
A guide on how to import certificates to the IIS Server Manager

SSL/TLS certificates are essential for hosting websites on IIS (Internet Information Services) servers as they ensure that the data transmitted between server and user is encrypted. 

This prevents attackers from intercepting sensitive data, such as PII, PHI, and PCI data, through methods like man-in-the-middle attacks. For websites hosted on IIS and handling sensitive information, encryption is non-negotiable.

Problem Statement

When you generate a certificate signing request (CSR), the private key is typically bound to the certificate. However, if you are using a third-party Certificate Lifecycle Management (CLM) solution that lacks the capability to issue a .PFX certificate (a format required to import a certificate into IIS), this can create a challenge. Without a .PFX file, which combines the certificate and the private key, the certificate cannot be imported into IIS.

The following steps simplify the task of exporting and importing certificates in the required format, ensuring your server is ready to build a secure connection. 

Prerequisites

Before importing the certificate, make sure the following prerequisites are met to ensure a smooth configuration.

  1. Certificate Signing Request (CSR)

    • Generate a Certificate Signing Request (CSR) for the domain you intend to secure.

    • Include the necessary details like the Common Name (your domain), organization information, and location.

    • Submit the CSR to the Certificate Authority to obtain the issued certificate.

  2. SSL/TLS Certificate

    • Obtain a valid SSL/TLS certificate from a trusted Certificate Authority (CA).

    • Import the certificate in your personal certificate store before importing it on IIS.

    • Ensure you have the required formats:

      • .PFX format for importing into IIS Server Manager (includes the certificate and private key).

  3. IIS Server Installed and Configured

    • Ensure IIS is installed on your server. You can install it using the Server Manager on Windows Server or through the Add Roles and Features Wizard.

    • Verify that the IIS service is running and properly configured to host your website.

  4. Administrative Access to the Server

    • Ensure you have administrative privileges to access the IIS server and Certificate Management Console. These permissions are necessary for installing and configuring the SSL/TLS certificate.

  5. Backup of Private Key (Optional but Recommended)

    • If you’re exporting a certificate with its private key, ensure the private key is securely backed up. Losing it can result in the certificate becoming unusable.

Exporting the Certificate to a PFX Format 

The PFX format is essential for importing the certificate into IIS Server Manager because it combines the certificate and its private key. Below are the steps for exporting the certificate to a PFX format. 

  1. Open the Certificate Management Console (certlm.msc):

    • Go to File > Add/Remove Snap-In.
    • Select Certificates and click Add.
    • Choose My User Account, then click Finish and OK.

  2. Locate the certificate:

    • Navigate to Certificates – Current User > Personal > Certificates.

  3. Export the certificate:

    • Right-click on the certificate and select All Tasks > Export.
    • In the Certificate Export Wizard:

      • Click Next.
      • Select Yes, export the private key, and click Next.
      • Choose the .PFX format and click Next.
      • Specify a password to secure the PFX file, then click Next.
      • Specify a location to save the file and click Finish.

You now have the certificate in the .PFX format, ready for import into IIS Server Manager.  

There are 2 ways to complete the process of importing the certificate to IIS server:

Method 1: Using a .PFX Certificate

Step 1: Open IIS Manager:

  • Navigate to the Server Certificates section. 

Step 2: Import the Certificate:

  • On the right-hand action pane, select the Import option. 
  • Browse to your .PFX file, enter the password, and click OK


You have successfully imported the certificate. Proceed to bind it to your site.

Note: Sometimes, exporting a certificate in .PFX format may not work due to restrictions on the certificate template. If you encounter such limitations, Method 2 provides an alternative way to bind the certificate in IIS without requiring a .PFX file. 
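
The export wizard and the IIS Manager import described above can also be scripted with the Windows PKI cmdlets. This is an added example, not part of the original article; the subject name and the PFX path are placeholders, and it assumes an elevated session run as the user whose Personal store holds the certificate.

```powershell
# Added example (not from the original article). Placeholder values below.
$subject = 'CN=www.example.com'                 # placeholder certificate subject
$pfxPath = Join-Path $env:TEMP 'site.pfx'       # placeholder temporary PFX path

# Locate the certificate under Current User > Personal and require a private key.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "$subject*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches $subject" }

# Prompt for the PFX password so it never appears in the script or shell history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

try {
    # Equivalent of "Yes, export the private key" plus the .PFX format in the wizard.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
        -Password $pfxPassword -ErrorAction Stop | Out-Null

    # Import into Local Machine > Personal, the store IIS Server Certificates lists.
    # Without -Exportable the imported key is marked non-exportable on the server.
    $imported = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation Cert:\LocalMachine\My `
        -Password $pfxPassword -ErrorAction Stop

    if (-not $imported.HasPrivateKey) { throw 'Imported certificate has no private key' }
    $imported | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
}
catch {
    # A key marked non-exportable by the certificate template fails at the export step.
    Write-Error "PFX export/import failed: $($_.Exception.Message)"
}
finally {
    # The PFX contains the private key; do not leave the working copy on disk.
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
}
```

If you keep a backup of the PFX as recommended in the prerequisites, store it somewhere access-controlled rather than in the temporary path used here.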

Method 2: Binding the Certificate from Certificate Bindings 

If you already have the certificate with the private key in the local machine store, follow these steps to bind it directly to your website: 

Navigate to the Website

  • In IIS Manager, select the Default Web Site (or the target site) from the left-hand pane. On the right-hand action pane, select Bindings.

Access Site Bindings

  • In the Bindings window, locate and enable the option for port 443
  • Click Edit

Bind the Certificate

  • Enter the hostname associated with the certificate. 
  • From the dropdown, select the appropriate certificate. 
  • Use the View option to verify that you are binding the correct certificate. 
  • Click OK
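
The binding steps above, scripted with the WebAdministration module. This is an added example, not part of the original article; the hostname is a placeholder, an elevated session on the IIS server is assumed, and the hostname match is exact, so a wildcard certificate would need a different filter.

```powershell
# Added example (not from the original article). Placeholder values below.
Import-Module WebAdministration
$siteName = 'Default Web Site'
$hostName = 'www.example.com'     # placeholder hostname

# Pick a currently valid certificate from Local Machine > Personal that has a
# private key and lists the hostname among its DNS names.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $hostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key covers $hostName" }

# Create the https binding on port 443 if the site does not have one for this host.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 `
        -HostHeader $hostName -SslFlags 1      # 1 = Server Name Indication
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName
}

# Attach the certificate by thumbprint from the "My" (Personal) store,
# replacing a different certificate if one is already bound.
if ($binding.certificateHash -eq $cert.Thumbprint) {
    Write-Output 'Binding already uses this certificate.'
} else {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Same check as the View option: confirm which certificate the binding now uses.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash, certificateStoreName
```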

Note: If you encounter an error while attempting to edit site bindings, follow these troubleshooting steps: 

Verify Application Pool Account: 

  • Check the application pool under which your website runs. 
  • Ensure it is running under the Network Service account.

Open the certificate store by running certlm.msc. 

Locate the certificate in the Personal > Certificates folder. 

Right-click the certificate, go to All Tasks, and select Manage Private Keys

Click on Add… 

Type Network Service in the "Enter the object names to select" field.

Click Check Names and assign Read permission.

Restart the IIS service using the command iisreset.

Retry the binding process. 
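
The Manage Private Keys steps above can be checked and applied from PowerShell by editing the ACL on the key file itself. This is an added example, not part of the original article; the thumbprint is a placeholder, an RSA key and an elevated session are assumed, and it grants Read only, matching the permission named in the steps.

```powershell
# Added example (not from the original article). Placeholder values below.
$thumbprint = '<CERTIFICATE-THUMBPRINT>'        # placeholder: thumbprint of your certificate
$account    = 'NT AUTHORITY\NETWORK SERVICE'    # account named in the steps above

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key in this store' }

# Resolve the key container name for either a CNG key or a legacy CSP key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Not an RSA key; this example handles RSA keys only' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine key files live in one of these directories, depending on the provider.
$keyFile = "$env:ProgramData\Microsoft\Crypto\Keys",
           "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
    ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file for container $keyName not found" }

# Show who can currently read the private key before changing anything.
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType

# Grant Read (not Full Control) only if the account does not already have it.
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}
if (-not $hasRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# Restart IIS as in the steps above, then retry the binding.
iisreset
```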

How can Encryption Consulting help? 

CertSecure Manager, our Certificate Lifecycle Management (CLM) solution, provides automation agents for IIS, Apache, Tomcat and load balancers like F5. This automates the process of certificate renewal and deployment, i.e., binding the certificate with hosted services for such endpoints. This approach ensures that you can proceed directly to binding the certificate in web servers like IIS, reducing the risk of errors and saving valuable time. Additionally, our Managed PKI services provide end-to-end support for such scenarios, ensuring quick resolution and efficient handling of certificate-related tasks, minimizing downtime and operational complexity.

Conclusion

Importing SSL/TLS certificates into IIS Server Manager is a critical step in securing your website and maintaining secure communication between the web server and client. By following these steps, you can easily import and bind your SSL/TLS certificate with the given service in the IIS web server. Both methods highlight the steps required to bind the digital certificate from the trust store, while troubleshooting permissions ensures smooth certificate binding and secure website functionality.


About the Author


Aditi Goel is a consultant at Encryption Consulting. Her main focus revolves around PKI-As-A-Service initiatives (PKIs) and cloud services. She leverages her knowledge of PKIs, HSM, CLM and Code Signing to develop solutions for our clients. She ensures that the clients receive customized strategies that fit their needs perfectly.
