How to Install SSL Certificate on Microsoft IIS 5 & 6

Introduction to IIS 5 & 6 SSL Installation

Microsoft Internet Information Services (IIS) 5.x and 6.x were the web server platforms for Windows 2000 Server and Windows Server 2003, respectively. While these systems have reached end of life, many organizations still maintain legacy applications on these platforms that require SSL/TLS certificates for secure communication.

This comprehensive guide walks you through the complete process of installing SSL certificates on IIS 5 and IIS 6—from generating a Certificate Signing Request (CSR) to verifying your installation with our SSL Checker. Whether you're maintaining a legacy intranet application or keeping an older system secure, you'll find step-by-step instructions tailored to these classic Microsoft platforms.

Understanding how SSL works is essential for securing web traffic on any platform. SSL certificates encrypt data between your visitors' browsers and your IIS server, protecting sensitive information like login credentials and personal data. Even on legacy systems, proper SSL implementation remains critical for security.

Looking for modern IIS? For IIS 10 and later on Windows Server 2016/2019/2022, see our updated guide: Installing SSL on IIS 10+ (Windows Server 2016/2019/2022).

Important: Legacy System Considerations

Before proceeding with SSL installation, please note the following critical information about IIS 5 and IIS 6:

End of Support Status

Upgrade Recommendation

We strongly recommend upgrading to a modern version of IIS (7.0 or later) running on a supported Windows Server operating system. Modern IIS versions offer:

For modern Windows Server installations, see our comprehensive guide: Installing SSL on IIS 10+ (Windows Server 2016/2019/2022).

If upgrade is not immediately possible, this guide will help you secure your legacy IIS installation as best as possible within its limitations.

What You'll Need Before Starting

Before beginning the SSL installation process on IIS 5 or 6, ensure you have the following prerequisites ready:

Prerequisites Checklist

If you haven't purchased an SSL certificate yet, browse our SSL certificates to find the right option for your needs. We offer DV, OV, and EV certificates from trusted Certificate Authorities with prices starting at just $2.99/year.

Step 1: Generate CSR Using IIS (Built-in Method)

The first step in obtaining an SSL certificate is generating a Certificate Signing Request (CSR) directly within IIS. This method creates a pending request that pairs with the certificate upon installation.

IIS 6 CSR Generation Steps

- Organization: Your legal company name (e.g., "Example Corporation")

- Organizational Unit: Department (e.g., "IT Department")

- Standard certificate: www.example.com or example.com

- Subdomain: secure.example.com

- Wildcard: *.example.com

- Country: Two-letter code (e.g., US, GB, CA)

- State/Province: Full name, not abbreviated

- City/Locality: Your city

IIS 5 CSR Generation Steps

The process for IIS 5 is nearly identical:

Critical Warning: Do NOT delete the pending certificate request from IIS! If you delete it before installing the issued certificate, you will lose the private key and must regenerate the CSR and reissue the certificate.

Step 1 Alternative: Generate CSR Using My-SSL Tools

For greater control over your CSR and to keep a secure copy of your private key, you can use our free CSR Generator tool.

Benefits of Using External CSR Generation

How to Generate a CSR with My-SSL Tools

- Standard: example.com (covers www automatically)

- Subdomain: secure.example.com

- Wildcard: *.example.com

- Organization Name: Legal business name

- Department: Organizational unit

- City, State, Country

Important: Store your private key securely—you'll need it later when importing the certificate into IIS.

For a complete walkthrough of all our tools, see our Complete Guide to Free SSL Certificate Tools.

Step 2: Order Your SSL Certificate

With your CSR ready, you can now order your SSL certificate. The type of certificate you choose depends on your website's needs:

Ordering Process

- Email validation (sent to admin@yourdomain.com)

- DNS validation (add a CNAME or TXT record)

- HTTP validation (upload a file to your server)

For detailed information on validation types, read our guide on SSL Certificate Types.

