I did look at that guide but was curious because I’m just renewing the certificate, so no new csr. I get the cert from our pki portal in which I can use OpenSSL to convert or decrypt if I have to. Just don’t want to mess things up so looking for suggestions. When you installed the certificate, did you care which one you did first, or just did which ever and rebooted the server.

So I decided to just try a few things and see what works and wanted to share my steps.  I was able to use a certificate that was a renewal of the existing certificate that was currently installed.

 

1. Downloaded the device certificate (Base64 Encoded (.cer))
2. Export Intermediate and Root certificate: Used the cert utility to exported the intermediate certificate(s) and root certificate from the .cer in step 1. 
3. Create certificate chain (Certificate Chain(PEM-encoded)(Optional): Renamed the .cer to .pem and used a text editor to combine the intermediate cert and the root cert.  Intermediate(s) in order on the top and the root on the bottom.
   This is used to upload to StealthWatch under the SSL Certificates | SSL Server Identity | Certificate Chain(PEM-encoded)(Optional): 
4. Convert .cer to .pem (Target Certificate File(PEM-encoded): To generate the device certificate to .pem, I used the following openSSL command:
   openssl x509 -in <path>\<device cert>.cer -outform PEM -out <path>\<device cert>.pem
5. Extract the private key and then decrypt the private key (Private Key(Not Encrypted)(PEM-encoded): 
   1. openssl pkcs12 -in <path>\<device certificate>.pfx -nocerts -out <path>\<device certificate>-Key.key
   2. openssl pkcs12 -in <path>\<device certificate>.pfx -clcerts -nokeys -out <path>\<device certificate>.crt
   3. openssl rsa -in <path>\<device certificate>-Key.key -out .<path>\<device certificate>-decryptedKey.key
6. Upload certificate and the service will restart.