Installing certificate via IIS manager
After you receive the issued certificate, you can use the Internet Information Services Manager to install the certificate on a Microsoft IIS 7 server. The method described below will work only if the certificate request was generated on the same machine using IIS Manager. Please follow the process described below:
- Once the certificate is issued and sent to you by the Certificate Authority, save it to an accessible location on your server.
You can also download the certificate in your account with us. The downloaded zip file will have a *.p7b file which can be used for the certificate installation on IIS.
- Open Internet Information Services Manager. For this, go to the Start menu, choose Administrative Tools and select Internet Information Services (IIS) Manager. Otherwise, access it via Win+R >> inetmgr >> OK.
- Click on the required server name and go to the Server Certificates option in the center menu.
- Press the Complete Certificate Request button in the Actions right-side section.
- This will run the Complete certificate request wizard. Select the certificate file from the Certificate Authority you saved on your machine and give a ‘Friendly name’ to the certificate. Friendly name is not a part of the certificate. It is a local name that you can give to the certificate to distinguish it among the other certificates on the server. After the file is selected and the friendly name is entered, click OK.
If you are importing the certificate in the PEM-encoded format (the file extension will be *.crt), you may also need to import intermediate and root certificates to the server using Microsoft Management Console. The certificates in the PKCS#7 format (*.cer and *.p7b files) do not require additional actions for importing intermediate certificates separately.
Note: There is a chance you may receive an error “Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created” or “ASN1 bad tag value met” when importing the certificate.
To fix it, please cancel the dialogue window of the certificate wizard and press F5 to refresh the list of server certificates. You will see that the certificate is imported, but it will not have a Friendly name. You will be able to assign it to the certificate using MMC.
- The imported certificate is now shown in the list of Server Certificates. Now you will need to assign the certificate to the website.
- In the Connections left-side menu, select your web server, expand the Sites menu and choose the website you want to assign the certificate to. After that, click on the Bindings option in the Actions section.
- In the Site Bindings window, click Add.
- In the Add Site Binding window, choose the following parameters:
Type – https;
IP address – All Unassigned, or your IP address;
Port – 443;
SSL certificate – friendly name of the imported certificate.
After all details are selected, click the OK button.
- The new binding has been successfully created.
If the site already has HTTPS enabled and you want to update the SSL certificate, click the Edit button for the port 443 binding, select the friendly name of the new certificate from the dropdown list and click OK to apply the changes.
The certificate is now installed. If the HTTPS connection is still not accessible, you may need to restart the website. You can check the certificate installation via https://decoder.link.
Importing PFX file
Create PFX file
If you have the private key in PEM format (.key file), you need to generate the certificate in PKCS#12 format (.pfx).
Use this tool to generate the certificate in PKCS#12. Use your certificate with .crt extension, CA bundle with .ca-bundle extension and the saved key with .key extension.
If there’s an OpenSSL client installed on the server, you can create a PFX file out of a certificate in PEM format (.pem, .crt, .cer) or PKCS#7/P7B format (.p7b, .p7c) and the private key using the following commands.
PEM (.pem, .crt, .cer) to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile more.crt
*where “more.crt” is the name of the CA Bundle file
PKCS7/P7B (.p7b, .p7c) to PFX
P7B file must be converted to PEM first:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
Next, run:
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.crt -certfile more.crt
*where “more.crt” is the name of the CA Bundle file
Then import the certificate with .pfx format to your Windows server.
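A scripted form of the OpenSSL steps above, as an added example that is not part of the original page: it checks that the private key matches the certificate and that the CA bundle actually issued it before building the PFX, then counts the certificates stored inside. The function names and the PFX_PASS environment variable are assumptions; the file names follow the page's commands.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names and the
# PFX_PASS variable are assumptions; file names follow the page's commands.

# Print the PEM public key of a certificate ("cert") or a private key ("key").
pubkey_pem() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
  esac
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {  # $1 = certificate.crt, $2 = privatekey.key
  local cert_pub key_pub
  cert_pub=$(pubkey_pem cert "$1") || return 1
  key_pub=$(pubkey_pem key "$2") || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Verify the certificate against the CA bundle. -partial_chain accepts a
# bundle that stops at an intermediate CA; -no-CApath leaves out the
# system CA directory.
bundle_issues_cert() {  # $1 = certificate.crt, $2 = CA bundle (more.crt)
  openssl verify -partial_chain -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build the PFX after both checks pass. The password is read from the
# PFX_PASS environment variable, so it is not passed as a command argument.
build_pfx() {  # $1 = cert, $2 = key, $3 = CA bundle, $4 = output .pfx
  key_matches_cert "$1" "$2" ||
    { echo "private key does not match certificate" >&2; return 1; }
  bundle_issues_cert "$1" "$3" ||
    { echo "CA bundle does not chain to certificate" >&2; return 2; }
  ( umask 077   # the PFX holds the private key: create it owner-only
    openssl pkcs12 -export -out "$4" -inkey "$2" -in "$1" -certfile "$3" \
      -passout env:PFX_PASS )
}

# Count the certificates stored in a PFX (leaf plus CA bundle entries).
pfx_cert_count() {  # $1 = .pfx file
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Usage, with PFX_PASS exported beforehand:
#   build_pfx certificate.crt privatekey.key more.crt certificate.pfx
#   pfx_cert_count certificate.pfx
```

A count lower than one plus the number of certificates in the CA bundle means the intermediates did not make it into the PFX and would have to be imported separately.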
Import PFX using MMC
- Add Certificates (Local Computer) snap-in to MMC following the steps described above.
- Once added, right-click on the Personal store >> All Tasks >> Import.
- The Certificate Import Wizard will be launched, press Next.
- Using the Browse button choose the .pfx file which you want to import on your server, press Next.
- Enter the PFX file password. It was specified during creation of the .pfx file. You may select Mark this key as exportable to have an opportunity to export the certificate with the private key from this server later. Then click Next.
- In the next dialogue window choose Automatically select the certificate store based on the type of certificate. This will allow MMC to place the certificates from the .pfx file to the corresponding folders if the file also contains intermediate certificates. Click Next.
- Click Finish. The certificate has been imported to the server and can be now assigned to the website.
Import PFX using IIS Manager
- Launch Internet Information Services Manager (Start >> Administrative Tools >> Internet Information Services (IIS) Manager), and choose the server the certificate should be imported on.
- Double-click Server Certificates in the center menu.
- Click the Import button in the right-side menu.
- Locate the PFX file on your machine and specify the password that was used when exporting the certificate. Optionally, you may check Allow this certificate to be exported. Then, click OK.
Assigning a certificate for a website
Once the certificate has been imported by any of the methods described above, it will be shown in the list of server certificates in IIS Manager and can be assigned to an existing website using IIS.