bg-tutorials

How to Install an SSL Certificate on IIS 10 & other versions

This guide shows you how to install an SSL certificate on Microsoft IIS (Internet Information Services) on Windows Server. It covers both ways a certificate reaches IIS: completing a pending request from a .cer or .p7b file, and importing a .pfx file that already contains the private key. It also includes a PowerShell method and the binding step that actually serves the certificate.

Generate a CSR code

Before you can install a certificate, you need a CSR (Certificate Signing Request) and its matching private key. You have two options:

  • Generate the CSR automatically with our CSR Generator. If you create the CSR outside IIS this way, the private key is generated outside IIS too, so you will later combine the issued certificate and key into a .pfx file. See how to import and export a PFX file in IIS.
  • Generate the CSR on the server itself by following our tutorial on how to generate a CSR on IIS. The private key stays on the server, and the CA returns a .cer or .p7b file you complete in IIS.

Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues the certificate, continue with the installation below.

Pre-installation: which file do you have?

The installation path depends on how the CSR was generated. Identify your situation first, then use the matching method:

  • You generated the CSR in IIS and the CA sent back a .cer or .p7b file. The private key already exists on this server as a pending request, so you use Complete Certificate Request (Option 1 below).
  • You generated the CSR elsewhere (OpenSSL, cPanel, the CSR Generator, or a different server) and you have a .pfx file that bundles the certificate and its private key. You use Import (Option 2 below).

This distinction matters because a certificate without its private key will install into Server Certificates but will not appear in the binding dropdown, so it cannot serve HTTPS.

Install an SSL certificate on IIS 10 / IIS 8 / IIS 8.5 (Windows Server 2012-2025)

IIS 8 and later share the same Manager interface and the same process. If you run Windows Server 2012, 2012 R2, 2016, 2019, 2022, or 2025, this is your section.

Option 1: you created the CSR in IIS (.cer or .p7b file)

Step 1: Save the certificate file

Download the certificate file the CA issued (usually .cer or .p7b) and save it to the server, for example to the desktop or any folder you can browse to.

Step 2: Open IIS Manager

Open IIS Manager using either method:

  • Press Win + R, type inetmgr, and press Enter, or
  • Go to Start > Windows Administrative Tools > Internet Information Services (IIS) Manager.

Step 3: Complete the certificate request

  • In the Connections panel on the left, select your server name.
  • In the center panel, double-click Server Certificates.
  • In the Actions panel on the right, click Complete Certificate Request.

In the dialog that opens:

  • File name: browse to and select your .cer or .p7b file.
  • Friendly name: enter a label that identifies the certificate later, for example yourdomain.com 2026. The friendly name is just a label; it does not have to match the domain.
  • Certificate store: choose Personal. If you manage many certificates across many sites, you can choose Web Hosting instead.
  • Click OK.

If you see the error Cannot find the certificate request that is associated with this certificate file, the certificate does not match any pending CSR on this server. That usually means the CSR was generated somewhere else. Skip this option and use the .pfx import in Option 2.

Step 4: Bind the certificate to your site

Completing the request stores the certificate, but IIS only serves it once you attach it to a site through a binding:

  • In the Connections panel, expand Sites.
  • Select your website (for example Default Web Site).
  • In the Actions panel, click Bindings.
  • In the Site Bindings window, click Add.

Configure the binding:

  • Type: https
  • IP address: All Unassigned, or a specific IP
  • Port: 443
  • Host name: your domain (for example www.example.com)
  • Tick Require Server Name Indication if you host more than one HTTPS site on the same IP and port. SNI lets each host name present its own certificate.
  • SSL certificate: select the friendly name you just added.

Click OK, then close the bindings window. IIS starts serving HTTPS immediately; you do not need to restart the server.

Option 2: you have a .pfx file (CSR created outside IIS)

If the certificate came from another tool or server, import the .pfx file, which contains both the certificate and its private key.

Step 1: Import the certificate

  • Open IIS Manager, select your server name, and double-click Server Certificates.
  • In the Actions panel, click Import.
  • Browse to your .pfx file and enter the password set when the file was exported.
  • Choose the Personal certificate store (or Web Hosting) and click OK.

Step 2: Bind the certificate to your site

This is the same binding step as Option 1:

  • In Connections, expand Sites and select your website.
  • In the Actions panel, click Bindings, then Add.
  • Set Type to https, Port to 443, the IP address and Host name as needed, and tick Require Server Name Indication if you run several HTTPS sites on one IP.
  • Under SSL certificate, choose the certificate you just imported, then click OK and close.

