How to generate .pfx file for new/renewed SSL cert

An SSL cert is required to be in place for any Azure Commerce site as well as for the server hosting Unity in a customer's local environment. Some customers purchase an SSL cert specifically for the front end Commerce site and a separate cert for the Unity server; others purchase a single SSL cert that can be used by both (a ‘wildcard’ cert, which is more expensive). These SSL certs expire, so the customer will need to renew them as needed.

This document outlines what is needed when an SSL cert expires or when one is being obtained for the first time (i.e. for a new customer). The SSL cert itself cannot be uploaded directly into Azure or into IIS on the Unity server: you must first generate a .pfx file (the cert bundled with its private key) from the cert and import that. There are numerous ways to do this; this document outlines one of them, using the DigiCert Certificate Utility for Windows, which is freely available online (https://www.digicert.com/support/tools/certificate-utility-for-windows).

The key to using DigiCert is that all the steps below must be completed on a single computer, because the private key is generated on that computer when the CSR is created and only leaves it inside the exported .pfx file. The computer does not have to be a server: a laptop or desktop can be used to complete these steps, and the .pfx file can then be uploaded to the appropriate places for importing into Azure or IIS. This example also uses GoDaddy to obtain the SSL cert, but other providers are available and should follow a similar process.

Instructions

  1. Purchase the SSL cert. How this is done depends on the type of SSL cert (wildcard or not). Many customers purchase an SSL cert specifically for the front end site (i.e. shop.aspenware.com) and a separate cert for the Unity server (i.e. unity.aspenware.com). Typically the SSL cert is tied to these names (unless it’s a wildcard cert), so an error would occur if you uploaded the cert obtained for shop.aspenware.com to the server hosting Unity (unity.aspenware.com).

  2. In GoDaddy, locate the SSL cert and click ‘Re-Key your certificate’ in the Manage Certificate section.

  3. In DigiCert, click Create CSR, fill out the form and click Generate.

  4. Copy the newly generated CSR (using the ‘Copy CSR’ button) and paste it into GoDaddy. Click Add Change and then ‘Submit all changes’.

  5. This generates a message indicating the process is pending. Once it completes, on the same page in GoDaddy locate the Download Certificate option, select IIS in the Server Type dropdown and download.

  6. This will download a zip file to your local machine. Unzip it.

  7. In DigiCert, select ‘Import’ and locate the unzipped certificate file you downloaded in the steps above.

  8. After importing, the cert should show in the main list of SSL Certificates. Click ‘Export Certificate’; DigiCert will ask you to define a password for the .pfx file, which it then saves to your local machine. This password protects the private key, so share it only with whoever performs the import.

  9. Copy/paste or FTP the .pfx file to the appropriate server.

    1. If SSL Cert is for Azure, AW dev ops needs access to the .pfx file AND password in order to import it into the Azure web app.

    2. If the SSL Cert is for Unity, the .pfx file can be imported using the IIS import tool under Server Certificates.

      Import the .pfx file and enter the password. This adds the cert to the server but does not ‘bind’ it to the site.

    3. Locate the site hosting Unity (it may be the Default Web Site) and select Bindings. Click Edit on ‘https’ (or add it) and select the recently imported certificate in the SSL certificate dropdown.
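The whole procedure above, done from PowerShell instead of the DigiCert utility, as an added example that is not part of this document. It assumes an elevated prompt, the placeholders unity.example.com and C:\certs, that the cert downloaded from GoDaddy was unzipped to C:\certs\unity.example.com.crt, and an IIS site named Default Web Site.

```powershell
# Added example, not from the original document. The host name and paths are
# placeholders; run every step on the same machine so the CSR's key is the one exported.
$hostName = 'unity.example.com'      # placeholder for the customer's Unity host
$workDir  = 'C:\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
# Step 3 equivalent: certreq creates an exportable private key in the local machine
# store and writes a PKCS#10 CSR whose text is pasted into GoDaddy's Re-Key form.
@"
[NewRequest]
Subject = "CN=$hostName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$workDir\request.inf" -Encoding ascii
certreq -new "$workDir\request.inf" "$workDir\$hostName.csr"

# Steps 5-7 equivalent: after downloading the issued cert (Server Type: IIS) and
# unzipping it into $workDir, certreq -accept pairs it with the pending private key.
# It fails if the public key does not match, which is the check that catches a cert
# issued for a CSR that was generated on some other machine.
certreq -accept "$workDir\$hostName.crt"

# Step 8 equivalent: export cert + private key (+ chain) as a password-protected .pfx.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$hostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
Export-PfxCertificate -Cert $cert -FilePath "$workDir\$hostName.pfx" `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Sanity check before handing the file over: the .pfx must actually carry the key.
$pfx = Get-PfxData -FilePath "$workDir\$hostName.pfx" -Password $pfxPassword
if (-not $pfx.EndEntityCertificates[0].HasPrivateKey) { throw 'pfx has no private key' }

# Steps 9.2 and 9.3 equivalent, run on the Unity server: import into the machine
# store, make sure the site has an https binding, and attach the cert to port 443.
$imported = Import-PfxCertificate -FilePath "$workDir\$hostName.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -ErrorAction SilentlyContinue
Remove-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue   # drop the old cert on renewal
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $imported | Out-Null
```

For the Azure path (step 9.1), stop after the sanity check and pass the .pfx and its password to AW dev ops.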