Contact us at |support@ssldragon.com
  • export a PFX file in IIS

How to import and export a PFX file in IIS?

Friday, March 12th, 2021

Windows servers store the SSL certificate file (public key) and the associated private key file in PFX format. For an SSL certificate to function, you need both public and private keys. If you need to transfer SSL server security certificates from one server to another, you need to create a .pfx backup. This guide explains how to import and export a PFX file in IIS. Please note, before adding the PFX file into IIS, you must install the SSL certificate. But first, let’s see what a PFX file is and why do you need it?

What is a PFX file?

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are typically found with the extensions .pfx and .p12. PFX files are generally used on Windows and macOS machines to import and export certificates and private keys.

Now that you know what’s the deal with PFX files, it’s time to export them to IIS.

Step 1: Prepare your PFX file

After the CA delivers all the necessary files to you via email, you need to download the ZIP archive and extract its contents on your machine. Depending on your CA and vendor, you may have the option to download the files in the desired format. If the files provided by the CA are not in PFX format you can use an online tool to convert them.

Step 2: Export the PFX file to IIS

  1. From the Start menu, type MMC, and click OK
  2. In the User Account Control window, click Yes
  3. In the Console window, in the menu at the top, click File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, under Available snap-ins click Certificates and then, click Add.
  5. In the Certificates snap-in window, choose Computer account and then, click Next.
  6. In the Select Computer window, select Local computer: (computer this console is running on), and then, click Finish.
  7. In the Add or Remove Snap-ins window, click OK.
  8. From the Console window, from the Console Root folder, expand Certificates (Local Computer) (the certificate file will be in Personal or Web Hosting folder).
  9. Right-click on the certificate file which you want to export and then click All Tasks > Exports
  10. On the Welcome to the Certificate Export Wizard page, click Next.
  11. From the Export Private Key page, select Yes, export the private key, and then, click Next.
  12. On the Export File Format page, select Personal Information Exchange, choose Include all certificates in the certification path if possible, and then, click Next.
  13. In the security window, enter a password and click Next
  14. Browse the location of the file where you want to export the certificate and press Next.
  15. In the Completing the Certificate Export Wizard page, double-check that the settings are correct and then, click Finish.
  16. You should see “The export was successful” message.

Step 3: Import the PFX file

  1. From the Start menu, type MMC, and click OK
  2. In the User Account Control window, click Yes
  3. In the Console window, in the menu at the top, click File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, under Available snap-ins click Certificates and then, click Add.
  5. In the Certificates snap-in window, choose Computer account and then, click Next.
  6. In the Select Computer window, select Local computer: (computer this console is running on), and then, click Finish.
  7. In the Add or Remove Snap-ins window, click OK.
  8. From the Console window, from the Console Root folder, expand Certificates (Local Computer) (the certificate file will be in Personal or Web Hosting folder).
  9. Right-click on the certificate file which you want to import and then click All Tasks > Import
  10. On the Welcome to the Certificate Import Wizard page, click Next.
  11. Follow the instructions to import the primary SSL certificate from the PFX file
  12. On the Certificate Store page, select Automatically select the certificate store based on the type of certificate.
  13. Double-check your settings and then click Finish
  14. You should see “The import was successful” message.

Enable the SSL Certificate (no binding for HTTPS)

  1. From the start menu, search for Administrative Tools, open it, and double-click on Internet Information Services (IIS) Manager.
  2. Under Connections, expand your server’s name, expand Sites, and then, click the site that you want to encrypt.
  3. In the Actions menu, under Edit Site, click Bindings.
  4. In the Site Bindings window, click Add.
  5. In the Add Site Binding window, from the drop-down lists select: HTTPS, All Unassigned, and enter port 443.
  6. From the SSL certificate drop-down list, select the certificate you want to import
  7. Click OK and restart your IIS server

Enable the SSL certificate (has binding HTTPS)

  1. From the start menu, search for Administrative Tools, open it, and double-click on Internet Information Services (IIS) Manager.
  2. Under Connections, expand your server’s name, expand Sites, and then, click the site that you want to encrypt.
  3. In the Actions menu, under Edit Site, click Bindings.
  4. In the Site Bindings window, select binding for https, and then click Edit.
  5. From the IP address drop-down list select ALL Unassigned. For the port, enter 443. If you’re using SNI (Server Name Indication) enter the hostname you’re securing. From the SSL Certificate, drop-down list select the cert that you’ve imported.
  6. Click OK and restart your IIS server.