Installing an SSL certificate on Microsoft IIS

Installing a certificate on a Microsoft IIS web server requires the certificate files and the certificate's private key.

For example, consider installing a Sectigo SSL certificate.

We have 4 certificate files and the certificate key itself:

  1. domain_name.key - The private key of the certificate, which is generated when creating a Certificate Signing Request (CSR)
  2. domain_name.crt - SSL domain certificate
  3. AAACertificateServices.crt - root certificate
  4. SectigoRSADomainValidationSecureServerCA.crt - intermediate certificate
  5. USERTrustRSAAAACA.crt - intermediate certificate

Combine the root and intermediate certificates:

cat AAACertificateServices.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt > CACert.crt


Then convert the certificate, its key and the combined CA file into a PFX (PKCS#12) file:

openssl pkcs12 -export -out domain_name.pfx -inkey domain_name.key -in domain_name.crt -certfile CACert.crt

If you get an error like:

unable to load private key

then check the domain_name.key file to make sure it contains entries:



During the conversion, specify a password for the certificate. You will need it when installing the certificate in Windows.

The file domain_name.pfx can now be loaded into Windows. To do this:
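The following added example (not part of the original article) runs three checks before the PFX conversion above: that openssl can load the key, that the key belongs to the domain certificate, and that the certificate verifies against the combined CA file. The function names and the KEY_PASSIN variable are this example's own assumptions; the file names in the usage line are the ones used on this page.

```shell
#!/bin/sh
# Added example: checks to run before `openssl pkcs12 -export`.
# Function names and KEY_PASSIN are hypothetical, chosen for this example.

# True if openssl can parse the private key. An encrypted key needs its
# passphrase source in KEY_PASSIN (e.g. KEY_PASSIN=file:pass.txt).
key_is_loadable() {
    openssl pkey -in "$1" -passin "${KEY_PASSIN:-pass:}" -noout 2>/dev/null
}

# True if the key and the certificate carry the same public key.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -passin "${KEY_PASSIN:-pass:}" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True if the certificate verifies against the CA bundle. openssl may also
# consult the system trust directory, so inspect the bundle if in doubt.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks; report the first failure and return a distinct code.
preflight() {
    key=$1 cert=$2 bundle=$3
    key_is_loadable "$key" || { echo "cannot load private key: $key" >&2; return 1; }
    key_matches_cert "$key" "$cert" || { echo "$key does not match $cert" >&2; return 2; }
    chain_verifies "$bundle" "$cert" || { echo "$cert does not verify against $bundle" >&2; return 3; }
    echo "ok: $key, $cert and $bundle are consistent"
}

# Usage: sh preflight.sh domain_name.key domain_name.crt CACert.crt
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

A return code of 1 corresponds to the "unable to load private key" case described above; codes 2 and 3 catch a mismatched key or CA file, which the conversion itself does not check.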

  1. Press "Start" and select "Run".
  2. At "Run" enter "MMC" and press "OK". MMC will open.
  3. Click on the File menu and select "Add / Remove Snap-In".
  4. Find "Certificates" and press "Add".
  5. Select "Computer Account" and press "Next".
  6. Select "Local Computer" and press "Finish".
  7. Click "OK" to close the "Add / Remove Snap-In" window.
  8. Double click on "Certificates (Local Computer)" in the center of the window.
  9. Right click on the "Personal" folder.
  10. Select "All tasks" and click on "Import".
  11. Follow the "Certificate Import Wizard" to import the "Primary Certificate" from the .PFX file.
  12. Select the .PFX file and enter the password set during the conversion.
  13. When prompted, select "Automatically select the certificate store based on the type of certificate".
  14. Click "Finish" to close the Certificate Import Wizard.

Next, you need to bind the certificate to the domain itself:

Open IIS, select the desired site, and then select "Bindings":

Click Add.

In the Type field, select https. In the SSL certificate field, select the certificate you added earlier.

Press OK. A binding on port 443 should then be added.