
How to Install an SSL Certificate on Windows IIS

Microsoft IIS (Internet Information Services) uses PFX format for SSL certificates — different from the PEM files that GetHTTPS and most Linux-based tools produce. This guide covers converting your certificate and installing it on IIS 10.

Prerequisites

  • Windows Server with IIS 10 installed
  • Certificate files from GetHTTPS: cert.pem, privkey.pem, chain.pem
  • OpenSSL installed (comes with Git for Windows, or install separately)

Step 1: Convert PEM to PFX

IIS can’t read PEM files directly. Convert to PFX format using OpenSSL:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

You’ll be prompted to set an export password — remember it for the import step.

Don’t have OpenSSL? If you have Git for Windows installed, OpenSSL is at C:\Program Files\Git\usr\bin\openssl.exe. Or download it from slproweb.com/products/Win32OpenSSL.html.

For more on certificate formats: PEM, PFX, DER explained

Step 2: Import the PFX into IIS

  1. Open IIS Manager (run inetmgr)
  2. Click your server name in the left panel
  3. Double-click Server Certificates in the center panel
  4. Click Import… in the right Actions panel
  5. Browse to your certificate.pfx file
  6. Enter the export password you set in Step 1
  7. Select certificate store: Web Hosting (or Personal)
  8. Click OK

The certificate now appears in the Server Certificates list.

Step 3: Bind HTTPS to your site

  1. In IIS Manager, expand Sites in the left panel
  2. Right-click your website → Edit Bindings…
  3. Click Add…
  4. Set:
    • Type: https
    • Port: 443
    • Host name: yourdomain.com (leave blank for all hostnames)
    • SSL certificate: select the certificate you just imported
  5. Click OK
  6. Repeat for www.yourdomain.com if needed
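
Steps 2 and 3 can also be scripted. The following is an added PowerShell example, not part of the original guide. The site name, PFX path and host name are assumed values, and it assumes an elevated session with a version of the IISAdministration module that provides New-IISSiteBinding. It enables SNI on the binding, as described in the FAQ below.

```powershell
#Requires -RunAsAdministrator
# Added example: Steps 2 and 3 without IIS Manager.
Import-Module IISAdministration

# Assumed values; replace with your own.
$SiteName  = 'Default Web Site'
$HostName  = 'yourdomain.com'
$PfxPath   = 'C:\certs\certificate.pfx'
$StorePath = 'Cert:\LocalMachine\WebHosting'   # the "Web Hosting" store from Step 2

# Prompt for the export password so it is never written to a script or history.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

# Step 2: import. Keep only the certificate that arrived with its private key;
# a certificate without one cannot be bound to a site.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $pfxPassword |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key was imported from $PfxPath."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if (-not $cert.Verify()) {
    Write-Warning 'Windows could not validate the certificate chain; check that chain.pem was included in the PFX.'
}

# Step 3: HTTPS binding on port 443 for this host name, with SNI.
New-IISSiteBinding -Name $SiteName -BindingInformation "*:443:$HostName" -Protocol https `
    -CertificateThumbPrint $cert.Thumbprint -CertStoreLocation $StorePath -SslFlag Sni

# Confirm that HTTP.sys maps the host name to the certificate just imported.
$target = "hostnameport=${HostName}:443"
$bound  = netsh http show sslcert $target | Select-String -SimpleMatch $cert.Thumbprint
if (-not $bound) {
    throw "No SSL binding for ${HostName}:443 references $($cert.Thumbprint)."
}
Write-Output "Bound $($cert.Subject) (expires $($cert.NotAfter)) to ${HostName}:443"
```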

Step 4: Redirect HTTP to HTTPS

Install the URL Rewrite module (if not already installed), then add this rule to your site’s web.config:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Step 5: Verify

Open https://yourdomain.com in a browser. Click the padlock to verify the certificate details.

PowerShell verification:

# Check the certificate bound to port 443
netsh http show sslcert

Troubleshooting

“A specified logon session does not exist”

The private key wasn’t properly imported. Re-export the PFX file with:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:YourPassword

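Make sure the PFX was created from a matching key and certificate. A password given as -passout pass:YourPassword is stored in shell history and visible in the process list, so omit -passout to be prompted as in Step 1 where that matters.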

Certificate doesn’t appear in the binding dropdown

The import may have failed silently. Check Event Viewer → Windows Logs → Application for errors. Ensure the PFX password is correct and the file isn’t corrupted.

“This site is not secure” after binding

Check that the certificate chain is complete. The chain.pem file must be included in the PFX conversion (-certfile chain.pem). Without it, browsers can’t verify the trust chain.
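
A pre-flight check for two of the causes above (a key that does not match the certificate, and a PFX built without chain.pem), as an added PowerShell example that is not part of the original guide. It assumes openssl is on PATH and that privkey.pem, cert.pem and certificate.pfx are in the current directory; Get-PublicKeyPem is a helper defined here.

```powershell
# Added example: check the PEM pair and the PFX contents before importing into IIS.

function Get-PublicKeyPem {
    # Runs openssl with the given arguments and returns its PEM output as one string.
    param([string[]]$OpenSslArgs)
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    ($out -join "`n").Trim()
}

# 1. The public key derived from privkey.pem must equal the one inside cert.pem.
$fromKey  = Get-PublicKeyPem 'pkey', '-in', 'privkey.pem', '-pubout'
$fromCert = Get-PublicKeyPem 'x509', '-in', 'cert.pem', '-noout', '-pubkey'

# -cne compares case-sensitively; Base64 is case-sensitive and plain -ne is not.
if ($fromKey -cne $fromCert) {
    throw 'privkey.pem and cert.pem are not a pair; use matching files before converting.'
}

# 2. The PFX must carry the site certificate plus at least one certificate from chain.pem.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
$pfx  = Get-PfxData -FilePath '.\certificate.pfx' -Password $pfxPassword
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1

if (-not $leaf) {
    throw 'certificate.pfx contains no end-entity certificate.'
}
if (@($pfx.OtherCertificates).Count -eq 0) {
    throw 'certificate.pfx contains no chain certificates; convert again with -certfile chain.pem.'
}

# Summary of what IIS will receive on import.
[pscustomobject]@{
    Subject        = $leaf.Subject
    Thumbprint     = $leaf.Thumbprint
    NotAfter       = $leaf.NotAfter
    ChainCertCount = @($pfx.OtherCertificates).Count
}
```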

Frequently asked questions

Can I use a Let’s Encrypt certificate with IIS?

Yes. Let’s Encrypt certificates work with any server, including IIS. The only extra step is converting PEM to PFX format. GetHTTPS gives you PEM files; the OpenSSL command above converts them.

Is there a tool like Certbot for IIS?

win-acme (formerly letsencrypt-win-simple) is the most popular ACME client for Windows/IIS. It handles certificate issuance, PFX conversion, IIS binding, and auto-renewal in one tool. Use it if you want fully automated Let’s Encrypt on IIS.

How do I renew on IIS?

  1. Get a new certificate from GetHTTPS
  2. Convert to PFX: openssl pkcs12 -export -out new.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
  3. Import the new PFX in IIS Manager → Server Certificates
  4. Update the site binding to use the new certificate
  5. Remove the old certificate from Server Certificates

For automated renewal, consider win-acme — it handles the entire cycle automatically.

Does IIS support ECDSA/ECC certificates?

IIS 10 on Windows Server 2016+ supports ECDSA certificates. GetHTTPS generates ECDSA P-256 by default, which works with modern IIS. Older IIS versions (8.5 and below) may require RSA certificates.

Can I use IIS with multiple sites on the same IP?

Yes. IIS 8+ supports SNI (Server Name Indication), which allows multiple SSL certificates on the same IP address. When adding the HTTPS binding, check “Require Server Name Indication” and enter the hostname. Each site can have its own certificate.

How do I find OpenSSL on Windows?

OpenSSL isn’t included with Windows by default. Common sources:

  • Git for Windows includes it at C:\Program Files\Git\usr\bin\openssl.exe
  • Chocolatey: choco install openssl
  • Win32/Win64 builds: download from slproweb.com

After installing, add it to your PATH or use the full path in commands.
