Version Overview

IIS 6.0
Deprecated
The IIS version for Windows Server 2003. It uses the old management interface, does not support SNI, and has limited TLS protocol support.
⚠️ Note: Windows Server 2003 is no longer supported and carries serious security risks; upgrading is strongly recommended.
IIS 7.0 / 7.5
Stable Version
The IIS version for Windows Server 2008 / 2008 R2. It introduced a new management interface and PowerShell support, but still does not support SNI.
IIS 8.0 / 8.5
Recommended Version
The IIS version for Windows Server 2012 / 2012 R2. It is the first to support SNI, which allows multiple SSL certificates to be bound on the same IP address.
✅ Key feature: Starting from IIS 8.0, SNI (Server Name Indication) is supported; this is the key feature for multi-site SSL configuration.
IIS 10.0
Current Version
The IIS version for Windows Server 2016 / 2019 / 2022. It supports all modern TLS protocols (including TLS 1.2 and TLS 1.3) and provides the best security and performance.
IIS Version | Windows Server  | SNI Support | TLS 1.2                | TLS 1.3     | PowerShell Support
IIS 6.0     | 2003            | No          | ⚠️ Needs Configuration | No          | No
IIS 7.0     | 2008            | No          | Yes                    | No          | Yes
IIS 7.5     | 2008 R2         | No          | Yes                    | No          | Yes
IIS 8.0     | 2012            | Yes         | Yes                    | No          | Yes
IIS 8.5     | 2012 R2         | Yes         | Yes                    | No          | Yes
IIS 10.0    | 2016/2019/2022  | Yes         | Yes                    | Yes (2019+) | Yes

Certificate Format Conversion

IIS requires certificate files in .pfx or .p12 format. If you receive .crt and .key files, you need to convert them to .pfx format first.

Convert using OpenSSL (Recommended)

    # Merge the certificate chain (if needed)
    cat your_domain.crt intermediate_ca.crt > fullchain.crt

    # Convert to PFX format
    openssl pkcs12 -export -out your_domain.pfx -inkey your_domain.key -in fullchain.crt

    # You will be prompted to set a PFX password; keep this password safe

Convert using Windows Certificate Manager

Step 1: Import Certificate to Certificate Store

  1. Double-click .crt file, select "Install Certificate"
  2. Select "Local Computer", click "Next"
  3. Select "Place all certificates in the following store", click "Browse"
  4. Select "Personal", click "OK"
  5. Complete import

Step 2: Export as PFX Format

  1. Open "Run" (Win+R), enter certmgr.msc
  2. Expand "Personal" → "Certificates"
  3. Find your certificate, right-click and select "All Tasks" → "Export"
  4. Select "Yes, export the private key"
  5. Select "Personal Information Exchange - PKCS #12 (.PFX)"
  6. Set password and save file
⚠️ Note: If the private key file is provided separately, you need to merge the private key and certificate first, then convert to PFX format.

Import Certificate via GUI

All IIS versions support importing certificates through the graphical interface, but the interface differs slightly between versions:

IIS 7.0+ Import Method (Recommended)

Step 1: Open IIS Manager

Open "Server Manager" → "Tools" → "Internet Information Services (IIS) Manager"

Step 2: Import Certificate to Server Certificate Store

  1. Select server name in left connection tree
  2. Double-click "Server Certificates"
  3. Click "Import" in right action panel
  4. Select your .pfx file
  5. Enter PFX file password
  6. Select certificate store location (recommend selecting "Personal")
  7. Click "OK" to complete import

IIS 6.0 Import Method

Import using Certificate Manager

  1. Open "Run" (Win+R), enter certmgr.msc
  2. Expand "Personal" → "Certificates"
  3. Right-click and select "All Tasks" → "Import"
  4. Select your .pfx file and enter password
  5. Complete import
💡 Tip: After importing the certificate, it will appear in the "Server Certificates" list in IIS Manager, and you can select it when binding sites.

Import Certificate via PowerShell

⚠️ Note: The PowerShell import method requires IIS 7.0 or higher; IIS 6.0 does not support PowerShell.

Import Certificate to Local Computer Store

    # Import the PFX certificate into the local computer's Personal store
    $pfxPath = "C:\path\to\your_domain.pfx"
    $password = ConvertTo-SecureString -String "YourPFXPassword" -Force -AsPlainText
    Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password

    # Verify that the certificate was imported
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*yourdomain.com*" }

Import using IIS PowerShell Module

    # Import the WebAdministration module
    Import-Module WebAdministration

    # Import the certificate
    $pfxPath = "C:\path\to\your_domain.pfx"
    $password = "YourPFXPassword"
    $cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString -String $password -Force -AsPlainText)

    # Verify: list the existing SSL bindings
    Get-ChildItem IIS:\SslBindings
📝 Note: The PowerShell method is suitable for batch deployment and automation; you can write scripts that import and bind certificates automatically.
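The commands above import the PFX but only confirm that a certificate with a matching subject exists. The following is an added example (not code from the original page) that imports the PFX and then checks the things that cause the errors listed under Troubleshooting: whether a private key came with it, whether it has expired, whether its names cover the host you will bind, and whether the Windows chain engine can build its chain. The PFX path and the expected host name are assumed placeholders; the password is read from the console rather than stored in the script.

```powershell
# Added example, not from the original page: import a PFX and check that the
# resulting certificate is actually usable by IIS before binding it.
# Assumed values: the PFX path and the expected host name at the end.
Import-Module PKI   # provides Import-PfxCertificate (Windows Server 2012+ / PowerShell 3+)

function Import-PfxAndVerify {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$ExpectedHostName,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )

    # The private key is imported as non-exportable by default, which is what a web server wants
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    # Re-read it through the Cert: provider so PowerShell's DnsNameList property is available
    $cert = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"

    $problems = @()

    # "Certificate private key not found": the PFX carried no key
    if (-not $cert.HasPrivateKey) { $problems += 'no private key associated with the certificate' }

    # Expiry
    $now = Get-Date
    if ($cert.NotAfter -lt $now) { $problems += "certificate expired on $($cert.NotAfter)" }
    elseif ($cert.NotAfter -lt $now.AddDays(30)) { Write-Warning "certificate expires on $($cert.NotAfter)" }

    # Name check against the Subject Alternative Names (exact match; wildcard names are not expanded here)
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $ExpectedHostName) {
        $problems += "certificate names [$($names -join ', ')] do not include $ExpectedHostName"
    }

    # "Intermediate certificate missing": ask the Windows chain engine to build the chain.
    # A failed build usually means the intermediate is not installed; import it from
    # intermediate_ca.crt or rebuild the PFX from fullchain.crt. Revocation checking is
    # skipped so this works offline. (Caveat: when online, a successful build may also come
    # from an AIA download rather than from a locally installed intermediate.)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "certificate chain does not build: $status"
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Problems   = $problems
        Usable     = ($problems.Count -eq 0)
    }
}

# Usage: read the password interactively instead of hard-coding it in the script
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-PfxAndVerify -PfxPath 'C:\path\to\your_domain.pfx' -ExpectedHostName 'yourdomain.com' -Password $pfxPassword
```

Run it once per PFX on the target server; a result with `Usable = False` lists every problem found, so a missing intermediate and a missing private key are caught before the certificate is selected in a binding rather than after the first failed HTTPS connection.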

Site Binding Configuration

GUI Method Binding (All Versions)

Step 1: Open Site Binding

  1. Expand "Sites" in IIS Manager
  2. Select the website to configure
  3. Click "Bindings" in right action panel

Step 2: Add HTTPS Binding

  1. Click "Add" in "Site Bindings" dialog
  2. Type select "https"
  3. IP address select "All Unassigned" or specific IP
  4. Port set to "443"
  5. SSL certificate select your imported certificate
  6. IIS 8.0+: Check "Require Server Name Indication (SNI)" (if using SNI)
  7. Host name enter your domain (IIS 8.0+ support)
  8. Click "OK" to complete binding

PowerShell Method Binding (IIS 7.0+)

    # Import the WebAdministration module
    Import-Module WebAdministration

    # Get the certificate thumbprint
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*yourdomain.com*" }
    $thumbprint = $cert.Thumbprint

    # Bind the certificate to the site (without SNI)
    New-WebBinding -Name "YourSiteName" -Protocol https -Port 443 -SslFlags 0

    # Assign the certificate to the binding
    $binding = Get-WebBinding -Name "YourSiteName" -Protocol https
    $binding.AddSslCertificate($thumbprint, "My")

    # IIS 8.0+: use an SNI binding
    New-WebBinding -Name "YourSiteName" -Protocol https -Port 443 -HostHeader "yourdomain.com" -SslFlags 1
    $binding = Get-WebBinding -Name "YourSiteName" -Protocol https -HostHeader "yourdomain.com"
    $binding.AddSslCertificate($thumbprint, "My")
💡 Note:
  • SslFlags 0: do not use SNI (IIS 7.0/7.5)
  • SslFlags 1: use SNI (IIS 8.0+)
  • When using SNI, each domain needs to be bound separately

SNI (Server Name Indication) Support

⚠️ Important: SNI support requires IIS 8.0 or higher. IIS 7.0 and 7.5 do not support SNI, so only one SSL certificate can be bound per IP address.

What is SNI?

SNI allows binding multiple SSL certificates on the same IP address, each certificate corresponding to a different domain name. This is very useful for shared hosting environments.

IIS 8.0+ SNI Configuration

    # Configure SNI for multiple domains
    Import-Module WebAdministration

    # Site 1: yourdomain.com
    $cert1 = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*yourdomain.com*" }
    New-WebBinding -Name "Site1" -Protocol https -Port 443 -HostHeader "yourdomain.com" -SslFlags 1
    $binding1 = Get-WebBinding -Name "Site1" -Protocol https -HostHeader "yourdomain.com"
    $binding1.AddSslCertificate($cert1.Thumbprint, "My")

    # Site 2: anotherdomain.com (same IP)
    $cert2 = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*anotherdomain.com*" }
    New-WebBinding -Name "Site2" -Protocol https -Port 443 -HostHeader "anotherdomain.com" -SslFlags 1
    $binding2 = Get-WebBinding -Name "Site2" -Protocol https -HostHeader "anotherdomain.com"
    $binding2.AddSslCertificate($cert2.Thumbprint, "My")
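Both the PowerShell binding section and the SNI configuration above select the certificate with `Subject -like "*yourdomain.com*"`. That pattern also matches an expired copy of the same certificate, a certificate for `yourdomain.com.example`, or one with no private key, and `New-WebBinding` fails if the binding already exists. The following added example (not code from the original page) does the same SNI binding for the two sites, but selects the certificate by its Subject Alternative Names (wildcards handled), private key, validity and server-authentication usage, and can be re-run safely. The site names, host names and the `!<port>!<hostname>` form of the `IIS:\SslBindings` entries are assumptions.

```powershell
# Added example, not from the original page: create an SNI binding using the
# certificate that actually covers the host name, instead of a loose
# Subject -like "*domain*" match. Assumed names: Site1/Site2 and the host names at the end.
Import-Module WebAdministration

# Does a certificate name (possibly a wildcard such as *.example.com) cover the host name?
function Test-CertNameCovers {
    param([string]$CertName, [string]$HostName)
    $CertName = $CertName.ToLowerInvariant(); $HostName = $HostName.ToLowerInvariant()
    if ($CertName -eq $HostName) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                        # ".example.com"
        if (-not $HostName.EndsWith($suffix)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label -ne '' -and $label -notmatch '\.')      # a wildcard covers exactly one label
    }
    return $false
}

# Pick the best server certificate for a host name: has a private key, not expired,
# usable for server authentication (OID 1.3.6.1.5.5.7.3.1), covers the name; newest expiry wins.
function Get-ServerCertForHostName {
    param([Parameter(Mandatory)][string]$HostName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $cert.HasPrivateKey -and
        $cert.NotAfter -gt (Get-Date) -and
        ($cert.EnhancedKeyUsageList.Count -eq 0 -or $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        (@($cert.DnsNameList | ForEach-Object { $_.Unicode }) | Where-Object { Test-CertNameCovers $_ $HostName })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Set-SniBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $cert = Get-ServerCertForHostName -HostName $HostName
    if (-not $cert) { throw "no valid server certificate for $HostName in Cert:\LocalMachine\My" }

    # Idempotent: New-WebBinding errors if the binding already exists
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    if (-not $binding) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName -SslFlags 1   # 1 = SNI
        $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    }

    # Assumption: SNI entries appear in IIS:\SslBindings as "!<port>!<hostname>"; replace a stale certificate
    $sslPath = "IIS:\SslBindings\!$Port!$HostName"
    if (Test-Path $sslPath) {
        if ((Get-Item $sslPath).Thumbprint -eq $cert.Thumbprint) { return "already bound: $HostName -> $($cert.Thumbprint)" }
        Remove-Item $sslPath
    }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')

    [pscustomobject]@{ Site = $SiteName; HostName = $HostName; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
}

Set-SniBinding -SiteName 'Site1' -HostName 'yourdomain.com'
Set-SniBinding -SiteName 'Site2' -HostName 'anotherdomain.com'
```

Because the selection prefers the certificate with the latest `NotAfter`, the same script serves as a renewal step: import the renewed PFX, run it again, and the binding moves to the new thumbprint while an old one left in the store is ignored.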

IIS 7.0/7.5 Limitations

📝 Note: Because IIS 7.0 and 7.5 do not support SNI, you need to:
  • Use different IP addresses for each domain, or
  • Use wildcard certificate (*.example.com), or
  • Use multi-domain certificate (SAN certificate)

TLS Protocol Configuration

Windows Server TLS protocol configuration is done through the registry; different versions support different protocols:

View Current TLS Protocol Support

    # View whether TLS 1.2 is enabled
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name Enabled

    # View the status of all TLS protocols
    Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" | ForEach-Object {
        $protocol = $_.PSChildName
        $path = $_.PSPath
        $enabled = (Get-ItemProperty -Path "$path\Server" -Name Enabled -ErrorAction SilentlyContinue).Enabled
        Write-Host "$protocol : $enabled"
    }

Enable TLS 1.2 (IIS 7.0+)

    # Enable TLS 1.2 on the server side
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Force
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name Enabled -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name DisabledByDefault -Value 0 -PropertyType DWORD -Force

    # Enable TLS 1.2 on the client side
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name Enabled -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name DisabledByDefault -Value 0 -PropertyType DWORD -Force

    # Disable insecure protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1)
    $protocols = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1")
    foreach ($protocol in $protocols) {
        New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server" -Force | Out-Null
        New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server" -Name Enabled -Value 0 -PropertyType DWORD -Force
        New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server" -Name DisabledByDefault -Value 1 -PropertyType DWORD -Force
    }

    # Restart the server to apply the configuration
    Restart-Computer

Enable TLS 1.3 (IIS 10.0 / Windows Server 2019+)

    # Windows Server 2019+ supports TLS 1.3
    # Enable TLS 1.3 (requires Windows update support)
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" -Force
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" -Name Enabled -Value 1 -PropertyType DWORD -Force
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" -Name DisabledByDefault -Value 0 -PropertyType DWORD -Force

    # Restart the server
    Restart-Computer
⚠️ Note: After modifying the registry, you need to restart the server for the configuration to take effect. It is recommended to perform this operation during a maintenance window.
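The status check earlier in this section reads only the Server-side `Enabled` value, but a protocol is effectively usable only when `Enabled` is non-zero and `DisabledByDefault` is not 1, and the Client side matters for outbound connections made by the server. The following added example (not code from the original page) audits every protocol key on both sides against a stated policy and reports drift without modifying anything, so it can run on production before a maintenance window. The `$policy` table is an assumption that mirrors this page's recommendation; adjust it to your baseline.

```powershell
# Added example, not from the original page: audit every SCHANNEL protocol key
# (Server and Client side, Enabled and DisabledByDefault) against the policy the
# page recommends and report drift without changing anything. $policy is an assumption.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# $true = must be usable, $false = must be explicitly switched off
$policy = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Test-SchannelPolicy {
    foreach ($proto in $policy.Keys) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $schannel "$proto\$side"
            $enabled = $null; $dbd = $null             # $null = value (or key) absent, OS default applies
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                $enabled = $p.Enabled                   # 0 = off; 1 or 0xFFFFFFFF (shown as -1) = on
                $dbd     = $p.DisabledByDefault         # 1 = only used when an application opts in
            }
            $want = $policy[$proto]
            if ($want) {
                # Usable unless explicitly disabled by either value
                $ok = ($enabled -ne 0) -and ($dbd -ne 1)
            } else {
                # Must be explicitly off; relying on the OS default is not compliance
                $ok = ($null -ne $enabled) -and ($enabled -eq 0)
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
                Wanted            = $want
                Compliant         = $ok
            }
        }
    }
}

$report = Test-SchannelPolicy
$report | Format-Table -AutoSize
$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) protocol setting(s) differ from policy; registry changes need a reboot, so fix them in a maintenance window"
}
```

Run it before and after applying the registry changes in this section: the "before" report documents the starting state, and a clean "after" report (no warning) confirms that every legacy protocol is explicitly disabled rather than merely left at an OS default that a later update might change.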

HTTP to HTTPS Redirect

Method 1: Use URL Rewrite Module (IIS 7.0+)

The IIS URL Rewrite module must be installed (all IIS versions support it):

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

Method 2: Use HTTP Redirect (IIS 7.0+)

Configuration Steps

  1. Select website in IIS Manager
  2. Double-click "HTTP Redirect"
  3. Check "Redirect requests to this destination"
  4. Enter: https://yourdomain.com{REQUEST_URI}
  5. Select "Redirect only requests to content in this directory (not subdirectories)" (optional)
  6. Status code select "Permanent (301)"
  7. Click "Apply"
💡 Tip: The URL Rewrite module method is more flexible and can handle more complex redirect scenarios.
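Whichever redirect method is used, the result should be checked from a client: the plain-HTTP request must answer with a 301 whose Location keeps the original path on the HTTPS scheme, and, since Best Practices below recommends HSTS, the HTTPS response should carry a Strict-Transport-Security header. The following added example (not code from the original page) performs both checks without following redirects; the host name and paths are assumed placeholders.

```powershell
# Added example, not from the original page: check from a client that plain HTTP
# gets a 301 to the HTTPS URL and that the HTTPS response carries an HSTS header.
# Assumed host name: yourdomain.com.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # older .NET defaults to TLS 1.0

function Invoke-HeadRequest {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.AllowAutoRedirect = $false       # we want to see the redirect itself, not follow it
    $req.Timeout = 10000
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 4xx/5xx responses still carry headers
    if (-not $resp) { throw "no HTTP response from $Url (connection or TLS failure)" }
    $result = [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
        Hsts     = $resp.Headers['Strict-Transport-Security']
    }
    $resp.Close()
    $result
}

function Test-HttpsRedirect {
    param([Parameter(Mandatory)][string]$HostName, [string]$Path = '/')
    $http = Invoke-HeadRequest -Url "http://$HostName$Path"
    # The URL Rewrite rule produces https://{HTTP_HOST}/{R:1}, so the path must survive unchanged
    $expected = "https://$HostName$Path"
    $https = Invoke-HeadRequest -Url $expected
    $maxAge = if ($https.Hsts -match 'max-age=(\d+)') { [int64]$matches[1] } else { 0 }
    [pscustomobject]@{
        RedirectStatus   = $http.Status
        RedirectLocation = $http.Location
        RedirectOk       = ($http.Status -eq 301 -and $http.Location -eq $expected)
        HstsHeader       = $https.Hsts
        HstsOk           = ($maxAge -ge 31536000)      # one year is the commonly recommended minimum
    }
}

Test-HttpsRedirect -HostName 'yourdomain.com'
Test-HttpsRedirect -HostName 'yourdomain.com' -Path '/app/index.html'
```

Testing a nested path as well as `/` is deliberate: the HTTP Redirect method's "this directory only" option and a rewrite rule that drops `{R:1}` both pass the root test and fail the second one.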

Best Practices

1. Certificate Management

  • Regularly check certificate expiration, set reminders to renew before expiration
  • Keep PFX file password safe, recommend using password manager
  • Backup certificate and private key files to secure location
  • Use "Personal" container in certificate store, avoid using "Web Hosting" container

2. Security Configuration

  • Disable insecure SSL/TLS protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1)
  • Only enable TLS 1.2 and TLS 1.3 (if supported)
  • Use strong cipher suites, avoid weak encryption algorithms
  • Enable HSTS (HTTP Strict Transport Security)

3. Multi-Site Configuration

  • On IIS 8.0+, use SNI for multi-site SSL configuration
  • On IIS 7.0/7.5, consider using a wildcard certificate or a multi-domain certificate
  • Bind the certificate separately for each site to avoid certificate confusion

4. Performance Optimization

  • Enable the SSL session cache (managed automatically by Windows)
  • Use HTTP/2 (IIS 10.0+ support)
  • Regularly update Windows Server and IIS to get latest security patches

Troubleshooting

1. Check IIS Version

    # Check the IIS version
    Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\InetStp" | Select-Object MajorVersion, MinorVersion

    # Or use the command line
    %windir%\system32\inetsrv\appcmd.exe list config /section:system.webServer

2. Verify Certificate Binding

    # List all SSL bindings
    Get-ChildItem IIS:\SslBindings

    # View the bindings of a specific site
    Get-WebBinding -Name "YourSiteName" -Protocol https

    # View certificate details
    Get-ChildItem -Path Cert:\LocalMachine\My | Format-List Subject, Thumbprint, NotAfter

3. Common Errors and Solutions

Error: Intermediate certificate missing in certificate chain
Solution: Ensure PFX file contains complete certificate chain (domain certificate + intermediate certificate), use OpenSSL to merge before converting to PFX
Error: Certificate private key not found
Solution: Ensure PFX file contains private key, check if PFX password is correct
Error: This site cannot provide a secure connection
Solution:
  • Check if certificate is correctly bound to site
  • Verify if certificate has expired
  • Check if TLS protocol is enabled
  • Confirm firewall allows port 443
Error: SNI binding failed
Solution: Confirm IIS version is 8.0 or higher, check if hostname is correctly filled

4. Verify SSL Configuration

    # Use online tools to verify
    https://www.ssllabs.com/ssltest/
    https://myssl.com/

    # Use PowerShell to test the connection
    Test-NetConnection -ComputerName yourdomain.com -Port 443

    # Use OpenSSL to test
    openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

5. View IIS Logs

    # Default IIS log location
    C:\inetpub\logs\LogFiles\

    # Use PowerShell to view recent errors
    Get-Content "C:\inetpub\logs\LogFiles\W3SVC*\*.log" -Tail 50 | Select-String "error"