Renewed certificate doesn't contain private key from public Certifying Authority

Summary

There have been a number of instances where customers reach out to Support Services to replace their expired certificates, but the old private key has either been misplaced or forgotten two or three years ago when it was last utilized. When the 'renew' option is selected in the public Certificate Authority's (CA) console, it is expected that the customer still has access to the private key that was originally used to generate the certificate. The CA provides a public key for download, but this causes issues, as all web servers (including our software) require both the public and private key to be present to successfully secure HTTPS communications.

Disclaimer: 
These steps are not directly supported by Esri, and involve manipulating SSL certificates and private keys. The steps listed here should be undertaken by an IT professional that has experience with OpenSSL and a thorough understanding of SSL certificates.

When a certificate is renewed via a public CA, the download package typically includes the public certificate (in CRT and PEM format), and the certificate bundle for any intermediate and the root certificates. Since the private key is never exposed to the CA, there is no reasonable expectation to be able to recover the private key unless the original is retained.

Procedure

This workflow has been validated against GoDaddy's SSL certificate console, but the same general process should hold true for any public CA. The following steps are to generate a new private key and certificate signing request using OpenSSL, then re-keying the existing certificate with the CA, and using the generated private key and downloaded public key to create a valid PFX file for import into IIS, ArcGIS Server, Portal for ArcGIS, or any of our other products.

1. Install OpenSSL for Windows
   • It may be necessary to add the path to the openssl bin directory to the system or user PATH variable to call the executable from any location.
2. Create certificate signing request template file (csr-template.txt in the example):

[ req ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = <Common Name>
emailAddress = <Email Address>
O = <Organization>
OU = <Organizational Unit>
L = <City>
ST = <2-Letter State>
C = <Country Code>

[ req_ext ]
subjectAltName = DNS: <Repeat Common Name>

Note: 
The subjectAltName can include multiple DNS entries, and is a required value in Chrome version 58 and later to avoid certificate warnings.

3. All values surrounded by <> should be replaced, for example, <Common Name> becomes www.example.com
4. Run the following command to generate a new private key and certificate signing request:

openssl req -new -config <Path to csr-template.txt> -keyout <example.com>.key -out <example.com>.csr

5. Go to the CA's certificate console and select the certificate that has been renewed and select the 'rekey' option and copy/paste generated CSR contents.
6. Wait for the certificate to validate, and download the certificate package from the CA
7. Unzip the files and copy the CRT file to the same directory as the private key (to simplify the command in the next step)
8. Run the following command to generate a PFX file from the generated private key and downloaded public key (<signed_certificate>.crt in example):

openssl pkcs12 -export -out <example.com>.pfx -inkey <example.com>.key -in <signed_certificate>.crt

9. Enter a password when prompted, and verify the entered password; this password will be used when importing the PFX file into IIS or any of the ArcGIS Enterprise products.
10. Import the certificate into the appropriate product and update the designated web server certificate to point to the newly-imported certificate
11. Open a new browser window and load the associated endpoint to confirm the new certificate is presented by the web server