ERR_SSL_PROTOCOL_ERROR - Renewed Let's Encrypt certificate in IIS

OH MY FREAKING GOODNESS!!! THAT WAS IT!!! I cleared the custom CSR, re-requested the certificate with the “new” settings, imported the new PFX into the store and everything is working beautifully now. I don’t even remember why I put the custom CSR in there in the first place, but I sure as heck know better now!

I’m now going to go hang my head in the corner wearing the cone of shame!

stupid IIS

Ah yes, I was just reading through your replies and saw the Custom CSR. A CSR says “I have a private key, here is the public key derived from it, and these are the required subject names, etc.”, and normally the PFX we build uses the private key we generate instead. The Custom CSR option is really just there for appliances and things that don’t let you use your own private key (like SAP application servers, etc.).

There may be a way to export the private key used in the original CSR (depending on what generated the CSR) and then use that to reconstitute a working portable PFX, but it won’t work like that without a custom PFX build (and a copy of the private key).

Glad you got it working!

Regarding your deployment steps, I would encourage you to try scripting a deployment task to export (and possibly remotely import and bind) the PFX. That way the renewal is all neatly bundled into one managed certificate (even though the deployment spans multiple machines), and individual deployment task failures can be logged as part of the renewal status log. But whatever deployment process you’re comfortable with is fine. As mentioned, CCS is quite good for distributing a cert to multiple IIS installs because they all just pick up the latest cert when they see it, and the only thing that has to work is the file copy.
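Added example (Go, standard library only; not code from this thread or from Certify The Web) of the check behind the explanation above: whether the private key you actually hold is the one behind the public key in a CSR, which is the condition a PFX built from that key has to satisfy before IIS can serve with it. The host name and both keys are constructed sample data; a real key file would be loaded with x509.ParsePKCS8PrivateKey and the CSR read from disk.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// keyMatchesCSR reports whether key is the private key behind the public key in a
// PEM-encoded CSR (a key file is loaded with x509.ParsePKCS8PrivateKey first).
func keyMatchesCSR(key crypto.Signer, csrPEM []byte) (bool, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || (block.Type != "CERTIFICATE REQUEST" && block.Type != "NEW CERTIFICATE REQUEST") {
		return false, errors.New("input is not a PEM-encoded CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return false, err
	}
	// RSA, ECDSA and Ed25519 public keys in the standard library all implement Equal.
	pub, ok := csr.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, errors.New("unsupported public key type in CSR")
	}
	return pub.Equal(key.Public()), nil
}

// newKeyAndCSR generates a throwaway P-256 key and a CSR for host (constructed sample data).
func newKeyAndCSR(host string) (crypto.Signer, []byte) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{host}}, k)
	if err != nil {
		panic(err)
	}
	return k, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	keyA, csrA := newKeyAndCSR("www.example.com") // the key that produced the CSR
	keyB, _ := newKeyAndCSR("www.example.com")    // a different key, as a tool generates on its own
	fmt.Println(keyMatchesCSR(keyA, csrA)) // true <nil>
	fmt.Println(keyMatchesCSR(keyB, csrA)) // false <nil>
}
```

The same comparison works against an issued certificate by using x509.ParseCertificate(...).PublicKey in place of the CSR's public key.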

Thanks. I could’ve sworn that was exactly the same configuration I had the last time I got my certs, but apparently I must’ve added the CSR after the first success. I should know better than to mess with something that works.

As for my deployment, I’m bundling all four of my endpoints’ deployment steps in a single console application that uses a web API method for the SonicWALL, the Web.Management library for IIS, and then scraping a web site’s HTML for WS_FTP (I’ve not been able to find any sort of tools to make that easier). I’m trying to make it “generic” enough that anyone else could use it, but I’m just building this so I have a centralized place to get all of the certs deployed at once.

What I’ll probably end up doing is pass command-line parameters into my console app directly from a Certify post-request deployment task to have it push the certificate out to the endpoints immediately. For now, though, I’m running the application manually to finalize everything and make sure it all works. I already got the SonicWALL deployment working and, now that this issue is resolved, the IIS deployment seems to be working. All I have left to finalize is the WS_FTP deployment, which is all but done already. Now comes the hard part… DOCUMENTATION!!! :stuck_out_tongue_closed_eyes: :scream: