When an SSL certificate is due for renewal, the renewed cert downloaded from the provider contains only the public certificate, not the private key (the key was generated on your machine and was never sent to the CA). You can easily import the private key from the previous, expiring cert into the new one.
You can tell which certs have or lack a private key from their icons in the cert store: the little key on the cert icon represents the private key (see below).
Steps to add the private key of an existing cert into a renewed one:
- Install the expiring cert in the Personal certificate store on a PC
- Install the current cert (the renewed one, without the private key) in the Personal cert store of the same PC
- Locate and note down the serial number of the new cert (open the cert and go to the Details tab)
- Open an elevated command prompt and run the command below
- certutil -repairstore my <serial number of the new cert without private key>
- The new cert now has the private key; you can export it as a .pfx and include the private key by ticking the box during the export.
Just a recap: when an SSL cert is renewed and the new one downloaded (e.g. the zip file from GoDaddy), by default it does NOT have the private key inside. I previously shared a simple method to inject the private key from the old cert into the renewed one (email below), after which you could export the renewed one with its private key as a .pfx file and use it wherever needed. However, it seems that a recent Microsoft update has made that method unusable: with the new update it adds the private key but then does NOT allow the new certificate to be exported anymore.
If you need to do the above, you can use a different method, described below:
- Download and install the open source tool OpenSSL from https://openssl.org
- Extract the private key from the old .pfx file (the cert that is expiring) and save it as a .key file protected by a password:
- openssl.exe pkcs12 -in old-cert-file.pfx -nocerts -out PrivateKey.key (this will ask for the .pfx password, then prompt you to create a password for the PrivateKey.key file)
- Inject the private key into the renewed cert downloaded from GoDaddy (the .pem file) by running the command below
- openssl.exe pkcs12 -export -in new-cert-file.pem -inkey PrivateKey.key -out new-cert-with-pkey.pfx -passout pass:PasswordFortheNewCert (the -passout value becomes the password of the new .pfx; you will be prompted for the PrivateKey.key password you created earlier). Leave out -passout if you would rather be prompted for the .pfx password than put it on the command line, where it ends up in the command history.
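The OpenSSL procedure above as a POSIX shell script (an added example, not code from the original post; it runs under Git Bash or WSL on Windows with the same openssl commands). It adds the check worth doing before packaging: that the public key inside the renewed certificate actually matches the old private key, which is not the case when the renewal was done with a new key pair. It also optionally bundles the CA chain into the .pfx. All file names and passwords are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Re-attaches the private key from
# the expiring .pfx to the renewed .pem certificate, after verifying that the
# renewed cert was issued for that key. All file names and passwords are assumed.
set -eu

# SHA-256 fingerprint of the public key inside a PEM certificate.
cert_pubkey_fp() {   # cert.pem
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint derived from a password-protected private key file.
key_pubkey_fp() {    # key.key key_password
    openssl pkey -in "$1" -passin "pass:$2" -pubout | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the private key matches the certificate's public key.
key_matches_cert() { # key.key key_password cert.pem
    [ "$(key_pubkey_fp "$1" "$2")" = "$(cert_pubkey_fp "$3")" ]
}

# Step 1 of the post: pull the private key out of the old .pfx into an
# encrypted PEM file (same as "pkcs12 -nocerts" with the interactive prompts).
extract_key() {      # old.pfx pfx_password key_out key_password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -out "$3" -passout "pass:$4"
}

# Step 2 of the post: package renewed cert + old key into a new .pfx, refusing
# to build one whose key does not belong to the certificate. An optional sixth
# argument adds the CA bundle (intermediate chain) so the .pfx is complete.
build_pfx() {        # new-cert.pem key.key key_password out.pfx pfx_password [chain.pem]
    if ! key_matches_cert "$2" "$3" "$1"; then
        echo "refusing: $1 was not issued for the key in $2 (renewed with a new key?)" >&2
        return 1
    fi
    if [ -n "${6:-}" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" -certfile "$6" -out "$4" -passout "pass:$5"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" -passin "pass:$3" -out "$4" -passout "pass:$5"
    fi
}
```

Usage: extract_key old-cert-file.pfx <pfx password> PrivateKey.key <key password>, then build_pfx new-cert-file.pem PrivateKey.key <key password> new-cert-with-pkey.pfx <new pfx password> [gd_bundle.pem].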