GoDaddy did not work in the conversion. So, here is what I had to do on the Web Server to export the proper private key:
In the MMC Certificate Utility, export the current certificate with the private key:
- Choose to Export the Key and Extended Properties
- Choose a password and set the encryption to SHA256
- Name the File and Export it to the directory you’re working from
Next, run the following command in OpenSSL to extract the private key from the exported certificate. Enter the password you created during the export when prompted. Because of the -nodes option, key.pem is written to disk without encryption:
openssl pkcs12 -in c:\path\exportedwithpkey.pfx -nocerts -out c:\path\key.pem -nodes
Next, use that key file along with the CRT file to create the new PFX. Enter the password again when prompted:
openssl pkcs12 -export -out c:\path\newldlnet2021.pfx -inkey c:\path\key.pem -in c:\path\ldlnet2021.crt
You should now have the proper NEW PFX file to import into IIS or Azure or wherever you need the certificate installed with the private key! DON’T forget your password!
THANKS FOR READING!! KEEP LEARNING AND REMEMBER TO DOCUMENT SO YOU DON’T HAVE TO REMEMBER ALL THE TIME!
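The following PowerShell script is an added example, not part of the original post. It checks that key.pem really belongs to the renewed CRT before building the PFX, then reads the PFX back. It assumes openssl.exe is on PATH and that the CRT is PEM-encoded; the function name Get-PublicKeyPem and the -RemoveKey switch are made up for this illustration.

```powershell
# Added example (not from the original post). Paths are placeholders that
# follow the post's c:\path layout; openssl.exe is assumed to be on PATH.
param(
    [string]$KeyPath  = 'c:\path\key.pem',
    [string]$CertPath = 'c:\path\ldlnet2021.crt',
    [string]$PfxPath  = 'c:\path\newldlnet2021.pfx',
    [switch]$RemoveKey   # hypothetical switch: delete key.pem after a good build
)

function Get-PublicKeyPem {
    # Runs openssl with the given arguments and returns the PEM public key text.
    param([string[]]$OpenSslArgs)
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($OpenSslArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
    return ($out -join "`n").Trim()
}

# Public key embedded in the renewed certificate (PEM-encoded .crt assumed).
$certPub = Get-PublicKeyPem -OpenSslArgs 'x509', '-in', $CertPath, '-noout', '-pubkey'
# Public key derived from the private key exported from the server.
$keyPub  = Get-PublicKeyPem -OpenSslArgs 'pkey', '-in', $KeyPath, '-pubout'

if ($certPub -cne $keyPub) {
    throw "Private key in $KeyPath does not belong to $CertPath; do not build the PFX."
}
Write-Host "Key and certificate match."

# Same command as in the post; openssl prompts for the export password.
& openssl pkcs12 -export -out $PfxPath -inkey $KeyPath -in $CertPath
if ($LASTEXITCODE -ne 0) { throw "PFX export failed." }

# Re-open the PFX (password prompt) to confirm it parses and its MAC verifies.
& openssl pkcs12 -in $PfxPath -noout
if ($LASTEXITCODE -ne 0) { throw "New PFX could not be read back." }

if ($RemoveKey) {
    # key.pem was written with -nodes, so it holds the private key in the clear.
    Remove-Item -LiteralPath $KeyPath
    Write-Host "Removed $KeyPath"
}
```

Remove-Item only deletes the file entry and does not overwrite the key material on disk.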