There have been a number of instances where customers reach out to Support Services to replace an expired certificate, but the old private key has been misplaced, or forgotten since it was last used two or three years earlier. When the 'renew' option is selected in the public Certificate Authority's (CA) console, the CA assumes that the customer still has access to the private key that was originally used to generate the certificate. The CA provides only the public certificate (the public key) for download, and this causes issues, as all web servers (including our software) require both the certificate and its matching private key to be present to successfully secure HTTPS communications.
Disclaimer: These steps are not directly supported by Esri, and involve manipulating SSL certificates and private keys. The steps listed here should be undertaken by an IT professional who has experience with OpenSSL and a thorough understanding of SSL certificates.
When a certificate is renewed via a public CA, the download package typically includes the public certificate (in CRT and PEM format) and a bundle containing the intermediate and root certificates. Since the private key is never sent to the CA, it cannot be recovered from the CA; the only copy is the original, so if that was not retained it is gone.
This workflow has been validated against GoDaddy's SSL certificate console, but the same general process should hold true for any public CA. The following steps generate a new private key and certificate signing request (CSR) using OpenSSL, re-key the existing certificate with the CA using that CSR, and then combine the generated private key with the downloaded certificate into a valid PFX file for import into IIS, ArcGIS Server, Portal for ArcGIS, or any of our other products.
Save the following template as csr-template.txt, replacing each bracketed value with your own:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = <Common Name>
emailAddress = <Email Address>
O = <Organization>
OU = <Organizational Unit>
L = <City>
ST = <2-Letter State>
C = <Country Code>

[ req_ext ]
subjectAltName = DNS:<Repeat Common Name>
Note: The subjectAltName can include multiple comma-separated DNS entries (for example, DNS:www.example.com, DNS:example.com), and is a required value in Chrome version 58 and later to avoid certificate warnings.
Generate the new private key and the CSR in one step (the .key file is the new private key; keep it safe, as it replaces the lost one):

openssl req -new -config <Path to csr-template.txt> -keyout <example.com>.key -out <example.com>.csr

Submit the contents of the .csr file in the CA's re-key form and download the newly signed certificate.
Combine the new private key and the downloaded signed certificate into a PFX file for import:

openssl pkcs12 -export -out <example.com>.pfx -inkey <example.com>.key -in <signed_certificate>.crt
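The following script is an added example, not an Esri script. It runs the re-key workflow above end to end in a scratch directory and adds the check a practitioner wants before building the PFX: confirming that the certificate the CA returned really carries the public key of the new private key, so that a stale key from a previous renewal is caught before it is imported into IIS or ArcGIS Server. It assumes openssl is on PATH; the hostname example.com, the DN values and the PFX password are constructed placeholders. Because no CA is reachable offline, a clearly labelled self-signed stand-in replaces the CA's re-key step; with a real CA, drop that function and use the downloaded .crt instead.

```shell
#!/bin/sh
# Added example (not Esri's own code). Assumes 'openssl' is on PATH.
# example.com, the DN values and the password 'changeit' are constructed placeholders.
set -eu

HOST="${HOST:-example.com}"

# Write the request template, same layout as csr-template.txt in the article.
write_template() {            # $1 = directory
  cat > "$1/csr-template.txt" <<EOF
[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = $HOST
emailAddress = admin@$HOST
O = Example Org
OU = IT
L = Redlands
ST = CA
C = US

[ req_ext ]
subjectAltName = DNS:$HOST
EOF
}

# Generate a new private key and CSR (the CSR goes into the CA's re-key form),
# then check that the CSR is self-consistent and kept the subjectAltName.
make_csr() {                  # $1 = directory
  openssl req -new -config "$1/csr-template.txt" \
    -keyout "$1/$HOST.key" -out "$1/$HOST.csr" 2>/dev/null
  openssl req -in "$1/$HOST.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$1/$HOST.csr" -noout -text | grep -q "DNS:$HOST"
}

# The practitioner's check: compare the SHA-256 of the DER-encoded public key
# taken from the private key with the one embedded in the certificate.
key_matches_cert() {          # $1 = private key file, $2 = certificate file
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  crt_fp=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$key_fp" ] && [ "$key_fp" = "$crt_fp" ]
}

# Offline stand-in for the CA (constructed for this example only): self-sign
# the CSR so the remaining steps can run without network access.
stand_in_ca_sign() {          # $1 = directory
  openssl x509 -req -in "$1/$HOST.csr" -signkey "$1/$HOST.key" -days 30 \
    -out "$1/$HOST.crt" 2>/dev/null
}

# Bundle key + signed certificate into a PFX for IIS / ArcGIS import, then
# confirm the PFX opens with its password and contains the certificate.
make_pfx() {                  # $1 = directory, $2 = certificate file
  openssl pkcs12 -export -out "$1/$HOST.pfx" -inkey "$1/$HOST.key" \
    -in "$2" -passout pass:changeit
  openssl pkcs12 -in "$1/$HOST.pfx" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | grep -q "BEGIN CERTIFICATE"
}

# Run every stage in a scratch directory and print one status word per stage.
# The last stage deliberately tests an unrelated key against the certificate,
# which is exactly the "old key was lost" mismatch the article describes.
run_demo() {
  dir=$(mktemp -d)
  write_template "$dir"
  make_csr "$dir"                                     && printf 'csr-ok '
  stand_in_ca_sign "$dir"
  key_matches_cert "$dir/$HOST.key" "$dir/$HOST.crt"  && printf 'key-matches '
  make_pfx "$dir" "$dir/$HOST.crt"                    && printf 'pfx-ok '
  openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
  if key_matches_cert "$dir/other.key" "$dir/$HOST.crt"; then
    printf 'WRONG-KEY-ACCEPTED'
  else
    printf 'mismatch-detected'
  fi
  rm -rf "$dir"
  echo
}

run_demo
```

With a real CA, the certificate bundle mentioned earlier (intermediate and root certificates) can be added to the export with the -certfile option of openssl pkcs12 so that the PFX carries the full chain; the key-to-certificate comparison is unchanged.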