I have a GoDaddy-issued SSL certificate in the .crt format. Also I have the previous expired certificate in the .pfx format which includes a private key.

Now I'm facing the problem of joining the original private key with the issued certificate to form a .pfx file suitable for installation into the Windows certificate store.

I followed steps that I used successfuly in a similar situation for producing a code signing certificate (documented in this Q/A pair on SO). The resulting certificate works for HTTPS, but not for WCF's Net.Tcp endpoints. When such endpoint is used, it fails to initialize due to the following error:

ArgumentException: It is likely that certificate 'CN=domain.com, O="Company", L=Abc, S=Abc, C=XY' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.

Some sources claim that it's necessary to use www.domain.com instead of domain.com. While this can be the issue in some cases, it proved not to be the root cause in my case.

What can be the root cause of this problem and how to get it fixed?

The problem is the certificate created from a .spc as an intermediary format, as resulting from following the steps in this answer, leads to loss of the KeyExchange flag.

The correct way to join the .crt with a private key is to use a private key in the .pem format, like this:

1. Obtain your new Ssl.crt certificate from GoDaddy.

2. Export a PEM-formatted private key from the expired PFX:

   openssl.exe pkcs12 -in ExpiredSslCert.pfx -nocerts -out SslPrivateKey.pem
   

3. Combine the CRT and PEM into PFX:

   openssl.exe pkcs12 -export -in SslCert.crt -inkey SslPrivateKey.pem -out FullCert.pfx
   

The resulting .pfx now has the KeyExchange flag and works for WCF Net.Tcp bindings.