ITOps Talk Blog
Requesting and Installing an SSL Certificate for Internet Information Server (IIS)

OrinThomas
Microsoft
Oct 09, 2025

This guide walks you through the full process of generating a certificate signing request (CSR), submitting it to a certification authority (CA), installing the certificate, and binding it to a website in Internet Information Services (IIS) on Windows Server 2025.

 

Generate a Certificate Signing Request (CSR)

Generate the request using the Certificates snap-in in Microsoft Management Console (MMC).

Step 1: Open the Certificates Snap-In

  1. Press Windows + R, type mmc, and press Enter.
  2. Go to File > Add/Remove Snap-in.
  3. Select Certificates and click Add.
  4. Choose Computer account, then click Next.
  5. Select Local computer and click Finish.
  6. Click OK to close the Add/Remove window.

Step 2: Start the CSR Wizard

  1. In the left pane, expand Certificates (Local Computer).
  2. Right-click Personal and select:
    • All Tasks > Advanced Operations > Create Custom Request

Step 3: Configure the Request

  1. On the Certificate Enrollment page, click Next.
  2. Select Proceed without enrollment policy and click Next.
  3. On the “Certificate Information” page, expand Details and click Properties.
  4. On the General tab:
    • Enter a friendly name, e.g., WS25-IIS Certificate.
  5. On the Subject tab:
    • Under Subject name, choose Common Name.
    • Enter the fully qualified domain name (FQDN), e.g. ws25-iis.windowserver.info.
    • Click Add.
    • Under Alternative name, choose DNS.
    • Enter the same FQDN and click Add.
  6. On the Extensions tab:
    • Under Key Usage, ensure Digital Signature and Key Encipherment are selected.
    • Under Extended Key Usage, add Server Authentication.
  7. On the Private Key tab:
    • Under Cryptographic Provider, select RSA, Microsoft Software Key Storage Provider.
    • Set Key size to 2048 bits.
    • Check Make private key exportable and Allow private key to be archived.
  8. Click Apply, then OK, and then Next.

 

Step 4: Save the Request

  1. Choose a location to save the request file (e.g. C:\Temp).
  2. Ensure the format is set to Base 64.
  3. Provide a filename such as SSLRequest.req.
  4. Click Finish.

You can open the file in Notepad to verify the Base64-encoded request text.

Submit the CSR to a Certification Authority

You can use an internal Windows CA or a public CA. The example below assumes a web enrollment interface.

Step 1: Open the CA Web Enrollment Page

Navigate to your CA’s enrollment site. If the server does not trust the CA, you may receive a warning. You'll need to or install the CA certificate as needed.

Step 2: Submit an Advanced Certificate Request

  1. Select Request a certificate.
  2. Choose advanced certificate request.
  3. Open the CSR in Notepad, copy the Base64 text, and paste it into the request form.
  4. Click Submit.

Step 3: Approve the Request (if required)

If your CA requires approval, sign in to the CA server and approve the pending request.

Step 4: Download the Issued Certificate

  1. Return to the CA web enrollment page.
  2. View the status of pending requests.
  3. Locate your request and select it.
  4. Choose the Base 64 encoded certificate format.
  5. Download the certificate.
  6. Save it to a known location and rename it meaningfully (e.g. WS25-IIS-Cert.cer).

Install the SSL Certificate

  1. Double-click the .cer file to open it.
  2. Click Install Certificate.
  3. Choose Local Machine as the store location.
  4. When prompted for the store, select:
    • Place all certificates in the following store
    • Choose Personal
  5. Click Next, then Finish.
  6. Confirm the success message by clicking OK.

The certificate is now imported and available for use by IIS.

Bind the Certificate in IIS

Step 1: Open IIS Manager

  1. Open Server Manager or search for IIS Manager.
  2. In the left pane, expand the server and select your website (e.g., Default Web Site).

Step 2: Add an HTTPS Binding

  1. In the Actions pane, click Bindings.
  2. In the Site Bindings window, click Add.
  3. Select:
    • Type: https
    • Hostname: the FQDN used in the certificate (e.g., ws25-iis.windowserver.info)
    • SSL Certificate: choose the certificate you installed (e.g. WS25-IIS Certificate)
  4. Click OK, then Close.

Test the HTTPS Connection

  1. Open Microsoft Edge (or your preferred browser).
  2. Browse to the site using https:// and the FQDN.
    • Example: https://ws25-iis.windowserver.info
  3. Confirm you see the IIS default page (or your site’s content).
  4. Click the padlock in the address bar:
    • Verify the certificate is valid.
    • Check the certificate details if desired.

If the page loads securely without warnings, the certificate is installed and bound correctly.
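The same result can be checked from an elevated Windows PowerShell session. The script below is an added example, not part of the original post: it reads the Local Machine Personal store and the site's https bindings and reports whether the certificate has the properties requested in the CSR steps above. The function name Test-IisCertificate is hypothetical, and the defaults are the guide's example FQDN and site name.

```powershell
# Added example: read-only checks of the certificate produced by the steps above.
# Defaults are the guide's example values; the function name is hypothetical.
function Test-IisCertificate {
    param(
        [string]$Fqdn     = 'ws25-iis.windowserver.info',
        [string]$SiteName = 'Default Web Site'
    )
    Import-Module WebAdministration   # installed with the IIS management tools

    # Thumbprints of the certificates bound to the site's https bindings.
    $boundHashes = @(Get-WebBinding -Name $SiteName -Protocol https |
        ForEach-Object { $_.certificateHash })

    # Certificates in Local Machine > Personal whose DNS names include the FQDN.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains $Fqdn })
    if ($certs.Count -eq 0) {
        throw "No certificate with DNS name $Fqdn in Cert:\LocalMachine\My"
    }

    $need = [Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    foreach ($cert in $certs) {
        $ku  = $cert.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $eku = $cert.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $rsa = [Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $now = Get-Date

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            FriendlyName   = $cert.FriendlyName
            # Without the private key the server cannot complete a TLS handshake.
            HasPrivateKey  = $cert.HasPrivateKey
            InValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            # Key Usage and Extended Key Usage as set on the Extensions tab.
            KeyUsageOk     = [bool]($ku -and (($ku.KeyUsages -band $need) -eq $need))
            ServerAuthEku  = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
            RsaKeyBits     = if ($rsa) { $rsa.KeySize } else { $null }
            # Chain building plus name match under the SSL policy.
            ChainAndNameOk = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn `
                                -ErrorAction SilentlyContinue -WarningAction SilentlyContinue)
            BoundToSite    = $boundHashes -contains $cert.Thumbprint
        }
    }
}

Test-IisCertificate | Format-List
```

A certificate that shows HasPrivateKey as False, or BoundToSite as False while the browser test succeeds, usually means a different certificate with the same name is the one actually bound to the site.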

Updated Oct 09, 2025
Version 3.0