How to Install an SSL Certificate on Windows Server 2012, 2016, 2019 & 2022 (IIS)?

How to Install an SSL Certificate on Windows Server 2012, 2016, 2019 & 2022 (IIS)?

🔍 Purpose

This article outlines step-by-step instructions to install and configure an SSL certificate on Windows Server using IIS Manager for different versions (2012 – 2022). This ensures secure HTTPS communication on websites hosted through IIS.

📦 Requirements

RequirementDescription
SSL CertificateA valid certificate from a Certificate Authority (CA)
IIS RoleInstalled on your Windows Server
Admin RightsLocal Administrator privileges
CSRYou must have already generated a Certificate Signing Request (CSR)

🧰 Supported Platforms

Windows Server VersionIIS Version
Windows Server 2012IIS 8.0
Windows Server 2016IIS 10.0
Windows Server 2019IIS 10.0
Windows Server 2022IIS 10.0

⚠ All steps below apply to all supported versions unless explicitly noted otherwise.

📥 Step 1: Install Intermediate and Root Certificates (Optional but Recommended)

  1. Double-click each .crt or .p7b file from the CA.

  2. Click Install Certificate.

  3. Choose Local Machine and click Next.

  4. Select Place all certificates in the following store:

    • Use Trusted Root Certification Authorities for root.

    • Use Intermediate Certification Authorities for intermediates.

  5. Finish the wizard.

📄 Step 2: Import SSL Certificate to IIS

A. Open IIS Manager

  1. Press Win + R, type inetmgr, press Enter.

  2. In the Connections pane, click the Server Name (not the site).

  3. Double-click Server Certificates.

B. Complete the Certificate Request

  1. Click Complete Certificate Request… in the Actions panel.

  2. Browse to your certificate file (.cer or .crt) from the CA.

  3. Add a Friendly Name (e.g., example.com-2025).

  4. Select Personal certificate store.

  5. Click OK.

✅ You should now see the certificate listed in the Server Certificates panel.

🌐 Step 3: Bind Certificate to Website in IIS

  1. In IIS Manager, expand Sites > select your target website.

  2. Click Bindings… from the right Actions pane.

  3. In the Site Bindings window:

    • Click Add (or select existing HTTPS binding and click Edit).

    • Type: https

    • IP Address: Choose server IP or All Unassigned

    • Port: 443

    • Hostname: (Optional – required if using SNI)

    • SSL Certificate: Select your certificate by friendly name.

  4. Click OK, then Close the Bindings window.

🔄 Step 4: Restart IIS

You can restart the IIS service to apply changes.

Method 1 – Using Command Line:

bash
iisreset

Method 2 – Using IIS Manager:

  1. Select the server node.

  2. Click Restart in the Manage Server section.

✅ Step 5: Validate SSL Installation

🛠️ Troubleshooting

IssueResolution
Cert not in dropdown during bindingEnsure the CSR and the installed cert match.
Private key missingImport the certificate via .pfx with private key.
Browser says untrustedInstall missing intermediate/root certs.
Port 443 not respondingEnsure it is open in Windows Firewall and not used by other services.
SNI needed for multiple HTTPS sitesEnable “Require Server Name Indication” in binding.

📝 Optional: Install a .pfx Certificate (with Private Key)

If you have a .pfx file (often exported from another server):

  1. Go to Server Certificates > click Import…

  2. Browse to .pfx, enter the password, and select Allow export if needed.

  3. Click OK, and it will appear in the list.

📁 Related Articles

🔒 Best Practices

  • Use 2048-bit or higher key length.

  • Renew SSL before expiry (30 days recommended).

  • Enable TLS 1.2 or higher; disable older protocols via Group Policy or registry.