Installing a new SSL certificate has become a periodic ritual. As I mention in my author bio, I manage several websites. One or more times a year I have to repeat the process of installing new certificates on these websites. This shouldn’t be difficult, but for reasons which I’ll explain later, it is sometimes more difficult than I’d like. And each time I do this, I inevitably fail to write down the steps I take. As a result, I find that I must research and rediscover how to accomplish this task. Having once again completed this process, I am going to try to break the cycle. Hopefully next time I will be able to refer to my own article for guidance. I’ll continue to revise this article to fill in any gaps that I’ve left.
There are many reputable SSL certificate providers. While many providers charge for certificates, some providers offer them for free, for example LetsEncrypt.org. While there is a lot to like about LetsEncrypt, their automated approach requires installing and running processes on my web servers. That is not difficult and LetsEncrypt provides great instructions. I just haven’t taken the time to set things up yet. Perhaps that will be a future topic to write about.
Your SSL Certificate has Expired
For some of my sites I use GoDaddy.com as a certificate provider. The reason is simple: when I purchase a .app domain from GoDaddy, it includes a free certificate. If you aren’t able, or willing, to use one of the free certificate providers, this can be a real bargain.
The certificate provided by GoDaddy, like all certificates, has an expiration date. This is important for maintaining the security of your website as technology evolves over time. If you want to know more about why certificates expire you can read about it here.
GoDaddy conveniently generates a new certificate for me as needed about a month or so before the previous certificate expires. And GoDaddy sends me an email to remind me when it is time to update my website. That is certainly helpful since renewals of different certificates can happen several times a year.
I host some of my websites as Web Apps on Azure. So, it would be very handy if I could simply upload new certificates as they become available through the Azure portal. If I were using a full Azure VM, then I could simply upload the certificate to the IIS server running on that VM. While Web Apps are often a cheaper and easier option, they do not provide direct access to the IIS server.
The certificates provided by GoDaddy are in the format of a .CRT file. Azure-hosted websites on the other hand require that you provide a certificate in the format of a .PFX file. I understand the basic differences between .CRT and .PFX files. But why does Azure require you to provide the certificate in a different format? To be honest I am not sure. And to be fair I did not spend time researching that question for this article. If any readers know the answer, please comment on this post!
The certificate format mismatch means that I must find a way to transform the .CRT file to a valid .PFX file. Solving and documenting that mystery process is precisely the reason for this article. Once you know how to do it, it turns out to be relatively simple. Let’s see how it is done!
Download and Install the Certificate
The first step is to download the new certificate from GoDaddy. The download will be in the form of a ZIP file. Next, unzip the file contents. You should find three files in the ZIP package: a CRT file, a PEM file and a P7B file. The CRT file is the one that we are interested in at this time. Right click on the CRT file and choose Install Certificate from the menu. This will install the certificate on your local machine.
Export the Certificate
At this point, the certificate is installed locally. Now, open up the Internet Information Services (IIS) Manager. One easy way to do this is to type inetmgr in the Windows Search bar. Then double-click on Server Certificates. This will take you to the Server Certificates screen which shows all of your locally installed server certificates. From here you can export the certificate.
Select the Export… option from the Actions panel on the right-hand side. This will take you to a dialog box.
Now, choose a directory and filename for your exported certificate. Note that the format for the certificate is now .PFX, which is exactly what we need. You must also set a password on your certificate. A .PFX file carries the private key along with the certificate, so this step protects your certificate should the file be intercepted while being transmitted to the remote server.
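The same export can be scripted. The following is an added example, not part of my original notes: it finds the installed certificate, confirms that its private key is present on this machine, writes a password-protected .PFX and then reopens the file to check it. The subject name and output path are placeholders, and it assumes the certificate was installed into the Local Machine "Personal" store and that PowerShell is running as Administrator.

```powershell
# Added example: export an installed certificate to a password-protected PFX.
# $Subject and $OutFile are placeholder values; change them for your own site.
param(
    [string]$Subject = 'example.app',           # hypothetical host name
    [string]$OutFile = "$PWD\example-app.pfx"   # hypothetical output path
)

$ErrorActionPreference = 'Stop'

# Assumption: the certificate lives in the Local Machine "Personal" (My) store.
# Pick the unexpired certificate for this subject with the latest expiry date,
# so that last year's certificate is not exported by mistake.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate for $Subject found in Cert:\LocalMachine\My"
}

# A PFX bundles the certificate with its private key. If the key is not on
# this machine, there is nothing to export and Azure could not use the file.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this machine."
}

# Prompt for the password so it never appears in the script or shell history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# This call fails if the private key was created as non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password | Out-Null

# Reopen the file with the same password to confirm it is readable and holds
# the expected certificate before uploading it anywhere.
$pfx = Get-PfxData -FilePath $OutFile -Password $password
$pfx.EndEntityCertificates | Select-Object -Property Subject, Thumbprint, NotAfter
```

Delete the .PFX file from your local disk once the upload has succeeded, since anyone who has both the file and its password has your site's private key.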
Upload the Certificate
At this point we have what we need to upload a new certificate to Azure. Once you have a certificate in the right format, installing through the Azure Portal is a relatively straightforward task. I’ll leave those steps for the reader. If you need me to expand on them, please leave me a comment!
And that’s it for now! Please remember to Like and Share these posts on social media. And also remember that if you have feedback, questions or suggestions regarding this or other posts, please leave me a comment!