Your site is now live on HTTPS. No restart is required.

Intermediate certificates (optional but recommended)

Windows usually builds the certificate chain automatically from its system store. If a client reports an incomplete chain (for example, the certificate works in a desktop browser but fails on mobile or in API calls), install the intermediate certificates manually:

  • Press Win + R, type mmc, and press Enter.
  • Go to File > Add/Remove Snap-in > Certificates > Add.
  • Choose Computer account > Next > Finish > OK.
  • Expand Intermediate Certification Authorities > Certificates.
  • Right-click Certificates, choose All Tasks > Import, and import the intermediate .crt or .p7b file from the CA.

Install with PowerShell (any modern IIS)

If you automate deployments or prefer the command line, you can import a .pfx and create the binding from an elevated PowerShell session. Run PowerShell as Administrator on the server.

First, import the .pfx into the Local Machine personal store and capture its thumbprint:

$pfxPath = "C:\certs\yourdomain.pfx"
$pfxPass = Read-Host "PFX password" -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
$cert.Thumbprint

Next, load the IIS module, add an https binding on port 443, and attach the certificate by its thumbprint:

Import-Module WebAdministration

New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -HostHeader "www.example.com" -SslFlags 1

$binding = Get-WebBinding -Name "Default Web Site" -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, "My")

Replace Default Web Site with your site name and www.example.com with your host name. The -SslFlags 1 value enables SNI; omit it (and the -HostHeader) for a single-certificate, IP-based binding. The store name My is the Personal store you imported into above. To verify the result, list the bindings with Get-WebBinding, or check the HTTP.sys layer with netsh http show sslcert.

Install an SSL certificate on IIS 7 (Windows Server 2008 / 2008 R2)

The core steps match IIS 8 and 10, but the interface is older. Windows Server 2008 and 2008 R2 are past end of support, so move these workloads to a supported Windows Server release when you can. To install on IIS 7:

  • Open IIS Manager, select the server name, double-click Server Certificates, and click Complete Certificate Request (or Import for a .pfx).
  • If completing the request appears to fail, press F5 on the Server Certificates screen to refresh; the certificate often installed despite the message.
  • If it still fails, import a .pfx instead, as in Option 2 above.
  • Bind the certificate the same way: Sites > your site > Bindings > Add, type https on port 443, then select the certificate.

Install an SSL certificate on IIS 5 & 6 (deprecated)

IIS 5 and 6 are long past end of support and should not run public sites. Use this section only if you are maintaining legacy infrastructure you cannot yet replace:

  • Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
  • Right-click your site, choose Properties, and open the Directory Security tab.
  • Click Server Certificate to start the Web Server Certificate Wizard.
  • Choose Process the pending request and install the certificate.
  • Locate your .cer file and finish the wizard.
  • Restart the site so it serves HTTPS.

If intermediates are not trusted, import them manually through MMC, as described above.

Test the SSL installation

After installing, scan the certificate to confirm it is served correctly and the chain is complete. Open your site over https:// and check the padlock, then run a deeper check with our SSL Checker for an instant report on the certificate, chain, and protocol support.

Frequently Asked Questions

Where is the SSL certificate on IIS?

Open IIS Manager from Start > Windows Administrative Tools > Internet Information Services (IIS) Manager. Select the server name in the Connections panel, then double-click Server Certificates to list every certificate installed on the server.

How do I update or renew an SSL certificate on IIS?

Renewing a certificate means issuing and installing a new one. Generate a fresh CSR, order the renewal, then complete the request or import the new .pfx in Server Certificates. In your site’s Bindings, edit the https binding and select the new certificate. Public SSL/TLS certificates are currently capped at about one year (398 days), so plan to repeat this each year, or automate renewals with ACME.

Why is my certificate not showing in the IIS binding dropdown?

The most common cause is a missing private key. If you complete a certificate request with a file that does not match a pending CSR on this server, IIS imports the certificate without a private key, so it appears in Server Certificates but not in the binding dropdown. Import the .pfx that contains the private key instead, then bind it.

What is the difference between Complete Certificate Request and Import in IIS?

Complete Certificate Request finishes a CSR that was generated on this server: it pairs the issued .cer or .p7b file with the private key already waiting as a pending request. Import brings in a .pfx file that already bundles the certificate and its private key, which is what you use when the CSR was generated elsewhere.

Do I need to restart IIS after installing a certificate?

No. Once you add the https binding and select the certificate, IIS serves HTTPS immediately. A restart is only needed in the deprecated IIS 5 and 6 workflow.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.