So not sure if you have all faced this issue before but, really it shouldn’t be an issue. When purchasing an SSL certificate the ideal approach is to use an IIS instance and create the “CSR” there so you can then import the received “CRT” and it will then be available within “IIS” and not do the disappearing act which you see sometimes. “IIS” needs both the initial request and then the response to be mapped together so that the certificate contains the private key which is required by “IIS” to use the certificate.
While working on many projects I am often issued a zip file that contains the “CRT” only and when imported won’t work as the initial request was created using a different platform such as the firewall.
There are ways of creating the “PFX” format from several of the SSL providers, but that requires the response and the “PEM” file which is the key along with other details to generate it. AN example can be found here:
This screen is taken from this URL: https://www.sslshopper.com/ssl-converter.html
In reality though this works, the easy approach is to use a server instance, IIS instance and generate the required “CSR” then choose to “Re-Key” the existing certificate and complete it all in the same place so you don’t face these issues.
To generate a certificate request from “IIS” you simple access the root node and select “Server Certificates“.
Then select the “Create Certificate Request“.
The wizard will launch and you can then complete the values as you need them. In this example I will look at creating a certificate for “demo.helloitsliam.com“.
We are then asked for the cryptographic bit length, which for me should be nothing less than “4096“.
This will then ask me to save the certificate request into a file that I can then open and paste the “CSR” syntax into my SSL provider’s site. My “CSR” syntax is:
You can validate that it is right by accessing an SSL decoder site like this one: https://certlogik.com/decoder/, pasting in the above and letting it decode and present the results back.
Now we have that checked we can pass it to our provider and wait for the “CRT” to be returned. Once it is received we can simply import the “CRT” directly into the “IIS” instance we created the “CSR” from and it works. You are then able to then export that certificate into a “PFX” file as we now have both the public and private keys.
If you don’t want to use an “IIS” instance, then you can use the “MMC” snap in for certificates. You can access this by launching the “Manage Computer Certificates” application.
Once you have added the snap in you can then right click the “Personal” node and choose to “All Tasks“, “Advanced Operations” and select the “Create Custom Request“. If you are creating one to be used to an internal certificate authority connected to your Active Directory you can choose the top option of “Request New Certificate“.
As this will be a “CSR” that you are submitting to an online “SSL” select the “Proceed without enrollment policy” option.
For this demonstration, you can leave the values on the next screen as the defaults. The next screen confirms that we are creating a custom request. To add properties you will need to expand the row using the arrow.
To continue press the “Properties” button. The following details were added for this demonstration.
Once you have completed these, simply click “OK” and save the “.req” file so you can access it later. Now we can check this as before. Open the file in notepad and you should see something like this:
Pasting this into the site we used earlier for decoding can validate we have it all correct, and should be the same as the last one (if I typed it call correctly).
Now we can complete the process like the last one, receive the “CRT” and use the same application but this time choose to “import“.
Once your certificate has been imported it should then show up with the “key” icon next to the certificate name like this.
Then you know this certificate has the private key with it which can then be used within “IIS“. To use this certificate to a different server you will need to export the certificate to a “PFX” format, ensuring that you say “yes” to export the private key.
So there you have it, the real key to making “SSL” certificates work when creating and exporting them is to ensure the private key goes with it. During the export process check the “Include all certificates in the certification path if possible“.
This will also “try” to make sure the full certificate path including the root and intermediate (if needed) are part of the “PFX“, which will fix most issues you see to do with certificate trusts. Hope this helps.