How to install a PFX certificate on Microsoft IIS and binding it to a website?

 

Overview: 

This knowledge base article provides step-by-step instructions to install a PFX (.pfx / .p12) certificate on a Windows server and bind it to a website in Internet Information Services (IIS) to enable HTTPS. 

Scope 

Applies to: 

• Windows Server 2016 / 2019 / 2022 

• IIS 10.x 

• Certificates in PFX format containing: 

• Public certificate 

• Private key 

• (Optional) Intermediate certificate chain 

 

Prerequisites:

• Local Administrator access to the Windows server 

• IIS installed and configured 

• PFX certificate file 

• PFX password 

• Website already created in IIS 

• Port 443 open on firewall/load balancer

 

 Steps to install a PFX certificate in IIS platform:

 

Section 1: Install the PFX Certificate 

Step 1: Open IIS Manager 

1. Log in to the Windows server 

2. Open Server Manager 

3. Navigate to 
   Tools → Internet Information Services (IIS) Manager 

 

Step 2: Import the PFX Certificate 

1. In IIS Manager, select the server name (top of left pane) 

2. Double-click Server Certificates 

3. Click Import in the right-hand Actions pane 

4. Configure: 

• Certificate File: Browse to the .pfx file 

• Password: Enter PFX password 

• Select “Allow this certificate to be exported” (recommended) 

5. Click OK 

✔ The certificate should now appear in the Server Certificates list. 

 

Section 2: Bind Certificate to IIS Website 

 

Step 1: Open Site Bindings 

1. In IIS Manager, expand Sites 

2. Select the target website 

3. Click Bindingsin the Actions pane 

 

Step 2: Add or Edit HTTPS Binding 

1. Click Add (or Editif HTTPS already exists) 

2. Configure: 

• Type: https 

• IP Address: All Unassigned (or specific IP if required) 

• Port: 443 

• Host name: 

• Leave blank for default 

• Enter FQDN if using SNI 

• SSL Certificate: Select the imported certificate 

3. Click OK 

4. Click Close 

 

Section 3: Verify Certificate Installation 

 

Browser Verification 

1. Open a browser 

2. Navigate to: 

3. https://yourdomain.com 

4. Confirm: 

• No certificate warnings 

• Correct CN/SAN 

• Valid expiration date 

• Trusted certificate chain 

 

Windows Verification 

1. Open MMC 

2. Add Certificates → Computer Account 

3. Navigate to: 

4. Personal → Certificates 

5. Confirm the certificate shows: 

• Private key icon 

• “You have a private key that corresponds to this certificate” 

 

Section 4: Troubleshooting 

 

Issue	Resolution
Certificate not visible in IIS	Ensure PFX includes private key
HTTPS binding fails	Confirm port 443 is free
Browser shows untrusted	Install intermediate certificates
Wrong certificate used	Check SNI and hostname
“No private key” error	Re-import PFX correctly

 

Best Practices 

• Always include SANs for all hostnames 

• Use 2048-bit RSA or ECDSA certificates 

• Keep a secure backup of PFX files 

• Renew certificates before expiration 

• Use SNI for multi-site servers 

 

Security Notes 

• Protect PFX files with strong passwords 

• Delete PFX files after installation 

• Restrict access to certificate private keys 

 

Related Articles:  How to Add a Cross-Sign Certificate to the Chain on Windows Platform (IIS)

Tags: