Moving an SSL certificate to a new server isn’t always straightforward. Moving one from GoDaddy to a new Windows Server proved downright frustrating, since their directions result in a disappearing certificate.
The problem is that the generated certificate was created using a certificate signing request (CSR) from a different machine, and the private key is not included in the SSL bundle (with good reason). When you try to import an SSL certificate into IIS using the steps outlined by GoDaddy here, Windows Server will give the impression that everything worked just fine, and no error will be given. You can even open and view the newly imported certificate in IIS Manager. But this is a lie! Silently, Windows rejected the certificate because it did not contain a private key it could validate, and you only find out about it when you try to apply the cert to a website and the certificate no longer exists.
To solve this issue we can make use of a handy tool GoDaddy provides that lets you re-key a certificate. In this way, we can generate a new certificate request (‘Create Certificate Request’) on the new server and re-key the SSL certificate based on the newly generated private key. It sounds hard, but here are the steps:
Log into your GoDaddy account, expand the SSL Certificates section, and click the Manage button for the SSL Certificate you want to transfer.
Click on the ‘View Status’ link for the SSL Certificate to transfer.
Click on the big ‘Manage’ button. You’ll now be on the Manage Certificate screen.
Before we proceed further, we need to generate a new Certificate Signing Request on the Windows Server. Open IIS Manager and click on the server node you want to add the certificate to. Then select the ‘Server Certificates’ item toward the bottom. On the Server Certificates screen, click the ‘Create Certificate Request’ link. Fill out the certificate information and save the file to your desktop. Open the certificate request file in Notepad and copy the contents.
Back at the GoDaddy certificate manager, expand the Re-Key Certificate area and paste in your certificate request. Verify the domain name you want to protect is displayed and hit save. GoDaddy will now go through a process of validating your account and re-keying your certificate. This should only take a couple of minutes.
Back at the Server Management Options screen, click the big ‘Download’ button to retrieve your newly keyed certificate. Choose the IIS option from the select box and copy the zip file to your Windows Server.
Unzip the certificate files to your Windows server, then click the ‘Complete Certificate Request’ link back in the IIS Manager Server Certificates area. Choose the certificate you just downloaded from GoDaddy and select the ‘Personal’ store for the certificate and click OK.
Now you should be able to choose the SSL certificate for your website in IIS as you’d expect without it vanishing on you.
Don’t forget to import the intermediate certificates from GoDaddy (those instructions do work) if you don’t have them already, or else your new certificate may throw warnings on client browsers.
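
Since IIS Manager gives no error when the private key is missing, it helps to check the store directly after completing the request. The PowerShell below is an added example, not part of the original post: it reports, for each certificate in the machine's Personal store that matches a host name, whether Windows holds a private key for it and whether the chain builds with the intermediates installed. The function name Test-ImportedCertificate and the host name www.example.com are hypothetical placeholders.

```powershell
# Added example: confirm an imported certificate is usable by IIS.
# Run in an elevated PowerShell session on the new server.
function Test-ImportedCertificate {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $DnsName
    )

    # Escape wildcard characters so a name like *.example.com is matched literally.
    $pattern = '*CN=' + [WildcardPattern]::Escape($DnsName) + '*'

    # Cert:\LocalMachine\My is the 'Personal' store chosen in IIS Manager.
    $found = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like $pattern -or
        ($_.DnsNameList -and $_.DnsNameList.Unicode -contains $DnsName)
    }

    if (-not $found) {
        Write-Warning "No certificate for '$DnsName' in LocalMachine\My (the import may have been silently dropped)."
        return
    }

    foreach ($cert in $found) {
        # Build the chain without revocation lookups so the check works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            # False here means IIS cannot bind this certificate to a site.
            HasPrivateKey = $cert.HasPrivateKey
            # False usually points at missing intermediate certificates.
            ChainBuilds   = $chainOk
            ChainLength   = $chain.ChainElements.Count
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

# www.example.com is a placeholder; use the domain on your certificate.
Test-ImportedCertificate -DnsName 'www.example.com' | Format-List
```

A result with HasPrivateKey set to False, or no result at all, means the certificate was not matched to a request generated on this server, so it needs to be re-keyed as described above.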