davebo4503

asked on

WS2016 essentials - renewing SSL wants a pfx file. Godaddy cert only has CRT PEM and P7B

Server 2016 essentials - cert expired - have new cert from GoDaddy - windows server wants pfx file and GoDaddy's files are crt, pem, and p7b.  Can I somehow use this or do I need to get pfx cert from another provider, and which is recommended?
Sam Jacobs

You need to take the certificate from GoDaddy and run the certificate wizard on the same PC you used to generate the CSR to complete the process. You can then export the combined private and public keys into a .pfx file. If that server is the only one that needs the certificate, you don't even need to do that (though it's a good idea in case something happens to the server and you need to rebuild it).

Follow the instructions below to create the .pfx file.


Install your certificate in MMC

  1. In your Windows search feature, enter mmc, and then select it to launch the Microsoft Management Console application.
  2. Expand Certificates (Local Computer) > Personal.
  3. Right-click Certificates, and then go to the following menus: All Tasks > Import.
  4. Select Next.
  5. Browse for the SPC file — to find it, you'll need to change the file type to PKCS #7 Certificates (*.spc, *.p7b).
  6. Select Next.
  7. Select Place all certificates in the following store and ensure the value is Personal.
  8. Select Finish.
  9. Create the PFX file

    To create a PFX file (which you'll use with SignTool or Visual Studio), you need to combine your certificate file and your private key in MMC.
    1. In MMC, right-click your certificate (it will have your Common Name value displayed in the Issued To column), and then select Export.
    2. Select Next.
    3. Select Yes, export the private key.
    4. Under Personal Information Exchange..., select Include all certificates in the certification path if possible.
    5. Enter and confirm a strong password to secure the certificate, and then select Next.
    6. Browse to a location to store the combined file, and then select Next.
    7. Select Finish.
  10. The PFX file is now stored locally on your computer.

    https://hk.godaddy.com/en/help/windows-install-codedriver-signing-certificate-and-create-pfx-file-2698
davebo4503

ASKER

clarification: I did not do a CSR as this is a renewal and GoDaddy said I did not need to do CSR again even though it's expired as it's the same server and nothing has changed, Truth or lies?
I do not have an SPC file, only crt, pem, and p7b.  Will the p7b work?

By GoDaddy's own admission, they are not compatible with Window servers as is.  They are now telling me to rekey and use google to convert their cert, after previously saying a new CSR was not necessary.  Is there another recommended provider who is Windows compatible with pfx?
Yes, the .p7b will work, but I don't know how you will import the file if there is no outstanding CSR.
I don't know who you talked to at GoDaddy, but their certs certainly *are* Windows compatible.
They should allow you to "rekey" for free. That simply means that you generate a new CSR (for the same common name) and submit. Then, once you get the .p7b back, you can Complete the Certificate request.
Here are their instructions for Windows 10:
https://ca.godaddy.com/help/manually-install-an-ssl-certificate-on-my-iis-10-server-27349
I talked to an SSL representative at GoDaddy.  From my perspective it is incumbent on an SSL provider to consider the processes used in popular formats to import their certs.  Windows must certainly be considered a popular format.  It seems ridiculous to me that this is not more straightforward.  Windows 10 will not be the same because these essential servers use wizards to configure things like remote access and VPN, and their process wants a PFX file.  It's partly a Microsoft miss as well, but is there an SSL provider that provides these PFX files that Windows wants? 
The provider cannot give you a .pfx because the .pfx contains the private key of the certificate.
The private key is created when you generate the CSR and is stored only on the server that you generate it on (unless you export it). What the provider sends back to you is the public key, which then needs to be merged with the private key (that's why you need to complete the request on the same server that you generated the CSR).
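The "rekey" round trip described above, as an added PowerShell example that is not part of this thread or of GoDaddy's instructions: a new key pair and CSR are generated on the server with certreq, the CSR is submitted to the CA out of band, and the returned public certificate is joined to the pending private key on that same server before a .pfx can be exported. The common name remote.example.com and the C:\certs paths are assumptions.

```powershell
# Added example (not from the thread): the "rekey" round trip on the server itself.
# Assumed values: the common name remote.example.com and the paths under C:\certs.

$cn      = 'remote.example.com'          # assumed: the name on the certificate
$workDir = 'C:\certs'                    # assumed working folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Request definition for certreq. The key is generated in the Local Computer
#    store and marked exportable so the finished certificate can later go into a .pfx.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$cn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$cn&"
"@
Set-Content -Path "$workDir\request.inf" -Value $inf

# 2. Generate the private key (it stays on this machine as a pending request)
#    and the CSR text to paste into the CA's rekey form.
certreq -new "$workDir\request.inf" "$workDir\request.csr"

# ... submit request.csr to the CA and download the issued certificate ...

# 3. Complete the request on the SAME machine: certreq -accept pairs the
#    returned public certificate with the pending private key.
certreq -accept "$workDir\$cn.crt"

# 4. Confirm the pairing worked: HasPrivateKey must be True.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$cn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert.HasPrivateKey) { throw "No private key joined to $($cert.Thumbprint)" }

# 5. Only now is a .pfx possible: it is the private key plus the certificate chain.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$workDir\$cn.pfx" `
    -Password $pfxPassword -ChainOption BuildChain
```

Running step 3 on any machine other than the one that ran step 2 fails for exactly the reason given above: the private key never leaves the server that generated the CSR, so there is nothing there for the returned certificate to pair with.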
So, the person at GoDaddy that said a new CSR was not necessary because it was a renewal on the same server is wrong?  Or is there a way to get an existing private key from the same server and somehow combine it with the renewed cert they sent me to create the pfx needed?
On your server, double click the .p7b file and install the cert. Then, you can export the cert in Windows Cert Manager to a .pfx file.

https://readyxrm.blog/2020/04/25/convert-a-cer-or-p7b-ssl-certificate-to-a-pfx-for-power-apps-portals-or-other-projects/
@davebo4503 ... I believe he is incorrect. Installing the .p7b file will probably fail without a matching CSR.
When the first certificate was installed on the server, the original CSR was removed.

When I double click the p7b file on my server, in certmgr under certificates I see 2 items:
One says GoDaddy Root Certificate Authority - G2 -expiration date is 5/30/31
the other says GoDaddy Secure Certificate Authority - G2 - expiration date 5/3/31

Not sure which I would install?  I can just rekey the new cert and try it that way.  To my point though, this should be MUCH easier and further appears to be open to interpretation, of which I am getting different perspectives from different sides.
GoDaddy Secure Certificate Authority should be the correct one as you will not expose your root cert to the Internet.
Those are not web server certificates - one is a root CA certificate, and the other sounds like it's an intermediate certificate. Those should already exist on your server - one in the Root Certificate Store, and the other in the Intermediate Certificate Store.
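A way to check which kind of certificate each entry in a .p7b bundle is, as an added PowerShell example (not from the thread): a self-signed entry is a root CA, an entry with the CA basic constraint is an intermediate, and only an entry with neither is the server certificate itself. The path C:\certs\bundle.p7b is an assumption.

```powershell
# Added example (not from the thread): list what a .p7b bundle actually contains
# and classify each entry as root CA, intermediate CA or end-entity certificate.
# Assumed path: C:\certs\bundle.p7b

$p7bPath = 'C:\certs\bundle.p7b'   # assumed

$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($p7bPath)           # a PKCS#7 file imports straight into a collection

foreach ($c in $bundle) {
    # The CA flag lives in the Basic Constraints extension, if present.
    $isCa = $false
    foreach ($ext in $c.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
    }
    # Issuer equal to subject means self-signed, i.e. a root.
    $role = if ($c.Subject -eq $c.Issuer) { 'root CA' }
            elseif ($isCa)              { 'intermediate CA' }
            else                        { 'end-entity (server) certificate' }

    [pscustomobject]@{
        Role       = $role
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
    }
}
```

Root entries belong in Cert:\LocalMachine\Root and intermediates in Cert:\LocalMachine\CA; only the end-entity entry goes into Personal (Cert:\LocalMachine\My), and it is only usable there when the matching private key already sits on that machine. If the listing shows nothing but CA entries, the server certificate is not in that bundle.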

I rekeyed the cert and now server wants a .cer file, which GoDaddy also doesn't provide.
So I did this, and it seems to have completed.  Crossing fingers - thanks.

Convert your .crt file to a .cer file

  1. Locate your downloaded .crt file, and double-click to open it.
  2. Select the Details tab, and then the Copy to File button.
  3. Select Next in the Certificate Wizard.
  4. Select Base-64 encoded X.509(.CER) and then select Next.
  5. Select Browse, locate where you want to save your .CER file, and type in a name for your certificate.
  6. Select Next and then Finished.

Open up the certificate in the MMC console.
Make sure that at the bottom it says "You have a private key for this certificate".
Don't forget to update your IIS site bindings to point to the new certificate.

Yes it says you have a private key.  How to update site bindings?  I'm guessing the setup wizard will have done this - is there a way to confirm?
Open up Inetmgr and expand to the default web site.
Right-click and select edit bindings.
Update the HTTPS binding.
Select the new certificate.
Click View... to make sure you are selecting the correct one.
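The two checks from the last replies (private key present, binding pointing at the new certificate) done in PowerShell, as an added example that is not part of this thread; it also builds the chain so a missing intermediate shows up before a browser reports it. The common name remote.example.com and the site name 'Default Web Site' are assumptions.

```powershell
# Added example (not from the thread): confirm the renewed certificate is usable
# and move the site's HTTPS binding to it.
# Assumed values: common name remote.example.com, IIS site 'Default Web Site'.

Import-Module WebAdministration

$cn   = 'remote.example.com'     # assumed
$site = 'Default Web Site'       # assumed

# Newest unexpired certificate for the name that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$cn" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $cn in Cert:\LocalMachine\My" }

# Does the chain build from the local stores? A failure here (typically a missing
# intermediate in Cert:\LocalMachine\CA) is what clients would see as an untrusted cert.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# Make sure an HTTPS binding exists, then point every HTTPS binding of the site
# at the new certificate by thumbprint (store name 'My' = Personal).
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
foreach ($binding in (Get-WebBinding -Name $site -Protocol https)) {
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Read back: the thumbprint IIS holds for port 443 must now be the new one.
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Thumbprint
Write-Host "Expected thumbprint: $($cert.Thumbprint) (expires $($cert.NotAfter))"
```

If the readback still shows the old thumbprint, the binding was not updated; if the new thumbprint shows but the chain build warned, the site serves the new certificate without its intermediate and clients that do not fetch intermediates themselves will reject it.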
ASKER CERTIFIED SOLUTION
davebo4503
