Updated on 2023-07-26 GMT+08:00

Installing a Private Certificate on an IIS Server

This topic describes how to install a private certificate on an IIS server.

The installation procedure in this topic is for reference only, because the commands executed and the configuration files modified during installation may vary depending on the OS type and server configuration.

Prerequisites

  • The certificate has been issued.
  • You have downloaded the private certificate in the format that is supported by IIS. For details, see Downloading a Certificate.
  • You have used a system-generated CSR to apply for the certificate.

Constraints

  • Before installing the certificate, enable port 443 on the server where the private certificate is installed and add port 443 to the security group. Otherwise, HTTPS cannot be enabled after the installation.
  • A root CA must be added to the trusted client CA list so that all server certificates issued by the root CA can be trusted by the client. For details, see Trusting a Private Root CA.
  • If a domain name maps to multiple servers, deploy the certificate on each server.
  • A private certificate can only be installed on the server that maps to the domain name associated with the certificate. Otherwise, the web browser will display a message indicating that the domain name is insecure.

Procedure

To install a private certificate on an IIS server, perform the following steps:

  • Step 1: Obtaining Files
  • Step 2: Configuring IIS
  • Step 3: Verifying the Result

Step 1: Obtaining Files

Decompress the downloaded certificate file on your local PC.

You will obtain certificate file server.pfx and password file keystorePass.txt.

Step 2: Configuring IIS

  1. Install IIS as instructed by IIS guides.
  2. Open the IIS management console and double-click Server Certificates.
    Figure 1 Double-clicking Server Certificates
  3. In the displayed dialog box, click Import.
    Figure 2 Import
  4. Import the server.pfx certificate file. Then click OK.

    In the Password box, enter the password provided in the keystorePass.txt file.

    Figure 3 Importing a PFX certificate file
  5. Right-click the target site (the default site is used as an example). Choose Edit Bindings from the shortcut menu.
    Figure 4 Choosing Edit Bindings
  6. In the dialog box that is displayed, click Add. Then enter the following information.
    Figure 5 Binding a website
    • Type: Select https.
    • Port: Retain the default port 443.
    • SSL certificate: Select the certificate imported in step 4.
  7. Click OK.

Step 3: Verifying the Result

After the deployment succeeds, in the address bar of the browser, enter https://Domain name and press Enter.

If a security padlock is displayed in the address bar of the browser, the certificate has been installed successfully.
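When the certificate has to be deployed on several servers, the import and binding in Step 2 can be scripted. The following PowerShell is an added example, not part of the original procedure. The file paths and the site name are assumptions; it is meant to be run in an elevated session on the IIS server.

```powershell
# Added example: scripted equivalent of Step 2 (import server.pfx, bind it to HTTPS on port 443).
# Assumed values: adjust the paths and site name to your environment.
Import-Module WebAdministration

$pfxPath  = 'C:\certs\server.pfx'         # assumed location of the decompressed certificate file
$passPath = 'C:\certs\keystorePass.txt'   # assumed location of the password file
$siteName = 'Default Web Site'            # the default site, as in the procedure above

# Read the password from keystorePass.txt and hold it as a SecureString.
$plain    = (Get-Content -Path $passPath -Raw).Trim()
$password = ConvertTo-SecureString -String $plain -AsPlainText -Force
Remove-Variable plain

# Import into the local machine's Personal store. Without -Exportable,
# the private key is marked non-exportable on this server.
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $password

# Refuse to bind a certificate that cannot serve TLS.
if (-not $cert.HasPrivateKey)      { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Create the https binding on port 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the imported certificate to the binding.
# This call fails if another certificate is already bound to the same IP:port.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Confirm that port 443 now presents the certificate that was just imported.
$bound = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 }
if ($bound.Thumbprint -notcontains $cert.Thumbprint) {
    throw 'Port 443 is not bound to the imported certificate.'
}
"Bound {0} (expires {1}) to {2}:443" -f $cert.Subject, $cert.NotAfter, $siteName
```

After a successful import, move server.pfx and keystorePass.txt to access-controlled storage or delete them from the server, since together they contain the private key and its password.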