Alibaba Cloud SSL Certificates Service allows you to download an SSL certificate and install it on an Internet Information Services (IIS) server. This way, HTTPS can be enabled on the IIS server. This topic describes how to install an SSL certificate on an IIS server.


  • An IIS server is installed and port 443 is enabled on your IIS server. This port is the default port for the HTTPS service.
  • The OpenSSL tool is installed.
  • An SSL certificate is downloaded for your IIS server. For more information about how to download SSL certificates, see Download certificates.
    Note When you apply for an SSL certificate, you must select Automatic for CSR Generation. If you select Manual, no certificate file is generated. You must find Other in the Server Type column, download the CRT certificate file, and then run the openssl command to convert the format of the certificate file from CRT to PFX.


  1. Log on to the SSL Certificates Service console.
  2. On the SSL Certificates Service page, find the certificate that you want to download, and click Download in the Actions column.
  3. Find IIS in the Server Type column and click Download in the Actions column to download the IIS certificate package to your on-premises computer.
  4. Decompress the IIS server certificate package that you downloaded.
    Two files are extracted, including a certificate file suffixed with PFX or of the PFX file format and a key file suffixed with TXT or of the TXT file format. Certificate files
    Note A new password file is generated each time you download the certificate. The password is valid only for the certificate you download that time. If you need to update the certificate file, update the matching key file accordingly.
  5. Log on to the Windows server where your IIS server is installed.
  6. In IIS Manager, import the extracted IIS server certificate file.
    1. On the Windows server where the IIS server is installed, choose Start > Run > MMC to open IIS Manager.
    2. Choose File > Add/Remove Snap-in.
      Add/Remove Snap-in
    3. In the Available snap-ins list, select Certificates and click Add. In the Certificates snap-in dialog box, select Computer Account. Click Next. In the Select Computer dialog box, select Local computer: (the computer this console is running on).
    4. In the left-side navigation pane of the console, click Certificates under Console Root to expand the certificate list.
      Expand the certificate tree list
    5. Right-click Personal and choose All Tasks > Import. In the Certificate Import Wizard, click Next.
      Open the Certificate Import Wizard
    6. In the File to Import step, click Browse to import the downloaded PFX certificate file, and then click Next.
      Import certificates
      Note In the Open dialog box, select All Files (*.*) from the file type drop-down list on the right of File name.
    7. Enter the password that is in the certificate key file and click Next.
      You can open the pfx-password.txt file in the downloaded IIS server certificate file to retrieve the password. Enter the certificate key
    8. Select Automatically select the certificate store based on the type of certificate and click Next to complete the import.
      Select certificate store
  7. Assign a certificate for the server.
    1. Open IIS Manager (IIS 8.0), find the website where you want to install the certificate, and then click Bind.
    2. In the Site Bindings dialog box, choose Add > https > 443 > SSL certificate > OK.
      Note The default port for SSL is port 443, which cannot be changed. If you use other ports, such as 8443, enter to visit the website.

What to do next

After you complete certificate installation, you can verify it by accessing the domain name that is bound to the certificate.   # Replaces with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.

If your website cannot be accessed over HTTPS after the certificate is installed, check whether the port 443 on the server where you install the certificate is enabled or blocked by other tools. If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, log on to the ECS console and allow inbound traffic to the port 443 on the Security Groups page.