
I have an ASP.NET application that uses the AspNetSqlMembership provider to encrypt/decrypt user profile data. Now we have decided to move our application to a new server, but I am getting this error on the new server when I try to create a new user (encrypting):

Key not valid for use in specified state

What I already tried:

1. I imported the certificate from the old server and it seems to be good.
2. I checked the security permissions of the certificate, and they are the same as those on the old server.
3. Also, the machine key definitions in IIS seem to be the same.
4. Tried to change the sqlmembership format from encrypted to hashed, but the exception was still thrown.

I spent a lot of time trying to solve this problem. I will be happy if anybody here can help me. Thanks, Hana.

Hena

1 Answer


The encryption of the passwords for the SqlMembershipProvider has nothing to do with a certificate.

Encrypted and Hashed passwords are encrypted or hashed by default based on information supplied in the machineKey element in your configuration. Note that if you specify a value of 3DES for the validation attribute, or if no value is specified, hashed passwords will be hashed using the SHA1 algorithm.

A custom hash algorithm can be defined using the hashAlgorithmType attribute of the membership Element (ASP.NET Settings Schema) configuration element. If you choose encryption, default password encryption uses AES. You can change the encryption algorithm by setting the decryption attribute of the machineKey configuration element. If you are encrypting passwords, you must provide an explicit value for the decryptionKey attribute in the machineKey element. The default value of AutoGenerate for the decryptionKey attribute is not supported when using encrypted passwords with ASP.NET Membership.

Microsoft Docs: SqlMembershipProvider.PasswordFormat Property

Have a look at your web.config file. Is there a <machineKey> section? Are there any values in there?

Make sure the new server has exactly the same values!

If there is no <machineKey> section or no values...

You must have access to the old server once again!

After a bit of digging in the current 4.5 framework, turns out that the auto generated keys are stored in HttpApplication.s_autogenKeys byte array. The validation key is the first 64 bytes, followed by 24 bytes of the decryption key.

@Mr-Curious has written a nice answer on how to resolve the values (keys) for the machineKey section if they are not existent (AutoGenerated).

Daniel Fisher lennybacon
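A check for the situation this answer describes, as an added example that is not part of the original answer: it compares the machineKey attributes of two web.config files and flags an auto-generated decryptionKey when passwordFormat is Encrypted. The sample configs and key values are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; the key values are placeholders, not real keys.
OLD_SERVER = """<configuration><system.web>
  <machineKey validation="SHA1" decryption="AES"
              validationKey="AAAA1111" decryptionKey="BBBB2222" />
  <membership><providers>
    <add name="AspNetSqlMembershipProvider" passwordFormat="Encrypted" />
  </providers></membership>
</system.web></configuration>"""

# Constructed: the new server's web.config has no machineKey element at all.
NEW_SERVER = """<configuration><system.web>
  <membership><providers>
    <add name="AspNetSqlMembershipProvider" passwordFormat="Encrypted" />
  </providers></membership>
</system.web></configuration>"""

ATTRS = ("validation", "decryption", "validationKey", "decryptionKey")

def machine_key(config_xml):
    """Return the machineKey attributes, or {} when the element is absent."""
    node = ET.fromstring(config_xml).find("system.web/machineKey")
    return {} if node is None else {a: node.get(a) for a in ATTRS}

def fingerprint(value):
    """Short SHA-256 digest so values can be compared without printing keys."""
    if not value:
        return "absent"
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def check(old_xml, new_xml):
    """List reasons the new server cannot read data protected on the old one."""
    old, new = machine_key(old_xml), machine_key(new_xml)
    encrypted = any(p.get("passwordFormat") == "Encrypted"
                    for p in ET.fromstring(new_xml).iter("add"))
    problems = []
    if encrypted and (new.get("decryptionKey") or "AutoGenerate").startswith("AutoGenerate"):
        problems.append("decryptionKey: AutoGenerate is not supported with Encrypted passwords")
    for attr in ATTRS:
        if old.get(attr) != new.get(attr):
            problems.append(
                f"{attr}: old={fingerprint(old.get(attr))} new={fingerprint(new.get(attr))}")
    return problems

if __name__ == "__main__":
    for line in check(OLD_SERVER, NEW_SERVER):
        print(line)
```

The report shows only truncated digests, so it can be pasted into a ticket without exposing the key material.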