Installing a PFX SSL Certificate on Microsoft IIS and Binding It to a Website
Sarah Mitchell
Windows servers handle SSL Certificates differently from Linux servers in one fundamental way. Instead of separate SSL Certificate and Private Key files, Windows works with a single password-protected container called a Personal Information Exchange (PFX) file that holds the SSL Certificate, the Private Key, and usually the Intermediate Certificates together.
This guide covers importing that file into Internet Information Services (IIS) on Windows Server 2016, 2019, and 2022, then binding it to a website so HTTPS starts working.
This procedure applies when you already hold a PFX file, typically because the SSL Certificate was exported from another Windows server or converted from separate files.
If your Certificate Signing Request (CSR) was generated on this same server and you hold a plain .crt file instead, use the Complete Certificate Request action in IIS Manager rather than the import process described here.
Prerequisites
You need local Administrator access to the Windows server, the PFX file itself, and the password that was set when the file was created. Without the password the file cannot be opened, and the password cannot be recovered or reset, so locate it before starting.
The website should already exist in IIS, and port 443 must be open on the Windows firewall and any upstream firewall or load balancer. Your issued SSL Certificate files remain available in the tracking system at any time.
If the PFX format itself is unfamiliar, a short background read makes the rest of this guide easier to follow.
Importing the PFX File
Open Server Manager, then choose Tools followed by IIS Manager. In the left pane select the server name itself at the top of the tree, not an individual site, and double click the Server Certificates icon in the center pane.
In the Actions pane on the right, click Import. Browse to the PFX file, enter the password, and leave the Certificate Store set to Personal. Ticking the option to allow the SSL Certificate to be exported is recommended, because it permits a clean export later if the SSL Certificate ever needs to move to another server.
After clicking OK, the SSL Certificate appears in the Server Certificates list with its friendly name, expiry date, and issuer visible. If the import fails with a password error, the password is incorrect for this specific file, and a dedicated troubleshooting article covers the common causes.
Binding the SSL Certificate to a Website
Importing alone makes the SSL Certificate available to the server but serves nothing. The binding is what connects the SSL Certificate to a specific website and port.
In IIS Manager, expand Sites in the left pane and select the target website. Click Bindings in the Actions pane, then click Add, or Edit if an HTTPS binding already exists from a previous SSL Certificate.
Set the Type to https and the Port to 443. Leave the IP Address as All Unassigned unless the server hosts sites on dedicated addresses. In the Host name field, enter the Fully Qualified Domain Name (FQDN) the site answers on.
Tick Require Server Name Indication (SNI) whenever the server hosts more than one HTTPS site, since SNI is what lets multiple SSL Certificates share port 443. Finally, select the newly imported SSL Certificate from the dropdown and click OK.
Important: When replacing an expiring SSL Certificate, edit the existing HTTPS binding and switch the SSL Certificate selection rather than adding a second binding. Two bindings competing for the same hostname and port produce intermittent SSL Certificate errors that are difficult to diagnose.
With the binding saved, the SSL Certificate is live and ready to confirm.
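The import and binding steps above can also be scripted. The following PowerShell is an added example, not part of the original guide; it uses the WebAdministration and PKI modules that ship with Windows Server, and the site name, host name and file path are assumed placeholder values.

```powershell
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Assumed values for illustration; replace with your own.
$SiteName = 'Default Web Site'
$HostName = 'www.example.com'
$PfxPath  = 'C:\Temp\example.pfx'

# Prompt for the password so it is not stored in the script or shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the computer's Personal store, with the key marked exportable.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword -Exportable

# Stop here if no imported certificate carries a Private Key.
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw "No Private Key was imported from $PfxPath." }

# Reuse an existing HTTPS binding for this host name instead of adding a second one.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
    # SslFlags 1 = Require Server Name Indication.
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}
elseif ($binding.certificateHash) {
    # Detach the previous certificate before attaching the new one.
    $binding.RemoveSslCertificate()
}

# Attach the imported certificate from the Personal ("My") store to the binding.
$binding.AddSslCertificate($cert.Thumbprint, 'My')
```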
Verifying the Installation
Browse to the site over HTTPS and inspect the padlock to confirm the SSL Certificate details, covered hostnames, and expiry date. Then run an external check, because Windows desktop browsers cache Intermediate Certificates and can hide a chain problem that mobile devices will reject.
Trustico® provides free checking tools that display the chain exactly as a fresh client receives it.
For a server-side confirmation, open the Microsoft Management Console (MMC) with the Certificates snap-in for the Computer Account, navigate to Personal and then Certificates, and open the imported SSL Certificate.
The dialog should state that you have a Private Key corresponding to this SSL Certificate. If that line is absent, the Private Key did not import, and HTTPS bindings using this SSL Certificate will fail.
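The same server-side confirmation can be run across every HTTPS binding at once. This PowerShell is an added example, not part of the original guide; it assumes the WebAdministration module and certificates held in the local computer store, and it also flags a host name and port that are bound more than once.

```powershell
Import-Module WebAdministration

# Build one report row per HTTPS binding on this server.
$report = foreach ($b in Get-WebBinding -Protocol https) {
    # bindingInformation is "IP:port:hostname"; the last two fields are port and host.
    $parts = $b.bindingInformation -split ':'
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }

    # Look up the bound certificate in the computer store by its thumbprint.
    $cert = $null
    if ($b.certificateHash) {
        $cert = Get-Item -Path "Cert:\LocalMachine\$store\$($b.certificateHash)" `
            -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Endpoint      = '{0}:{1}' -f $parts[-1], $parts[-2]
        Thumbprint    = $b.certificateHash
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        DaysLeft      = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
    }
}
$report | Format-Table -AutoSize

# A binding whose certificate is missing or has no Private Key will fail to serve HTTPS.
$report | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "No usable Private Key behind binding $($_.Endpoint)."
}

# The same host name and port bound more than once should be reviewed.
$report | Group-Object -Property Endpoint | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Host name and port bound $($_.Count) times: $($_.Name)."
}
```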
Troubleshooting Common Installation Problems
Chain warnings on some devices but not others almost always mean an Intermediate Certificate problem rather than a fault with the SSL Certificate itself. Windows resolves chains through its own store, and a missing or outdated Intermediate Certificate produces exactly this split behavior.
An SSL Certificate that disappears from IIS Manager moments after import was imported without its Private Key. This happens when a plain .crt file is renamed to .pfx or when the export that created the file excluded the key.
Recreate the PFX file from the original server with the Private Key included, or complete a reissue against a fresh CSR generated on this server.
If the binding saves but the site still answers with the old SSL Certificate, restart the site in IIS Manager or run iisreset from an elevated command prompt to clear the cached binding.
Professional Installation Assistance
IIS installations are quick once the PFX file is in hand, but environments with multiple sites, load balanced servers, or Exchange and Remote Desktop services sharing SSL Certificates can become intricate.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.