Requesting and Installing an SSL Certificate for Internet Information Server (IIS)

OrinThomas

Microsoft

Oct 09, 2025

This guide walks you through the full process of generating a certificate signing request (CSR), submitting it to a certification authority (CA), installing the certificate, and binding it to a website in Internet Information Services (IIS) on Windows Server 2025.

Generate a Certificate Signing Request (CSR)

Generate the request using the Certificates snap-in in Microsoft Management Console (MMC).

Step 1: Open the Certificates Snap-In

Press Windows + R, type mmc, and press Enter.
Go to File > Add/Remove Snap-in.
Select Certificates and click Add.
Choose Computer account, then click Next.
Select Local computer and click Finish.
Click OK to close the Add/Remove window.

Step 2: Start the CSR Wizard

In the left pane, expand Certificates (Local Computer).
Right-click Personal and select:

All Tasks → Advanced Operations → Create Custom Request

Step 3: Configure the Request

On the Certificate Enrollment page, click Next.
Select Proceed without enrollment policy and click Next.
On the “Certificate Information” page, expand Details and click Properties.
On the General tab:

Enter a friendly name, e.g., WS25-IIS Certificate.

On the Subject tab:

Under Subject name, choose Common Name.
Enter the fully qualified domain name (FQDN), e.g. ws25-iis.windowserver.info.
Click Add.
Under Alternative name, choose DNS.
Enter the same FQDN and click Add.

On the Extensions tab:

Under Key Usage, ensure Digital Signature and Key Encipherment are selected.
Under Extended Key Usage, add Server Authentication.

On the Private Key tab:

Under Cryptographic Provider, select
RSA, Microsoft Software Key Storage Provider.
Set Key size to 2048 bits.
Check Make private key exportable and
Allow private key to be archived.

Click Apply, then OK, and then Next.

Step 4: Save the Request

Choose a location to save the request file (e.g. C:\Temp).
Ensure the format is set to Base 64.
Provide a filename such as SSLRequest.req.
Click Finish.

You can open the file in Notepad to verify the Base64-encoded request text.

Submit the CSR to a Certification Authority

You can use an internal Windows CA or a public CA. The example below assumes a web enrollment interface.

Step 1: Open the CA Web Enrollment Page

Navigate to your CA’s enrollment site. If the server does not trust the CA, you may receive a warning. You'll need to or install the CA certificate as needed.

Step 2: Submit an Advanced Certificate Request

Select Request a certificate.
Choose advanced certificate request.
Open the CSR in Notepad, copy the Base64 text, and paste it into the request form.
Click Submit.

Step 3: Approve the Request (if required)

If your CA requires approval, sign in to the CA server and approve the pending request.

Step 4: Download the Issued Certificate

Return to the CA web enrollment page.
View the status of pending requests.
Locate your request and select it.
Choose the Base 64 encoded certificate format.
Download the certificate.
Save it to a known location and rename it meaningfully (e.g. WS25-IIS-Cert.cer).

Install the SSL Certificate

Double-click the .cer file to open it.
Click Install Certificate.
Choose Local Machine as the store location.
When prompted for the store, select:

Place all certificates in the following store
Choose Personal

Click Next, then Finish.
Confirm the success message by clicking OK.

The certificate is now imported and available for use by IIS.

Bind the Certificate in IIS

Step 1: Open IIS Manager

Open Server Manager or search for IIS Manager.
In the left pane, expand the server and select your website (e.g., Default Web Site).

Step 2: Add an HTTPS Binding

In the Actions pane, click Bindings.
In the Site Bindings window, click Add.
Select:

Type: https
Hostname: the FQDN used in the certificate (e.g., ws25-iis.windowserver.info)
SSL Certificate: choose the certificate you installed (e.g. WS25-IIS Certificate)