The key is needed to upload the new certificate bundle. They (GoDaddy, etc) does not give the key. This should already be available on the server.
In the event, the key is not available, you can get the key from the existing PFX:
openssl pkcs12 -in domain.tld-2024.pfx -nocerts -out domain.tld-2025.key
Or if you want to see the cert without the key:
openssl pkcs12 -in domain.tld-2024.pfx -nokeys -out domain.tld-2025.crt
Now that you have the key, you can use it to create a new bundle (PFX):
openssl pkcs12 -inkey domain.tld-2025.key -in 83e439847333e341.crt -export -out domain.tld-2025.pfx
Now with the PFX, this can be uploaded and binded to the services. Following the KB here:
Expired Certificate on Exchange 2013
You can use the DigiCertUtil.exe to do some help with:
-export certificate.
-test key.
-view certificate.
-repair certificate.
-create csr.
-import certificate.
-check signature.
-check the chain.
-check the install.
Notes:
If using pem format and want to keep the bundle (crt & key):
openssl pkcs12 -in file.pfx -out file.withkey.pem
openssl rsa -in file.withkey.pem -out file.key
cat file.nokey.pem file.key > file.combo.pem
https://www.digicert.com/support/tools/certificate-utility-for-windows