How to Install and Bind a Server Certificate Using Certutil on Windows?
Overview
This guide explains how to install a TLS/SSL server certificate into the Windows Certificate Store, verify that it is correctly linked to its private key, and bind it to common Windows services.
Prerequisites
Before starting, confirm the following:
- You are logged in to the target Windows server
- You have Local Administrator privileges
- The certificate files are available on the server:
  - Server certificate (for example: your_domain.cer)
  - Intermediate certificate(s) from the Certificate Authority
- The private key already exists on this server (the CSR was generated here)
Procedure:
Step 1: Install the Intermediate Certificate(s)
Intermediate certificates must be installed first, so Windows can build a complete trust chain.
Open Command Prompt as Administrator
Run the following command:
    certutil -addstore CA intermediate_certificate.cer
Confirm the command completes successfully
Expected result: The intermediate certificate is added to the Intermediate Certification Authorities store.
Step 2: Install the Server Certificate
In the same Administrator Command Prompt, run:
    certutil -addstore MY server_certificate.cer
Confirm the certificate is added successfully
Expected result: The server certificate appears in the Personal (MY) certificate store.
Step 3: Verify the Certificate Has a Private Key
A server certificate must be linked to its private key to function.
- List certificates in the Personal store:
    certutil -store MY
- Locate your certificate by Subject or Serial Number
- Verify the output includes:
    Private key is present
If the private key is present, the certificate is ready to be bound.
Step 4: Repair the Certificate (If Required)
If the certificate does not show a private key but the key exists on the server, you can attempt to re‑associate it.
Note the certificate Serial Number from the previous output
Run:
    certutil -repairstore MY "SerialNumber"
Re‑run certutil -store MY to confirm the private key is now present
Step 5: Verify the Certificate Chain
To confirm the certificate chain is complete and trusted:
    certutil -verify -urlfetch server_certificate.cer
Expected result: Output ends with:
    Certificate is valid
Step 6: Verify Using Certificate Manager (MMC)
You can visually confirm the installation using Microsoft Management Console.
- Press Win + R, type mmc, click OK
- Go to File → Add/Remove Snap‑in
- Add Certificates → Computer account
- Navigate to:
  - Personal → Certificates
- Select your certificate and confirm:
  - A key icon is present
  - The Certificate Path tab shows no errors
Step 7: Bind the Certificate to a Service (General Examples)
After installation, the certificate must be bound to the service that will use HTTPS.
Example A: IIS (Web Server)
- Open Internet Information Services (IIS) Manager
- Select the target website
- Click Bindings…
- Add or edit an HTTPS binding
- Select the installed certificate from the list
- Click OK and restart the site if prompted
Example B: HTTP.sys / Windows Service
Applications that rely on HTTP.sys (for example, custom services) typically bind certificates using a certificate thumbprint.
Common binding elements include:
- IP address and port (for example, 0.0.0.0:443)
- Certificate thumbprint
- Certificate store name (MY)
Refer to your application or vendor documentation for the exact binding command.
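One way to perform the HTTP.sys binding from Example B after re-checking the Step 3 and Step 5 conditions, shown as an added example that is not part of the original article or any vendor's documentation. It uses the built-in netsh http add sslcert command; the parameter names, the default port and the all-zero AppId GUID are placeholders to replace with your own values.

```powershell
# Added example: re-check the certificate, then bind it for HTTP.sys with netsh.
# Assumptions (not from the article): parameter names, default port, placeholder AppId.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # "Cert Hash(sha1)" from certutil -store MY
    [string] $IpPort = '0.0.0.0:443',
    [string] $AppId  = '{00000000-0000-0000-0000-000000000000}'  # placeholder: use your service's GUID
)
$ErrorActionPreference = 'Stop'

# Thumbprints pasted from the MMC dialog often carry spaces or an invisible leading character.
$thumb = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw 'Thumbprint must be 40 hex characters (SHA-1).' }

# The certificate must be in the machine's Personal (MY) store, not the user's.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Certificate $thumb not found in LocalMachine\My." }

# Step 3 condition: without a linked private key the TLS handshake fails.
if (-not $cert.HasPrivateKey) { throw 'No private key linked; see Step 4 (certutil -repairstore).' }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# If an EKU extension exists it must allow Server Authentication (1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1')) {
    throw 'Certificate EKU does not include Server Authentication.'
}

# Step 5 condition: the chain must build to a trusted root in the machine context.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'Chain validation failed; see the warnings above.'
}

# Bind. netsh refuses to overwrite an existing binding for the same ipport;
# remove it deliberately with "netsh http delete sslcert ipport=..." before retrying.
& netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$AppId" certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE." }

& netsh http show sslcert "ipport=$IpPort"   # confirm hash, store and AppId as registered
```

Run it from an elevated PowerShell session; every check throws before netsh is called, so a certificate that fails validation is never bound.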
Completion
Your server certificate is now:
- Installed in the Windows Certificate Store
- Linked to its private key
- Validated with a complete trust chain
- Ready and bound for HTTPS use