Install SSL on IIS

Convert your certificate to PFX format, import it into IIS Manager, and bind it to your site on port 443.

Before You Begin

You will need these three files from your SSL certificate download:

certificate.crtYour SSL certificate
private.keyYour private key - keep this secure
ca_bundle.crtCA bundle (intermediate certificates)

Installation Steps

  1. Convert to PFX

    IIS requires a .pfx file combining certificate and private key. Convert using OpenSSL.

    openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt
  2. Open IIS Manager

    Open IIS Manager from Server Manager or the Start menu and select your server name.

  3. Open Server Certificates

    Double-click Server Certificates in the IIS section panel.

  4. Import the PFX

    Click Import in the Actions pane, browse to your .pfx file, and enter the export password.

  5. Open Site Bindings

    Expand Sites, select your website, and click Bindings in the Actions pane.

  6. Add HTTPS binding

    Click Add, set Type to https, port 443, and select your imported certificate from the dropdown.

  7. Apply and verify

    Click OK, then browse to https://yourdomain.com to confirm the padlock appears.

Common Issues

The password you entered is incorrect
When importing the PFX, IIS requires the exact password you set during the OpenSSL export step. If you have forgotten the password, re-run the openssl pkcs12 -export command and set a new password.
Certificate does not appear in the dropdown
Verify that you imported the certificate under the correct server node in IIS Manager, not just into the local machine certificate store via MMC. Navigate to the server root, open Server Certificates, and import from there.
ERR_SSL_PROTOCOL_ERROR
TLS 1.2 may be disabled on your Windows server. Enable it through the registry or use the IIS Crypto tool (by Nartac Software) to enable TLS 1.2 and TLS 1.3 with one click.

Frequently Asked Questions

If you already have a .pfx file from your CA you can skip the conversion step. SSLs For Free provides separate certificate files, so the OpenSSL conversion step is required to combine them into a PFX that IIS can import.

Yes, IIS 8 and later support SNI. When adding the HTTPS binding, tick Require SNI so multiple sites on port 443 can each have their own certificate without conflicting.

Any OpenSSL 1.1.x or 3.x version works for the PFX conversion. You can download a Windows binary from slproweb.com, or use Git Bash which includes OpenSSL out of the box.

Certificate Installed? Set Up Expiry Monitoring.

Get an email reminder 14 days before your certificate expires - free, no account needed.