You can install an SSL certificate on an Internet Information Services (IIS) server so that the web services that run on the server are accessible over HTTPS. This topic describes how to install a certificate on an IIS server. In the example in this topic, a certificate is installed on an IIS 8 server that runs Windows Server 2012 R2.

Prerequisites

  • The web server on which you want to install a certificate is of the IIS type.

    The methods that you can use to install a certificate on a server vary based on the type of the server. For more information about the methods that you can use to install certificates on different types of web servers, see Install the certificate on your web server.

  • The certificate that you want to install is validated and issued by a certificate authority (CA).

    Before the CA validates the certificate, you must submit a certificate application. For more information, see Apply for a certificate. If the certificate fails to be validated, submit a ticket.

Step 1: Download the certificate to the IIS server

  1. Connect to the server that runs Windows Server 2012 R2.
    If you use an Elastic Compute Service (ECS) instance, you can use multiple methods to connect to the instance. For more information, see Connection methods.
  2. Download the certificate to the server.
    Note: You can download the certificate to a computer and upload the downloaded certificate to the server.
    1. Log on to the SSL Certificates Service console.
    2. In the left-side navigation pane, click SSL Certificates Service.
    3. Find the certificate and click Download in the Actions column.
    4. In the Download Certificate panel, find IIS and click Download in the Actions column.
      A certificate package for IIS is automatically downloaded to the default download directory of the current browser.
    5. Decompress the certificate package that you download.
      The following list describes the files that you can extract from the package. The files vary based on the CSR Generation parameter that you configure when you apply for a certificate. For more information about certificate signing requests (CSRs), see Required information for certificate application.
      Value of the CSR Generation parameter: Automatic or Select Existing CSR
      Files extracted from the certificate package:
      • Certificate file in the PFX format: The certificate file is named in the format Certificate ID_Domain name bound to the certificate.
      • Password file in the TXT format: The password file is named pfx-password and contains the password of the certificate.
        Notice: A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.
      Value of the CSR Generation parameter: Manual
      Files extracted from the certificate package: You can extract only a certificate file in the PEM format. The certificate file is named in the format Certificate ID_Domain name bound to the certificate.pem.
  3. If the certificate file that you extract is in the PEM format, convert the certificate file to the PFX format. If the certificate file that you extract is in the PFX format, skip this step.
    You can use the OpenSSL tool to convert the certificate format. For more information, see Certificate format conversion.

Step 2: Import the certificate

  1. Press Win+R on the server to open the Run dialog box.
  2. Enter mmc and click OK.
    The Microsoft Management Console (MMC) appears.
  3. Add a certificate snap-in to your computer.
    1. In the top menu bar of the MMC, choose File > Add/Remove Snap-in.
    2. In the Add or Remove Snap-ins dialog box, select Certificates from the Available snap-ins section and click Add.
    3. In the Certificates snap-in dialog box, select Computer account and click Next.
    4. In the Select Computer dialog box, select Local computer: (the computer this console is running on) and click Finish.
    5. In the Add or Remove Snap-ins dialog box, click OK.
  4. In the left-side navigation pane of the MMC, choose Console Root > Certificates (Local Computer), right-click Personal, and then choose All Tasks > Import.
  5. Complete the certificate import wizard.
    1. Welcome to the Certificate Import Wizard: Click Next.
    2. File to Import: Click Browse, select the PFX certificate file, and then click Next.
      Notice: When you select the certificate file, you must set the file type to All Files (*.*).
    3. Private key protection: Open the password file in the TXT format (pfx-password), copy the file content, paste the content in the Password field, and then click Next.
    4. Certificate Store: Select Automatically select the certificate store based on the type of certificate and click Next.
    5. Completing the Certificate Import Wizard: Click Finish.
    6. If the "The import was successful" message appears, click OK.

Step 3: Bind the certificate to a website

  1. Open IIS Manager.
  2. In the Connections navigation pane, expand the server, click Sites, and then click the domain name that you want to use.
  3. In the Actions pane, click Bindings.
  4. In the Site Bindings dialog box, click Add.
  5. In the Add Site Binding dialog box, configure the parameters for the website and click OK.
    Configure the following parameters:
    • Type: Select https.
    • IP address: Select the IP address of the server.
    • Port: Retain the default value 443.
      Note: If you specify another port, such as 8443, users who want to access the website must enter both the domain name and the port number in the https://Domain name:Port number format in the address bar of a browser. For example, if you specify port 8443, users must enter https://domain_name:8443 to access the website. If you use the default port 443, users need only to enter https://domain_name.
    • Host name: Enter the domain name of the website.
    • SSL certificate: Select the name of the certificate that you import. In this example, select alias.
      The value alias is the friendly name for a certificate that is issued by using SSL Certificates Service. If multiple certificates are imported, click Select. In the Select Certificate dialog box, search for the certificate that you want to bind by domain name.
    After you configure the parameters, you can view the added binding of the https type in the Site Bindings dialog box.
  6. In the Site Bindings dialog box, click Close.
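
Steps 2 and 3 can also be scripted. The following PowerShell is an added example, not part of the original procedure: it imports the PFX file into the Local Computer Personal store without marking the private key exportable, checks the certificate before binding it, and removes the plaintext password file afterwards. The file paths, site name, host name, and IP address are placeholder assumptions.

```powershell
# Added example: scripted equivalent of Step 2 (import) and Step 3 (bind).
# Run in an elevated PowerShell session on the IIS server.
# Every value in this block is a placeholder (assumption), not taken from this topic.
$PfxPath      = 'C:\certs\example.pfx'        # PFX file extracted from the package
$PasswordFile = 'C:\certs\pfx-password.txt'   # password file extracted from the package
$SiteName     = 'Default Web Site'            # IIS site to bind
$HostName     = 'www.example.com'             # domain name bound to the certificate
$IPAddress    = '*'                           # '*' = All Unassigned, or the server IP
$Port         = 443

Import-Module WebAdministration

# Read the PFX password into a SecureString, then drop the plaintext copy.
$plain  = (Get-Content -Path $PasswordFile -Raw).Trim()
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Remove-Variable -Name plain

# Import into Certificates (Local Computer) > Personal.
# -Exportable is deliberately omitted so the private key cannot be exported again.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $secure

# Refuse to bind a certificate that IIS cannot serve.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Create the https binding if it does not exist yet, then attach the certificate.
$query = @{ Name = $SiteName; Protocol = 'https'; Port = $Port; HostHeader = $HostName }
if (-not (Get-WebBinding @query)) {
    New-WebBinding @query -IPAddress $IPAddress
}
(Get-WebBinding @query).AddSslCertificate($cert.Thumbprint, 'My')

# The password file is plaintext and no longer needed after a successful import.
Remove-Item -Path $PasswordFile

# Show what was bound so the operator can compare it with the issued certificate.
$cert | Select-Object Subject, Thumbprint, NotAfter
```

AddSslCertificate fails if another certificate is already bound to the same IP address and port, so an existing binding must be reviewed before the script is rerun.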

Step 4: Verify that the certificate is installed on the IIS server

Open a browser on your computer. In the address bar, enter a domain name that is bound to the certificate to check whether the certificate is installed on the IIS server.

If you receive a response and the lock icon appears at the start of the address bar, an HTTPS connection is established and the certificate is installed.