Step 3: Install the SSL Certificate (IIS-Generated CSR)

If you generated your CSR using IIS (Step 1), follow these instructions to process the pending request.

Processing the Pending Request in IIS 6

Processing the Pending Request in IIS 5

Important: You must install the certificate on the exact same website where the CSR was generated. The pending request contains the private key reference that's required to complete the installation.

Step 4: Install Intermediate Certificate (CA Bundle)

Most SSL certificates require intermediate certificates to establish a complete chain of trust. Without the CA bundle, browsers may show "certificate not trusted" warnings.

Installing Intermediate Certificates in IIS

Multiple Intermediate Certificates

If your CA provides multiple intermediate certificates:

Step 5: Install Certificate (External CSR with PFX)

If you generated your CSR externally using our CSR Generator, you'll need to create a PFX file and import it into IIS.

Creating a PFX File

A PFX (PKCS#12) file combines your certificate, private key, and intermediate certificates into a single encrypted file.

- Certificate file (.crt or .cer)

- Private key file (.key)

- CA Bundle file (optional but recommended)

Importing PFX into IIS

- Expand Certificates (Local Computer)

- Expand Personal

- Right-click Certificates > All Tasks > Import

- Browse to your .pfx file

- Enter the password you set during PFX creation

- Check Mark this key as exportable (optional, for backup)

- Select Personal store

Binding Certificate to Website in IIS

After importing the PFX:

Step 6: Verify Your SSL Installation

After installation, verify everything is working correctly.

Verification Steps

- Issued to: Your domain name

- Issued by: Your Certificate Authority

- Valid dates: Should include current date

- Certificate chain validation

- Expiration date

- Protocol support

- Common issues detection

Testing with Different Browsers

Important: Internet Explorer on the server may cache old certificate information. Test with:

If IE shows the certificate is valid but other browsers show warnings, you likely need to install intermediate certificates (Step 4).

Step 7: Backup Your Certificate and Private Key

Always create a backup of your SSL certificate and private key before making any server changes.

Exporting as PFX File

- Select Yes, export the private key

- Choose PKCS #12 (.PFX) format

- Check Include all certificates in the certification path

- Set a strong password

- Save to a secure location

Backup Best Practices

Configure HTTPS and Port 443

After installing SSL, configure IIS to use HTTPS on port 443.

Verify SSL Binding

Require SSL (Optional but Recommended)

To force all traffic over HTTPS:

HTTP to HTTPS Redirect

For IIS 6, create a redirect using a custom error page or third-party ISAPI filter. A common approach:

Alternatively, use URLRewrite or a similar ISAPI extension for server-side redirects.

Multiple SSL Sites on IIS 5 & 6

IIS 5 and 6 have limitations with multiple SSL sites compared to modern versions.

SSL Host Headers (IIS 6 Only)

IIS 6 supports SSL Host Headers for hosting multiple SSL sites on a single IP:

```

cscript adsutil.vbs set /w3svc/<SiteID>/SecureBindings ":443:www.example.com"

```

Limitations

For multiple SSL sites, consider using:

Common IIS SSL Errors & Troubleshooting

Even with careful installation, you may encounter errors. Here's how to resolve the most common issues:

Error: "Page cannot be found" on HTTPS

Causes:

Solutions:

Error: "Certificate not trusted"

Cause: Missing intermediate certificates.

Solution:

Error: "Certificate has expired"

Cause: Certificate validity period has ended.

Solution:

Error: "Server's certificate does not match the URL"

Cause: Certificate Common Name doesn't match the accessed domain.

Solution:

Error: "The pending certificate request was deleted"

Cause: The pending request in IIS was removed before certificate installation.

Solution:

Error: "Old certificate still appears"

Cause: Browser or server caching.

Solutions:

Error: "Cannot find the certificate request"

Cause: CSR was generated on a different website or server.

