by lunarg on August 24th 2015, at 16:09

Certain Certificate Authority providers, such as GoDaddy allow you to renew an SSL certificate using the same CSR and private key. This greatly simplifies the procedure to renew a certificate, but this can also complicate things if you don't have your private key readily available.

On a server running ADFS 3.0 for instance, you do not have IIS available to allow an easy SSL certificate renewal (or even a request). Or perhaps, you lost the current private key, or it is located somewhere where it's not easily accessible.

Luckily, there's a fairly easy way to extract the private key from the previous SSL certificate on your Windows server. By using the Windows Certificate store functionality and OpenSSL, you can retrieve the private key, and combine it together with the renewed SSL certificate, enabling you to easily renew the certificate on your server.

Private key required!
For this to work you need to have the private key for the SSL certificate. If you do not have the private key separately (e.g. in PEM-format), try to contact someone who does.
You can also attempt to export the old SSL certificate from the server, but this requires the certificate has its private key marked as exportable. Read below for instructions.


First, you need to download and install OpenSSL on the server or on another computer. This can be done in various ways:

Retrieve your certificate and any intermediates from the CA. Download the certificate itself to the machine that will be running OpenSSL. The intermediates will have to be imported on the target server (i.e. the machine that will eventually use the SSL certificate).

Retrieve the private key from the current SSL certificate (optional)

If you do not have your private key stored somewhere, and the old SSL certificate in the certificate store on the Windows-server has its private key marked as exportable, you can retrieve the private key using these steps.

  1. On the Windows-server which has the old SSL certificate, open the Certificate Store for the Computer account.
  2. Export the old certificate from the certificate store, including the private key and all extended attributes. Enter a passphrase you can remember easily. Name the file exported.pfx.
    You will end up with a single PKCS#12 file (called exported.pfx, if you followed the instructions to the letter).
    If you are unable to select to export the private key, you will need to find another way to obtain the private key. You cannot continue without the private key!
  3. On the machine that has OpenSSL, run this command to export the private key from the PKCS#12 file:
    openssl pkcs12 -in exported.pfx -nocerts -out privkey.pem
    Enter the old passphrase you used during the export, then enter a new passphrase to protect the private key.
  4. You should store the private key (called privkey.pem) somewhere safe!

Renew the private key and certificate

In the Windows Certificate store, it is not possible to reference a certificate by its private key and certificate separately. We need to create a PKCS#12 file and import that as a whole. We can use OpenSSL to do just that.

  1. With the private key and new certificate readily available on the machine with OpenSSL installed, create a new PKCS#12 file, combining the private key with the new certificate you downloaded from your provider:
    openssl pkcs12 -export -in renewed.crt -inkey privkey.pem -out import.pfx
    Enter the passphrase for your private key, then enter a new passphrase for the new PKCS#12. A new PKCS#12 file (called import.pfx) will be created, containing the private key and the new certificate.
  2. Import the PKCS#12 (called import.pfx) to the certificate store on your Windows-server. Be sure to import the extended attributes and the private key.
    Enter the passphrase of the import.pfx file you entered in the previous step. After the import, you should see a new certificate, and that it has a corresponding private key:
  3. In your server application (IIS, Exchange, etc.), set the SSL certificate to use to the newly imported certificate.
    If you perform this using Powershell, you usually need the Thumbprint of the certificate. You can find this on the Details tab of the properties of the certificate (double-click on it in the certificate store).
« February 2024»
« Most people tend to avoid true conflict. Ironically this breeds more conflict. »