I always have issues getting my certificate renewed using OpenSSL and the certificates that GoDaddy lets you download. I chose IIS and I chose Exchange Server in the GoDaddy download section of the site to get the CRT file. The issue I always have is converting it to PFX so that I can install it with a private key on my IIS Server. This is also relevant if you are using Azure to host your certificates as Microsoft requires PFX certificates in that realm.
So finally, after getting it working today, I wanted to write this blog post to make sure I at least have a sure method to get the certificate converted with the private key. NOTE that this is for a certificate that has NOT expired.
First, download your certificate from GoDaddy to the server you have OpenSSL installed on.
Next, extract the cert to your directory and note the path. You will use the path in your OpenSSL commands.
You may be seeing other files in there. Well the issue was that I couldn’t generate the proper private key and the PEM file given by GoDaddy did not work in the conversion. So, here is what I had to do on the Web Server to export the proper private key:
In the MMC Certificate Utility, export the current certificate with the private key:
- Choose to Export the Key and Extended Properties
- Choose a password and set the encryption to SHA256
- Name the File and Export it to the directory you’re working from
Next, run the following cmd in OpenSSL to extract the private key from the exported certificate. Enter the password you created during the export when prompted:
```
openssl pkcs12 -in c:\path\exportedwithpkey.pfx -nocerts -out c:\path\key.pem -nodes
```
Next, use that key file along with the CRT file to create the new PFX. Enter the password again when prompted:
```
openssl pkcs12 -export -out c:\path\newldlnet2021.pfx -inkey c:\path\key.pem -in c:\path\ldlnet2021.crt
```
You should now have the proper NEW PFX file to import into IIS or Azure or wherever you need the certificate installed with the private key! DON’T forget your password!
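A check for the procedure above, as an added example that is not from the original post: this PowerShell script runs the same two OpenSSL commands, but before building the PFX it confirms that the renewed CRT carries the same public key as the exported private key, and it deletes the unencrypted key.pem at the end. It assumes openssl.exe is on PATH and that the CRT is PEM-encoded; the paths are the post's placeholders and `Invoke-OpenSsl` is a helper defined here.

```powershell
# Added example. Paths are placeholders in the style of the post's c:\path\ examples.
$pfxIn  = 'C:\path\exportedwithpkey.pfx'   # exported from MMC with the private key
$crt    = 'C:\path\ldlnet2021.crt'         # renewed certificate (assumed PEM-encoded)
$key    = 'C:\path\key.pem'                # temporary, unencrypted private key
$pfxOut = 'C:\path\newldlnet2021.pfx'

function Invoke-OpenSsl {
    param([string[]]$OpenSslArgs)
    # openssl.exe is assumed to be on PATH. Native commands do not throw,
    # so the exit code has to be checked explicitly.
    $out = & openssl $OpenSslArgs
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($OpenSslArgs[0]) exited with code $LASTEXITCODE"
    }
    $out
}

try {
    # First command from the post: extract the private key (prompts for the export password).
    Invoke-OpenSsl @('pkcs12', '-in', $pfxIn, '-nocerts', '-out', $key, '-nodes') | Out-Null

    # Public key derived from key.pem, and the public key embedded in the renewed CRT.
    $keyPub = (Invoke-OpenSsl @('pkey', '-in', $key, '-pubout')) -join "`n"
    $crtPub = (Invoke-OpenSsl @('x509', '-in', $crt, '-noout', '-pubkey')) -join "`n"

    # -cne is the case-sensitive comparison; base64 text must not be compared with -ne.
    if ($keyPub -cne $crtPub) {
        throw 'The renewed certificate was not issued for this private key; not building the PFX.'
    }

    # Second command from the post: combine the key and the renewed CRT (prompts for a password).
    Invoke-OpenSsl @('pkcs12', '-export', '-out', $pfxOut, '-inkey', $key, '-in', $crt) | Out-Null
    Write-Host "Key matches certificate; wrote $pfxOut"
}
finally {
    # -nodes left the key unencrypted on disk, so remove it whether or not the build succeeded.
    if (Test-Path $key) { Remove-Item $key -Force }
}
```

A mismatch here means the renewal was issued against a different key pair than the one in the current IIS certificate, which is the case where the exported key cannot be paired with the new CRT.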
THANKS FOR READING!! KEEP LEARNING AND REMEMBER TO DOCUMENT SO YOU DON’T HAVE TO REMEMBER ALL THE TIME!
Extracting Certificate and Private Key Files from a .pfx File – IAM – UW-IT Wiki (washington.edu)
Convert a certificate to PFX (GoDaddy, unable to load private key) – UseIT | Roman Levchenko (rlevchenko.com)
3 thoughts on “Renewing your GoDaddy SSL certificate from CRT/CER to PFX so it can be installed on IIS”
Thanks for the infos. You saved my day.
Thanks for this!
I had to struggle to figure this out the first time I had to renew a certificate but with this guide, I could complete it within 10 minutes the second time around. We need more people like you in this world.
I am extremely grateful for this post. In the past, I was always generating a new CSR to get around the Private Key issues. Thanks!