This guide walks you through the full process of generating a certificate signing request (CSR), submitting it to a certification authority (CA), installing the certificate, and binding it to a website in Internet Information Services (IIS) on Windows Server 2025.
Generate a Certificate Signing Request (CSR)
Generate the request using the Certificates snap-in in Microsoft Management Console (MMC).
Step 1: Open the Certificates Snap-In
- Press Windows + R, type mmc, and press Enter.
- Go to File > Add/Remove Snap-in.
- Select Certificates and click Add.
- Choose Computer account, then click Next.
- Select Local computer and click Finish.
- Click OK to close the Add/Remove window.
Step 2: Start the CSR Wizard
- In the left pane, expand Certificates (Local Computer).
- Right-click Personal and select All Tasks → Advanced Operations → Create Custom Request.
Step 3: Configure the Request
- On the Certificate Enrollment page, click Next.
- Select Proceed without enrollment policy and click Next.
- On the “Certificate Information” page, expand Details and click Properties.
- On the General tab:
  - Enter a friendly name, e.g., WS25-IIS Certificate.
- On the Subject tab:
  - Under Subject name, choose Common Name.
  - Enter the fully qualified domain name (FQDN), e.g. ws25-iis.windowserver.info.
  - Click Add.
  - Under Alternative name, choose DNS.
  - Enter the same FQDN and click Add.
- On the Extensions tab:
  - Under Key Usage, ensure Digital Signature and Key Encipherment are selected.
  - Under Extended Key Usage, add Server Authentication.
- On the Private Key tab:
  - Under Cryptographic Provider, select RSA, Microsoft Software Key Storage Provider.
  - Set Key size to 2048 bits.
  - Check Make private key exportable and Allow private key to be archived.
- Click Apply, then OK, and then Next.
Step 4: Save the Request
- Choose a location to save the request file (e.g. C:\Temp).
- Ensure the format is set to Base 64.
- Provide a filename such as SSLRequest.req.
- Click Finish.
You can open the file in Notepad to verify the Base64-encoded request text.
Submit the CSR to a Certification Authority
You can use an internal Windows CA or a public CA. The example below assumes a web enrollment interface.
Step 1: Open the CA Web Enrollment Page
Navigate to your CA’s enrollment site. If the server does not trust the CA, you may receive a warning; install the CA certificate as needed.
Step 2: Submit an Advanced Certificate Request
- Select Request a certificate.
- Choose advanced certificate request.
- Open the CSR in Notepad, copy the Base64 text, and paste it into the request form.
- Click Submit.
Step 3: Approve the Request (if required)
If your CA requires approval, sign in to the CA server and approve the pending request.
Step 4: Download the Issued Certificate
- Return to the CA web enrollment page.
- View the status of pending requests.
- Locate your request and select it.
- Choose the Base 64 encoded certificate format.
- Download the certificate.
- Save it to a known location and rename it meaningfully (e.g. WS25-IIS-Cert.cer).
Install the SSL Certificate
- Double-click the .cer file to open it.
- Click Install Certificate.
- Choose Local Machine as the store location.
- When prompted for the store, select Place all certificates in the following store, then choose Personal.
- Click Next, then Finish.
- Confirm the success message by clicking OK.
The certificate is now imported and available for use by IIS.
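Before binding, it is worth confirming that the installed certificate is paired with the private key created for the request and carries the properties set in the CSR. The PowerShell below is an added example, not part of the original guide; it assumes the guide's sample FQDN, and the function name Test-IisServerCertificate is hypothetical.

```powershell
# Added example: inspect the Local Machine > Personal store after import.
# $Fqdn is the guide's sample name; replace it with your own FQDN.
$Fqdn          = 'ws25-iis.windowserver.info'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-IisServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)]
        [string]$DnsName
    )

    # RSA public key (null if the certificate uses another algorithm).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $now = Get-Date

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        FriendlyName   = $Cert.FriendlyName
        # False means the .cer was not matched to the key pair created with
        # the request; IIS cannot serve HTTPS with such a certificate.
        HasPrivateKey  = $Cert.HasPrivateKey
        # DnsNameList is filled from the SAN DNS entries (exact match only here;
        # wildcard names are not expanded).
        DnsNameMatches = $Cert.DnsNameList.Unicode -contains $DnsName
        HasServerAuth  = $Cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid
        KeySizeOk      = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
        InValidity     = ($Cert.NotBefore -le $now) -and ($now -le $Cert.NotAfter)
        # Builds the chain and applies the SSL policy for this host name.
        ChainTrusted   = Test-Certificate -Cert $Cert -Policy SSL -DNSName $DnsName `
                             -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    }
}

# Report every certificate in the store that names the site.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $Fqdn } |
    ForEach-Object { Test-IisServerCertificate -Cert $_ -DnsName $Fqdn } |
    Format-List
```

Run it from an elevated PowerShell session on the IIS server; every check should report True for the certificate you intend to bind.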
Bind the Certificate in IIS
Step 1: Open IIS Manager
- Open Server Manager or search for IIS Manager.
- In the left pane, expand the server and select your website (e.g., Default Web Site).
Step 2: Add an HTTPS Binding
- In the Actions pane, click Bindings.
- In the Site Bindings window, click Add.
- Select:
  - Type: https
  - Hostname: the FQDN used in the certificate (e.g., ws25-iis.windowserver.info)
  - SSL Certificate: choose the certificate you installed (e.g. WS25-IIS Certificate)
- Click OK, then Close.
Test the HTTPS Connection
- Open Microsoft Edge (or your preferred browser).
- Browse to the site using https:// and the FQDN.
  - Example: https://ws25-iis.windowserver.info
- Confirm you see the IIS default page (or your site’s content).
- Click the padlock in the address bar:
  - Verify the certificate is valid.
  - Check the certificate details if desired.
If the page loads securely without warnings, the certificate is installed and bound correctly.