
    How to Install SSL Certificate on IIS 10 & Later

    Complete step-by-step guide for Microsoft IIS 10 on Windows Server 2016, 2019, and 2022. Configure HTTPS bindings with SNI, PowerShell automation, and HTTP to HTTPS redirects.

    My-SSL Team
    December 15, 2025
    18 min read

    Running IIS 5 or 6? See our legacy guide for Installing SSL on IIS 5 & 6 (Windows Server 2000/2003)

    Introduction to IIS 10 SSL Installation

    Microsoft Internet Information Services (IIS) 10 is the modern web server platform included with Windows Server 2016, 2019, 2022, and Windows 10/11. IIS 10 offers significant improvements in SSL/TLS management compared to earlier versions, including centralized certificate stores, Server Name Indication (SNI) support, and simplified binding management.

    This comprehensive guide walks you through installing SSL certificates on IIS 10 and later versions—from generating a Certificate Signing Request (CSR) using IIS Manager or our CSR Generator, to configuring HTTPS bindings and verifying your installation with our SSL Checker.

    What you'll learn:

    • Generating CSR using IIS Manager or PowerShell
    • Installing SSL certificates via IIS Manager
    • Creating and importing PFX files
    • Configuring HTTPS bindings with SNI
    • Setting up HTTP to HTTPS redirects using URL Rewrite
    • Managing multiple SSL sites on a single IP address
    • Troubleshooting common IIS SSL errors

    For legacy IIS versions (5.x and 6.x), see our guide on Installing SSL on IIS 5 & 6.

    For a foundational understanding of SSL, see our guide on What is SSL and How SSL Works.


    Prerequisites Checklist

    Before starting the SSL installation, ensure you have:

    • Windows Server 2016/2019/2022 or Windows 10/11 with IIS installed
    • IIS Manager access - Administrative privileges on the server
    • Web Server (IIS) role installed - Including Management Tools
    • Domain pointed to server - DNS A record pointing to your server's IP address
    • SSL certificate files - Your certificate (.cer/.crt), private key (.key), and CA bundle
    • URL Rewrite module - For HTTP to HTTPS redirects (optional but recommended)

    Verify IIS installation:

    # Check IIS version (the VersionString registry value reads "Version 10.0" on IIS 10)
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' | Select-Object VersionString
    # Output: Version 10.0
    
    # Verify IIS is running (Status should be Running)
    Get-Service W3SVC

    Open IIS Manager:

    • Press Windows + R, type inetmgr, press Enter
    • Or: Server Manager → Tools → Internet Information Services (IIS) Manager

    Understanding IIS 10 Certificate Management

    IIS 10 offers multiple ways to manage SSL certificates:

    Certificate Storage Locations

    Location                      | Description                      | Use Case
    Server Certificates           | IIS Manager's built-in store     | Standard installations
    Local Computer Store          | Windows Certificate Store (MMC)  | Advanced management
    Centralized Certificate Store | Shared network location          | Multi-server farms

    Key Features in IIS 10+

    • Server Name Indication (SNI): Host multiple SSL sites on a single IP address
    • Centralized Certificate Store (CCS): Share certificates across multiple IIS servers
    • HTTP/2 Support: Modern protocol with SSL/TLS requirement
    • TLS 1.3 Support: Latest security protocol (Windows Server 2022)
    • PowerShell Management: Full automation capabilities

    Step 1: Generate a Certificate Signing Request (CSR)

    You have three options for CSR generation: IIS Manager, PowerShell, or our online tool.

    Option A: Using the My-SSL CSR Generator

    The easiest method is using our free CSR Generator Tool:

    1. Navigate to My-SSL CSR Generator
    2. Enter your domain name (e.g., yourdomain.com)
    3. Fill in organization details (name, city, state, country)
    4. Add Subject Alternative Names (SANs) for additional domains if needed
    5. Click Generate CSR
    6. Save both the CSR and Private Key files securely

    Important: Store your private key securely. You'll need it to create a PFX file for import into IIS.

    Option B: Using IIS Manager

    Generate a CSR directly within IIS Manager:

    1. Open IIS Manager: Press Windows + R, type inetmgr, press Enter
    2. Select Server: In the left panel, click on your server name
    3. Open Server Certificates: Double-click Server Certificates in the center panel
    4. Create Certificate Request: In the Actions panel (right side), click Create Certificate Request...
    5. Enter Distinguished Name Properties:
       • Common Name: Your fully qualified domain name (e.g., www.yourdomain.com)
       • Organization: Legal company name
       • Organizational Unit: Department (e.g., IT)
       • City/Locality: Your city
       • State/Province: Full state name
       • Country/Region: Two-letter country code (e.g., US)
    6. Cryptographic Service Provider Properties:
       • Provider: Microsoft RSA SChannel Cryptographic Provider
       • Bit Length: 2048 (minimum) or 4096 (recommended)
    7. Save CSR File: Specify a filename (e.g., C:\certs\yourdomain.csr)
    8. Click Finish: The CSR file is created

    Verify your CSR using our CSR Decoder to ensure all details are correct before submitting to a Certificate Authority.

    Option C: Using PowerShell

    Generate a CSR using PowerShell for automation:

    # Create certificate request INF file.
    # A single-quoted here-string (@' ... '@) is required here: inside a double-quoted one
    # PowerShell would expand $Windows in the Signature line and corrupt the INF.
    $inf = @'
    [Version]
    Signature="$Windows NT$"
    
    [NewRequest]
    Subject = "CN=yourdomain.com, O=Your Company, L=City, S=State, C=US"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = FALSE
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0
    HashAlgorithm = SHA256
    
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    '@
    
    # Save INF file
    $inf | Out-File -FilePath "C:\certs\request.inf" -Encoding ASCII
    
    # Generate CSR (the pending request and its private key stay in the machine store)
    certreq -new "C:\certs\request.inf" "C:\certs\yourdomain.csr"
    
    # Once the CA has issued the certificate, install it against that pending request with
    # certreq -accept "C:\certs\yourdomain.cer" (or IIS Manager's Complete Certificate Request...)

    Step 2: Order Your SSL Certificate

    With your CSR ready, order an SSL certificate:

    1. Choose the appropriate certificate type:
       • DV SSL - Domain validation, fastest issuance
       • OV SSL - Organization validation, business trust
       • EV SSL - Extended validation, highest trust
    2. Submit your CSR during the order process
    3. Complete domain validation (email, DNS, or HTTP file)
    4. Download your certificate files once issued

    You'll typically receive:

    • Primary certificate (yourdomain.crt or yourdomain.cer)
    • Intermediate/CA Bundle (ca-bundle.crt)
    • Root certificate (optional)

    Learn more about SSL Certificate Types to choose the right option.


    Step 3: Complete Certificate Request (IIS-Generated CSR)

    If you generated your CSR using IIS Manager (Option B), complete the pending request:

    1. Open IIS Manager: Press Windows + R, type inetmgr, press Enter
    2. Select Server: Click on your server name in the left panel
    3. Open Server Certificates: Double-click Server Certificates
    4. Complete Certificate Request: In the Actions panel, click Complete Certificate Request...
    5. Locate Certificate File: Browse to your downloaded certificate file (.cer or .crt)
    6. Enter Friendly Name: Use a descriptive name (e.g., "yourdomain.com SSL 2025")
    7. Select Certificate Store: Choose Web Hosting or Personal
    8. Click OK: The certificate is installed

    Verify Installation:

    • The certificate should now appear in the Server Certificates list
    • Check the expiration date and issuer details

    Step 4: Install Certificate Using PFX File (External CSR)

    If you generated your CSR using our CSR Generator or another external tool, you'll need to create a PFX file.

    Create PFX Using Certificate Converter

    1. Visit our Certificate Converter tool
    2. Select PEM to PFX conversion
    3. Upload your files:
       • Certificate file (.crt)
       • Private key file (.key)
       • CA Bundle file (optional but recommended)
    4. Set a strong password for the PFX
    5. Download the .pfx file

    Create PFX Using OpenSSL

    # Combine certificate with CA bundle
    cat yourdomain.crt ca-bundle.crt > fullchain.crt
    
    # Create PFX file
    openssl pkcs12 -export \
      -out yourdomain.pfx \
      -inkey private.key \
      -in fullchain.crt \
      -password pass:YourSecurePassword

    Import PFX into IIS

    1. Open IIS Manager: Press Windows + R, type inetmgr
    2. Select Server: Click your server name
    3. Open Server Certificates: Double-click Server Certificates
    4. Import Certificate: In the Actions panel, click Import...
    5. Browse to PFX File: Select your .pfx file
    6. Enter Password: Type the password you set when creating the PFX
    7. Select Certificate Store: Choose Web Hosting (recommended) or Personal
    8. Allow Export (optional): Check if you want to export the certificate later
    9. Click OK: The certificate is imported

    Step 5: Bind SSL Certificate to Website

    After installing the certificate, bind it to your website:

    Using IIS Manager (GUI)

    1. Expand Sites: In IIS Manager, expand your server → Sites
    2. Select Your Website: Click on the website you want to secure
    3. Open Bindings: In the Actions panel, click Bindings...
    4. Add HTTPS Binding: Click Add...
    5. Configure Binding:
       • Type: https
       • IP Address: All Unassigned (or specific IP)
       • Port: 443
       • Host name: yourdomain.com (required when using SNI)
       • Require Server Name Indication: ✓ Check this box (recommended)
       • SSL certificate: Select your installed certificate
    6. Click OK: The HTTPS binding is created
    7. Add www Binding (if needed): Repeat for www.yourdomain.com

    Using PowerShell

    # Load the IIS cmdlets (New-WebBinding, Get-WebBinding)
    Import-Module WebAdministration
    
    # Get certificate thumbprint (newest matching certificate, in case several are installed)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\WebHosting |
        Where-Object {$_.Subject -like "*yourdomain.com*"} |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    
    # Create HTTPS binding with SNI (-SslFlags 1 = Require Server Name Indication)
    New-WebBinding -Name "YourSiteName" -Protocol "https" -Port 443 -HostHeader "yourdomain.com" -SslFlags 1
    
    # Bind certificate to site
    $binding = Get-WebBinding -Name "YourSiteName" -Protocol "https" -HostHeader "yourdomain.com"
    $binding.AddSslCertificate($cert.Thumbprint, "WebHosting")
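    The PFX import from Step 4 and the SNI binding above combined into one idempotent PowerShell function, as an added example that is not part of this guide or of Microsoft's IIS tooling. It assumes the WebAdministration module is available; the site name, host name and PFX path are placeholders.

```powershell
# Added example (not from the My-SSL guide or Microsoft): import a PFX and create an SNI
# HTTPS binding for it in one idempotent step. Requires the WebAdministration module.
# Site name, host name and PFX path below are placeholders.
Import-Module WebAdministration

function Install-SiteHttpsBinding {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $HostName,
        [string] $PfxPath,                 # optional: import this PFX first
        [string] $Store = 'WebHosting',    # IIS Manager's "Web Hosting" store
        [int]    $Port  = 443
    )

    if ($PfxPath) {
        # Prompt for the PFX password instead of embedding it in the script
        $pfxPassword = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
        $imported = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation "Cert:\LocalMachine\$Store" -Password $pfxPassword
        Write-Host "Imported $($imported.Subject) [$($imported.Thumbprint)]"
    }

    # Choose the newest unexpired certificate with a private key whose SAN list covers the
    # host name (DnsNameList is built from the SAN extension; a matching wildcard counts too)
    $wildcard = if ($HostName.Contains('.')) { '*' + $HostName.Substring($HostName.IndexOf('.')) }
    $cert = Get-ChildItem "Cert:\LocalMachine\$Store" |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object { $names = @($_.DnsNameList.Unicode)
                       ($names -contains $HostName) -or ($wildcard -and ($names -contains $wildcard)) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No valid certificate with a private key covers $HostName in the $Store store" }

    # Create the binding only if it is not there yet (avoids "Cannot add duplicate collection entry")
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    if (-not $binding) {
        # SslFlags 1 = Require Server Name Indication
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName -SslFlags 1
        $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    }

    # Attach the certificate to that binding
    $binding.AddSslCertificate($cert.Thumbprint, $Store)

    # Show the SSL binding HTTP.sys now holds for this host name
    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Host -eq $HostName -and $_.Port -eq $Port }
}

# Example call (placeholders):
# Install-SiteHttpsBinding -SiteName 'Default Web Site' -HostName 'yourdomain.com' -PfxPath 'C:\certs\yourdomain.pfx'
```

    Selecting the certificate by SAN coverage rather than by a substring of the Subject avoids picking up an old or unrelated certificate, and re-running the function for the same host simply re-attaches the newest certificate, which is what a renewal needs.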

    Understanding SNI (Server Name Indication)

    SNI allows multiple SSL sites to share a single IP address:

    • With SNI: Multiple domains can use port 443 on the same IP
    • Without SNI: Each SSL site requires a unique IP address
    • Compatibility: All modern browsers support SNI (IE 7+, Chrome, Firefox, Safari, Edge)

    When to use SNI: Almost always recommended for modern deployments.


    Step 6: Configure HTTP to HTTPS Redirect

    Force all HTTP traffic to redirect to HTTPS using URL Rewrite module.

    Install URL Rewrite Module

    1. Download from Microsoft IIS URL Rewrite
    2. Run the installer
    3. Restart IIS Manager

    Configure Redirect via IIS Manager

    1. Select Your Website: In IIS Manager, click on your website
    2. Open URL Rewrite: Double-click URL Rewrite
    3. Add Rule: In the Actions panel, click Add Rule(s)...
    4. Select Blank Rule: Choose "Blank rule" under Inbound rules
    5. Configure Rule:
       • Name: HTTP to HTTPS Redirect
       • Match URL:
          • Requested URL: Matches the Pattern
          • Using: Regular Expressions
          • Pattern: (.*)
       • Conditions: Click Add
          • Input: {HTTPS}
          • Type: Matches the Pattern
          • Pattern: ^OFF$
       • Action:
          • Type: Redirect
          • Redirect URL: https://{HTTP_HOST}/{R:1}
          • Redirect type: Permanent (301)
    6. Apply: Click Apply in the Actions panel

    Configure via web.config

    Add to your site's web.config file:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <rule name="HTTP to HTTPS Redirect" stopProcessing="true">
                        <match url="(.*)" />
                        <conditions>
                            <add input="{HTTPS}" pattern="^OFF$" />
                        </conditions>
                        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                    </rule>
                </rules>
            </rewrite>
        </system.webServer>
    </configuration>

    Step 7: Enable HTTP Strict Transport Security (HSTS)

    HSTS tells browsers to always use HTTPS for your domain.

    Configure HSTS via web.config

    <configuration>
        <system.webServer>
            <httpProtocol>
                <customHeaders>
                    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
                </customHeaders>
            </httpProtocol>
        </system.webServer>
    </configuration>

    Configure HSTS via IIS Manager

    1. Select Your Website: Click on your site in IIS Manager
    2. Open HTTP Response Headers: Double-click HTTP Response Headers
    3. Add Header: In Actions, click Add...
       • Name: Strict-Transport-Security
       • Value: max-age=31536000; includeSubDomains

    Warning: Only enable HSTS after confirming HTTPS works correctly. The setting is cached by browsers.


    Step 8: Verify SSL Installation

    After installation, verify everything is working correctly.

    Browser Verification

    1. Visit Your Website: Navigate to https://yourdomain.com
    2. Check Padlock Icon: A padlock should appear in the address bar
    3. Click Padlock: View certificate details
    4. Verify Certificate Chain: Check for complete chain (leaf → intermediate → root)

    Use SSL Checker Tool

    Our SSL Checker Tool provides comprehensive verification:

    • Certificate chain validation
    • Expiration date
    • Protocol support (TLS 1.2, TLS 1.3)
    • Security grade
    • Common issues detection

    PowerShell Verification

    # Test that port 443 is reachable
    Test-NetConnection -ComputerName yourdomain.com -Port 443
    
    # View certificate details (ServicePoint.Certificate is only populated once a request has been sent)
    $url = "https://yourdomain.com"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $response = $request.GetResponse()
    $request.ServicePoint.Certificate
    $response.Close()
    
    # Or use curl (Windows 10+)
    curl.exe -vI https://yourdomain.com 2>&1 | Select-String "SSL|certificate"
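    An added end-to-end probe, not from this guide, that checks from a client's point of view what Steps 5 to 7 set up: the HTTP to HTTPS 301, the certificate presented for the SNI host name, and the HSTS header on the HTTPS response. It uses only .NET classes that ship with Windows PowerShell; the host name is a placeholder.

```powershell
# Added example (not from the My-SSL guide): probe a site the way a browser would and report
# the results of Steps 5-7 as one object. Host name is a placeholder.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

function Test-HttpsDeployment {
    param([Parameter(Mandatory)] [string] $HostName)
    $result = [ordered]@{ Host = $HostName }

    # --- Step 6: plain HTTP must answer 301 with an https:// Location ---
    # HttpWebRequest with AllowAutoRedirect=$false returns 3xx responses instead of following them
    $resp = $null
    try {
        $req = [System.Net.HttpWebRequest]::Create("http://$HostName/")
        $req.AllowAutoRedirect = $false
        $req.Method = 'HEAD'
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response            # 4xx/5xx still carry a response object
    }
    $result.RedirectStatus   = if ($resp) { [int]$resp.StatusCode } else { $null }
    $result.RedirectLocation = if ($resp) { $resp.Headers['Location'] } else { $null }
    if ($resp) { $resp.Close() }
    $result.RedirectOk = ($result.RedirectStatus -eq 301) -and
                         ($result.RedirectLocation -like "https://$HostName/*")

    # --- Step 5: TLS handshake with SNI, capturing the certificate the server presented ---
    $script:policyErrors = $null
    $validate = {
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors           # what Windows thinks of the chain
        return $true                             # accept so a bad certificate can still be inspected
    }
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, 443
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]$validate
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)     # $HostName is sent as the SNI value
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $result.Protocol      = $ssl.SslProtocol
        $result.Subject       = $cert.Subject
        $result.Issuer        = $cert.Issuer
        $result.NotAfter      = $cert.NotAfter
        $result.DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
        # Caveat: Windows can fetch a missing intermediate itself (AIA), so "None" here does not
        # prove the server sent the full chain; the SSL Checker sees exactly what was sent
        $result.PolicyErrors  = $script:policyErrors
        # Browsers require the host name in the SAN list; a matching wildcard entry counts
        $names  = @($cert.DnsNameList.Unicode)
        $parent = if ($HostName.Contains('.')) { '*' + $HostName.Substring($HostName.IndexOf('.')) }
        $result.NameMatches = ($names -contains $HostName) -or ($parent -and ($names -contains $parent))
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # --- Step 7: HSTS header must be present on the HTTPS response ---
    $resp = $null
    try {
        $req = [System.Net.HttpWebRequest]::Create("https://$HostName/")
        $req.Method = 'HEAD'
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response            # null if the TLS handshake itself failed
    }
    $result.Hsts = if ($resp) { $resp.Headers['Strict-Transport-Security'] } else { $null }
    if ($resp) { $resp.Close() }

    [pscustomobject]$result
}

# Example call (placeholder host):
# Test-HttpsDeployment -HostName 'yourdomain.com' | Format-List
```

    RedirectOk, NameMatches, DaysRemaining and Hsts are the fields to alert on; run the function from a machine outside the server so that a firewall or host-file difference does not mask what real clients see.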

    Installing Wildcard SSL on IIS

    Wildcard certificates secure your main domain and all first-level subdomains.

    Wildcard Certificate Binding

    1. Import Wildcard Certificate: Follow Step 4 to import the wildcard PFX
    2. Create Bindings for Each Subdomain:
       • yourdomain.com → Wildcard cert
       • www.yourdomain.com → Same wildcard cert
       • blog.yourdomain.com → Same wildcard cert
       • api.yourdomain.com → Same wildcard cert
    3. Enable SNI: Check "Require Server Name Indication" for each binding

    PowerShell Example

    # Load the IIS cmdlets
    Import-Module WebAdministration
    
    # Get wildcard certificate. -like treats * as a wildcard, so the literal asterisk in
    # CN=*.yourdomain.com must be written as [*] (a backslash does not escape it)
    $cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
        Where-Object {$_.Subject -like "*[*].yourdomain.com*"} |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    
    # Create bindings for multiple subdomains
    $domains = @("yourdomain.com", "www.yourdomain.com", "blog.yourdomain.com", "api.yourdomain.com")
    
    foreach ($domain in $domains) {
        New-WebBinding -Name "YourSiteName" -Protocol "https" -Port 443 -HostHeader $domain -SslFlags 1
        $binding = Get-WebBinding -Name "YourSiteName" -Protocol "https" -HostHeader $domain
        $binding.AddSslCertificate($cert.Thumbprint, "WebHosting")
    }

    Advanced: Centralized Certificate Store (CCS)

    For multi-server environments, use Centralized Certificate Store to share certificates.

    Enable CCS Feature

    # Install CCS feature
    Install-WindowsFeature Web-CertProvider
    
    # Configure CCS. Enable-IISCentralCertProvider (IISAdministration module) takes the share
    # password as a plain string, so read it at run time rather than leaving it in the script.
    Import-Module IISAdministration
    $ccsPath = "\\fileserver\certs"
    $ccsUser = "DOMAIN\CertUser"
    $ccsPassword = Read-Host -Prompt "Password for $ccsUser"
    
    Enable-IISCentralCertProvider -CertStoreLocation $ccsPath -UserName $ccsUser -Password $ccsPassword

    CCS Certificate Naming

    Certificates in CCS must be named after the domain:

    • yourdomain.com.pfx
    • www.yourdomain.com.pfx
    • _.yourdomain.com.pfx (wildcard)

    Common IIS 10 SSL Errors & Troubleshooting

    Error: "A specified logon session does not exist"

    Cause: Certificate private key permissions issue.

    Solution:

    # Find certificate (newest match if several are installed)
    $cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
        Where-Object {$_.Subject -like "*yourdomain.com*"} |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    
    # Get private key path. This applies to keys held by a CSP such as the RSA SChannel provider;
    # CNG keys have no CspKeyContainerInfo and are stored under C:\ProgramData\Microsoft\Crypto\Keys
    $keyPath = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $fullPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyPath"
    
    # Grant IIS_IUSRS read permission
    icacls $fullPath /grant "IIS_IUSRS:R"

    Error: "No certificate matching the SSL binding"

    Cause: Certificate is in wrong store or has been removed.

    Solution:

    1. Verify certificate is in Web Hosting or Personal store
    2. Re-import PFX if necessary
    3. Recreate the HTTPS binding
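    Added example (not from this guide): a PowerShell check that walks every SSL binding HTTP.sys holds and reports bindings whose certificate is missing from the stores, has no private key, or has expired, the situations behind this error. It assumes the WebAdministration module's IIS:\SslBindings drive exposes the properties named in the comments.

```powershell
# Added example (not from the My-SSL guide): cross-check the certificate hash behind each HTTPS
# binding against the Local Machine stores, so a removed, expired or key-less certificate is
# found before clients see a handshake failure.
Import-Module WebAdministration

function Test-SslBindingCertificates {
    # Index every certificate IIS can serve from, by thumbprint (first store listed wins)
    $certs = @{}
    foreach ($store in 'WebHosting', 'My') {
        Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            ForEach-Object { if (-not $certs.ContainsKey($_.Thumbprint)) { $certs[$_.Thumbprint] = $_ } }
    }

    # Assumption: IIS:\SslBindings items expose IPAddress, Port, Host, Store, Sites and
    # Thumbprint, as the WebAdministration provider does on IIS 10
    Get-ChildItem IIS:\SslBindings | ForEach-Object {
        $b    = $_
        $cert = if ($b.Thumbprint) { $certs[$b.Thumbprint] }
        $status =
            if (-not $cert) { 'MISSING: no certificate with this thumbprint in WebHosting or My (re-import the PFX, then recreate the binding)' }
            elseif (-not $cert.HasPrivateKey) { 'NO PRIVATE KEY: re-import the PFX so the key is present' }
            elseif ($cert.NotAfter -lt (Get-Date)) { "EXPIRED on $($cert.NotAfter.ToString('yyyy-MM-dd'))" }
            elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { "EXPIRES SOON ($([int]($cert.NotAfter - (Get-Date)).TotalDays) days)" }
            else { 'OK' }

        [pscustomobject]@{
            Binding    = '{0}:{1}:{2}' -f $b.IPAddress, $b.Port, $b.Host
            Store      = $b.Store
            Thumbprint = $b.Thumbprint
            Subject    = if ($cert) { $cert.Subject } else { $null }
            Sites      = $b.Sites
            Status     = $status
        }
    }
}

# Show only the bindings that need attention:
# Test-SslBindingCertificates | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

    Scheduling this as a daily task that e-mails anything other than OK gives an early warning for the same conditions that otherwise surface only as browser errors.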

    Error: "Certificate chain incomplete"

    Cause: Intermediate certificates not installed.

    Solution:

    1. Download CA bundle from your certificate provider
    2. Import intermediate certificates:
    Import-Certificate -FilePath "intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA

    Error: "SSL/TLS handshake failed"

    Cause: TLS version mismatch or cipher suite incompatibility.

    Solution:

    # Enable TLS 1.2 for the server side of SCHANNEL (-Force creates or overwrites existing values)
    $tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    New-Item $tls12 -Force
    New-ItemProperty -Path $tls12 -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force
    New-ItemProperty -Path $tls12 -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force
    
    # Restart IIS (if the change does not take effect, reboot: SCHANNEL reads protocol settings at startup)
    iisreset

    Error: "Private key and certificate don't match"

    Cause: Certificate doesn't match the private key.

    Solution: Use our Key Matcher Tool to verify your private key matches the certificate.

    Error: "SNI required but host header missing"

    Cause: HTTPS binding configured with SNI but no host header specified.

    Solution: Either specify a host header or uncheck "Require Server Name Indication" (requires dedicated IP).

    Error: "Cannot add duplicate collection entry"

    Cause: Binding already exists for that IP:port:hostname combination.

    Solution:

    # List existing bindings
    Get-WebBinding -Name "YourSiteName"
    
    # Remove duplicate binding
    Remove-WebBinding -Name "YourSiteName" -Protocol "https" -HostHeader "yourdomain.com"
    
    # Add correct binding
    New-WebBinding -Name "YourSiteName" -Protocol "https" -Port 443 -HostHeader "yourdomain.com" -SslFlags 1

    Let's Encrypt vs Purchased SSL for IIS

    Feature          | Let's Encrypt                   | Purchased SSL
    Cost             | Free                            | Starting at $2.99/year
    Validity         | 90 days                         | 1-3 years
    Auto-renewal     | Requires ACME client (win-acme) | Manual (reminder available)
    Validation Types | DV only                         | DV, OV, EV available
    Warranty         | None                            | Up to $1.75M
    Support          | Community                       | 24/7 Professional
    Wildcard         | Supported (DNS validation)      | Supported
    Enterprise Use   | Limited                         | Recommended

    Recommendation: For production IIS deployments, purchased SSL certificates are recommended for longer validity, warranty protection, and OV/EV validation options.


    IIS 10 SSL Best Practices

    1. Use TLS 1.2 or TLS 1.3 - Disable older protocols
    2. Enable HSTS - Prevent protocol downgrade attacks
    3. Use Strong Cipher Suites - Disable weak ciphers
    4. Enable HTTP/2 - Requires HTTPS in most browsers
    5. Use SNI - Host multiple SSL sites efficiently
    6. Monitor Certificate Expiration - Use our SSL Checker
    7. Set Up Expiry Reminders - At SSL Checker page
    8. Backup Certificates - Export as PFX to secure location
    9. Use Centralized Certificate Store - For multi-server environments
    10. Regular Security Audits - Test with SSL Labs or similar
    Frequently Asked Questions