Solution:

Setting Up SSL Expiry Reminders

SSL certificates have limited validity periods. Don't let your certificate expire unexpectedly—use our free reminder service.

How to Set Up Reminders

You'll receive email notifications before your certificate expires, giving you time to renew without any security warnings for your visitors.

Let's Encrypt vs Purchased SSL for Legacy IIS

Let's Encrypt offers free SSL certificates, but has limitations on legacy IIS systems:

Why Purchased SSL May Be Better for Legacy IIS

For legacy systems where automation is challenging, the longer validity and professional support of purchased certificates often provides better value.

Upgrading from IIS 5/6 to Modern IIS

While this guide helps secure your legacy IIS installation, we strongly recommend planning an upgrade path.

Benefits of Modern IIS (8.0+)

Migration Considerations

Best Practices for Legacy IIS SSL Management

Follow these best practices to maintain optimal SSL security on legacy systems:

Regular Monitoring

Security Measures

Documentation

Renewal Process

For a deeper understanding of certificate infrastructure, read our guide on What is PKI?

Frequently Asked Questions

How long does it take to install SSL on IIS 5 or 6?

The technical installation takes 10-20 minutes once you have all the necessary files. The complete process—including CSR generation, certificate ordering, and domain validation—typically takes 30-60 minutes for DV certificates. OV and EV certificates require additional business validation, taking 1-7 business days.

Can I still get SSL certificates for Windows Server 2003?

Yes, SSL certificates work independently of your server's support status. You can purchase and install certificates on IIS 5/6 as documented in this guide. However, we strongly recommend planning a migration to supported systems.

Why did my pending certificate request disappear?

If you reinstalled Windows, ran certain system tools, or manually deleted it, the pending request may be gone. Unfortunately, you'll need to generate a new CSR and request certificate reissuance from your CA.

What's the difference between IIS 5 and IIS 6 for SSL?

IIS 6 (Windows Server 2003) added SSL Host Headers support, allowing multiple SSL sites on a single IP address. IIS 5 (Windows 2000) requires a unique IP for each SSL site. IIS 6 also has better management tools and configuration options.

Can I use a wildcard SSL certificate on IIS 5/6?

Yes, wildcard certificates work on IIS 5 and 6. Generate the CSR with *.yourdomain.com as the Common Name, and the certificate will secure all subdomains at that level.

How do I install multiple SSL certificates on IIS 6?

Use SSL Host Headers or assign each SSL site to a different IP address. For host headers, use the adsutil.vbs script to configure SecureBindings for each site.

Why does my certificate work in IE but not in Firefox or Chrome?

This usually indicates missing intermediate certificates. IE often caches intermediates from previous sessions, while other browsers require the complete chain. Install all intermediate certificates as described in Step 4.

How do I renew an SSL certificate on IIS?

The renewal process is essentially the same as initial installation. Generate a new CSR (or reuse the existing one if your CA allows), order the renewal, and install the new certificate. Export a PFX backup before making any changes.

Can I export my certificate to move it to a new server?

Yes, export the certificate as a PFX file with the private key included. You can then import this PFX on the new server. See Step 7 for detailed export instructions.

What TLS versions does IIS 5/6 support?

IIS 5 supports SSL 3.0 and TLS 1.0. IIS 6 supports SSL 3.0, TLS 1.0, and with registry modifications, TLS 1.1 and 1.2. Note that SSL 3.0 and TLS 1.0 are considered insecure and should be disabled where possible.

Should I upgrade from IIS 5/6?

Yes, absolutely. IIS 5 and 6 are no longer supported by Microsoft and don't receive security updates. Modern compliance standards often require TLS 1.2 or higher, which requires newer IIS versions. Plan a migration path to protect your organization.

How do I disable SSL 2.0/3.0 on IIS 6?

You can disable insecure protocols via Windows Registry. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and create keys to disable specific protocols. Always test thoroughly after making registry changes.