Certain Certificate Authority providers, such as GoDaddy, allow you to renew an SSL certificate using the same CSR and private key. This greatly simplifies renewal, but it can also complicate things if you don't have your private key readily available.
On a server running ADFS 3.0, for instance, IIS is not available to make an SSL certificate renewal (or even a request) easy. Or perhaps you lost the current private key, or it is stored somewhere that is not easily accessible.
Luckily, there's a fairly easy way to extract the private key from the previous SSL certificate on your Windows server. By using the Windows Certificate store functionality and OpenSSL, you can retrieve the private key, and combine it together with the renewed SSL certificate, enabling you to easily renew the certificate on your server.
First, you need to download and install OpenSSL on the server or on another computer. This can be done in various ways:
Retrieve your certificate and any intermediates from the CA. Download the certificate itself to the machine that will be running OpenSSL. The intermediates will have to be imported on the target server (i.e. the machine that will eventually use the SSL certificate).
If you do not have your private key stored somewhere, and the old SSL certificate in the certificate store on the Windows server has its private key marked as exportable, you can retrieve the private key using these steps.
openssl pkcs12 -in exported.pfx -nocerts -out privkey.pem
In the Windows Certificate store, a certificate and its private key cannot be imported as separate pieces. We need to create a PKCS#12 file containing both and import that as a whole. We can use OpenSSL to do just that.
openssl pkcs12 -export -in renewed.crt -inkey privkey.pem -out import.pfx
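The whole procedure as an added shell example (not from the original post), including the check a practitioner wants before importing: that the extracted key really matches the renewed certificate. It assumes openssl on PATH; the file names, the password and the self-signed certificates standing in for the CA-issued ones are constructed for the demo.

```shell
#!/bin/sh
# Added example: extract the key from the exported PFX, verify it matches the
# renewed certificate, and rebuild a PKCS#12 for import. Assumes openssl on PATH.

# Extract the private key from an exported PFX as unencrypted PEM (-nodes),
# so protect the output file and delete it once the new PFX is built.
extract_key() {  # $1 = exported.pfx  $2 = privkey.pem  $3 = PFX password
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$3" -out "$2"
}

# Compare the public key embedded in the certificate with the public key
# derived from the private key. Returns 0 only when they are identical.
key_matches_cert() {  # $1 = certificate (PEM)  $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Bundle the renewed certificate and the key into a PKCS#12 for the Windows
# certificate store, refusing to build one from a mismatched pair.
build_pfx() {  # $1 = renewed.crt  $2 = privkey.pem  $3 = import.pfx  $4 = password
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -passout "pass:$4" -out "$3"
}

# Demo with constructed material: a key and a self-signed "old" certificate
# exported like Windows would do it, then a "renewed" certificate on the same key.
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout orig.key -out old.crt \
        -days 1 -subj "/CN=adfs.example.test" 2>/dev/null
    openssl pkcs12 -export -in old.crt -inkey orig.key -passout pass:secret -out exported.pfx
    openssl req -x509 -new -key orig.key -out renewed.crt -days 2 \
        -subj "/CN=adfs.example.test" 2>/dev/null
    extract_key exported.pfx privkey.pem secret
    build_pfx renewed.crt privkey.pem import.pfx secret
    # Final sanity check: the new PFX parses with the chosen password.
    openssl pkcs12 -in import.pfx -passin pass:secret -nokeys -noout 2>/dev/null
)
```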