GoDaddy SSL Renewal

The Magic Process to Update a Certificate on IIS

GoDaddy makes it easy to buy an SSL/TLS certificate for a Windows Server running IIS. The difficulty comes during the renewal process.

Here is the Issue

GoDaddy automatically renews the certificate and emails you a link to download the new files. The problem is that you never created a new certificate request in IIS, so there is no pending request to complete with the files they send you. As a result, their documentation doesn't work as expected: once you complete steps 27-30, the certificate simply disappears from the Server Certificates list, because IIS only keeps a completed certificate when it can match it to a pending request.

How to Fix It

Download your updated files from GoDaddy. The .zip file will contain three files, like:

  • 32f1fede5cde5dd.crt
  • 32f1fede5cde5dd.pem
  • gd-g2_iis_intermediates.p7b

The .crt and .pem files both hold the new certificate, i.e. the public half of the key pair IIS uses, in two different encodings, and gd-g2_iis_intermediates.p7b holds GoDaddy's intermediate CA certificates. None of them contains the private key, and GoDaddy never had it: the private key only ever existed on your server.

Since this is a certificate renewal, you already have the private key stored in IIS! Now you just need to get it.

  • Open IIS Manager on your server
  • Click on the server node in the tree view on the left
  • Double-click on Server Certificates under the IIS section on the right
  • Right-click on the certificate that is being renewed and click Export
  • Export the certificate as "temp.pfx". Pick a simple password, as we'll delete this file when done.
  • This .pfx contains both the public certificate and the private key
  • Copy this .pfx file from the server to your Windows 10/11 PC

Make sure you have WSL installed on your Windows 10/11 PC. We are going to use a Linux tool (openssl) to manipulate the certificate. Open the app "Ubuntu on Windows". This will open a terminal to your WSL Ubuntu instance.

  • Enter cd / to change directory to the root of the Ubuntu file system
  • Enter cd /mnt/c/data to change directory to the C:\data folder on your Windows PC
    • Note: the c/data part should correspond to whichever folder you copied "temp.pfx" to
  • Enter openssl pkcs12 -in temp.pfx -nocerts -out priv-key.pem -nodes
    • Your private key will now be contained in priv-key.pem
    • You can open this file with notepad to view the contents
  • Copy the .pem file from GoDaddy (ex. 32f1fede5cde5dd.pem) to the same C:\data folder
  • Enter openssl pkcs12 -inkey priv-key.pem -in 32f1fede5cde5dd.pem -export -out mynewcert.pfx
    • This will create a new .pfx file using your private key and the new public key from GoDaddy
    • You will need to provide a password for the new .pfx file
    • If you get the message "No certificate matches private key", the public key in GoDaddy's certificate doesn't correspond to the private key you extracted, which means you exported the wrong certificate from IIS earlier
  • Copy the file "mynewcert.pfx" back to your server
  • In IIS, under Server Certificates, select "Import...". Select "mynewcert.pfx" and enter the password.
  • Finish following the GoDaddy directions to bind this new certificate to your website IP address
  • Go to your website and confirm "Valid From/To" dates are now updated on the certificate
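The whole procedure above, as an added shell example that is not part of the original post: it fabricates a key pair plus an "old" and a "renewed" certificate (self-signed stands in for GoDaddy's CA) so it runs offline in WSL or any Linux shell, then applies the two openssl commands from the post and adds the key/certificate comparison behind the "No certificate matches private key" message. All file names, CN values and passwords are constructed for the demo; on a real server, temp.pfx is the file you exported from IIS and 32f1fede5cde5dd.pem is the file from GoDaddy's zip.

```shell
#!/bin/sh
# Added example, not from the original post. Everything below is constructed
# for the demo: the key pair, the certificates and the passwords.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT     # the post's advice: remove key material when done
cd "$WORK"

# --- Constructed fixtures -------------------------------------------------
# Key pair that IIS generated for the original request; it never leaves the server.
openssl genrsa -out server.key 2048 2>/dev/null
# Certificate currently bound in IIS (about to expire).
openssl req -new -x509 -key server.key -days 1 \
    -subj "/CN=renew.example.test" -out old.crt
# What the IIS "Export" step produces: certificate plus private key in one PFX.
openssl pkcs12 -export -inkey server.key -in old.crt \
    -passout pass:temp -out temp.pfx
# Renewed certificate from the CA: same public key, fresh validity period.
openssl req -new -x509 -key server.key -days 365 \
    -subj "/CN=renew.example.test" -out 32f1fede5cde5dd.pem
# A certificate for an unrelated key, to show the failure mode from the post.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout other.key -days 365 \
    -subj "/CN=other.example.test" -out other.pem 2>/dev/null

# --- The procedure --------------------------------------------------------
# "openssl pkcs12 -in temp.pfx -nocerts ...": recover the private key.
# -nodes writes it unencrypted, so treat the output file like the PFX itself.
extract_key() {  # $1 = exported pfx, $2 = its password, $3 = output key file
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3"
}

# The check behind "No certificate matches private key": the public key inside
# the certificate must equal the public key derived from the private key.
key_matches_cert() {  # $1 = private key pem, $2 = certificate pem
    [ -r "$1" ] && [ -r "$2" ] || return 1
    key_pub="$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)"
    crt_pub="$(openssl x509 -in "$2" -noout -pubkey \
               | openssl pkey -pubin -pubout -outform DER | openssl sha256)"
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# "openssl pkcs12 -export ...": bundle the renewed certificate with the key.
build_pfx() {  # $1 = private key, $2 = certificate, $3 = output pfx, $4 = password
    openssl pkcs12 -export -inkey "$1" -in "$2" -passout "pass:$4" -out "$3"
}

# Sanity check before copying the file back to the server: the PFX opens with
# the chosen password and its integrity MAC verifies.
verify_pfx() {  # $1 = pfx, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout
}

# --- Run it ----------------------------------------------------------------
extract_key temp.pfx temp priv-key.pem
if key_matches_cert priv-key.pem 32f1fede5cde5dd.pem; then
    echo "renewed certificate matches the recovered private key"
fi
if ! key_matches_cert priv-key.pem other.pem; then
    echo "other.pem does not match: openssl would report 'No certificate matches private key'"
fi
build_pfx priv-key.pem 32f1fede5cde5dd.pem mynewcert.pfx newpass
verify_pfx mynewcert.pfx newpass && echo "mynewcert.pfx is ready to import into IIS"
```

Running key_matches_cert before the export step saves a round trip to the server when the wrong certificate was exported. One caveat when following the post with a current Ubuntu: OpenSSL 3.x encrypts PKCS#12 files with algorithms that older Windows versions cannot import; adding the -legacy option to the openssl pkcs12 -export command restores the older algorithms if the IIS import fails.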

Conclusion

Certificate renewal only needs to be done every year or two, so it's difficult to remember the steps. Note that you can probably also install some version of "openssl" directly on Windows, but I was more comfortable just using the Ubuntu version. Remember to clean up your .pfx files, and the unencrypted priv-key.pem, when done.