IIS 8 and IIS 8.5: Transferring SSL Certificate Files

Are you looking for a simpler way to export your SSL Certificate file as a .pfx file? Our DigiCert® Certificate Utility for Windows works on all Windows-based servers.

Background

Windows servers use .pfx files to contain the public key file (SSL Certificate file) and the associated private key file. DigiCert provides your SSL Certificate file (public key file). You use your server to generate the associated private key file as part of the CSR.

You need both the public and private keys for an SSL Certificate to function; therefore, if you need to transfer SSL server security certificates from one server to another, you need to create a .pfx backup.

The instructions on this page explain how to do the following tasks:

Exporting/Backing Up to a .pfx File

Before you can export your SSL Certificate as a .pfx file, you must first install the SSL Certificate files that you received from DigiCert on the server that generated your CSR. For information on how to install your SSL Certificate, see IIS 8 and IIS 8.5 Certificate Installation.

  1. From the Start screen, type and then click Run.

  2. In the Run window, in the Open box, type mmc and then, click OK.

  3. In the User Account Control window, click Yes to allow the Microsoft Management Console to make changes to the computer.

  4. In the Console window, in the menu at the top, click File > Add/Remove Snap-in.

  5. In the Add or Remove Snap-ins window, under Available snap-ins (left side), click Certificates and then, click Add.

    IIS8 UI Add Certificates

  6. In the Certificates snap-in window, select Computer account and then, click Next.

    IIS8 Certificates Snap-in Window

  7. In the Select Computer window, select Local computer: (computer this console is running on), and then, click Finish.

    IIS8 Certificates Select Computer Window

  8. In the Add or Remove Snap-ins window, click OK.

  9. In the Console window, in the Console Root section, expand Certificates (Local Computer), expand the folder that contains the certificate that you want to export/back up, and then, click the associated Certificates folder.

    Note:    Your certificate will be in either the Personal or the Web Hosting folder.

    IIS8 Console Window

  10. In the center section, right-click on the certificate that you want to export/back up and then, click All Tasks > Export to open the Certificate Export Wizard.

  11. On the Welcome to the Certificate Export Wizard page, click Next.

  12. On the Export Private Key page, select Yes, export the private key, and then, click Next.

    IIS8 Export File Key

  13. On the Export File Format page, select Personal Information Exchange, check Include all certificates in the certification path if possible, and then, click Next.

    Warning:    Do not select Delete the private key if the export is successful.

    IIS8 Export File Format

  14. On the Security page, check Password, enter and confirm your password, and then, click Next.

  15. On the File to Export page, browse to and select the file that you want to export/back up and then, click Next.

    Make sure to note the filename and the location where you saved your file.
    If you only enter the filename without selecting a location, your file is saved to the following location: C:\Windows\System32.

  16. On the Completing the Certificate Export Wizard page, verify that the settings are correct and then, click Finish.

  17. You should receive "The export was successful" message.

    The .pfx file is now saved to the location that you selected.

Importing From a .pfx File

  1. From the Start screen, type and then click Run.

  2. In the Run window, in the Open box, type mmc and click OK.

  3. In the User Account Control window, click Yes to allow the Microsoft Management Console to make changes to the computer.

  4. In the Console window, in the menu at the top, click File > Add/Remove Snap-in.

  5. In the Add or Remove Snap-ins window, under Available snap-ins (left side), click Certificates and then, click Add.

    IIS8 UI Add Certificates

  6. In the Certificates snap-in window, select Computer account and then, click Next.

    IIS8 Certificates Snap-in Window

  7. In the Select Computer window, select Local computer: (computer this console is running on) and then, click Finish.

    IIS8 Certificates Select Computer Window

  8. In the Add or Remove Snap-ins window, click OK.

  9. In the Console window, in the Console Root section, expand Certificates (Local Computer).

    IIS8 UI Import Certificate

  10. Right-click on the Personal folder and then, click All Tasks > Import to open the Certificate Import Wizard.

  11. On the Welcome to the Certificate Import Wizard page, click Next.

  12. Follow the instructions in the certificate import wizard to import your primary certificate from the .pfx file.

    Note:    On the Certificate Store page, select Automatically select the certificate store based on the type of certificate.

    IIS8 Certificate Store

  13. On the Completing the Certificate Import Wizard page, verify your settings and then, click Finish.

  14. You should receive “The import was successful” message.

  15. After you import the SSL Certificate .pfx file, you need to enable the new certificate on the server.

    For a website without a binding for https, see Enabling a New Certificate on a Server (Does Not Have Binding for https).
    For a website with a binding for https, see Enabling a New Certificate on a Server (Has Binding for https).

Enabling a New Certificate on a Server (Does Not Have Binding for https)

  1. From the Start screen, type and click Internet Information Services (IIS) Manager

  2. In Internet Information Services (IIS) Manager, under Connections, expand your server’s name, expand Sites, and then, click the site that you want to secure (usually the default website).

  3. In the Actions menu, under Edit Site, click Bindings.

    IIS8 UI Edit Bindings

  4. In the Site Bindings window, click Add.

    IIS8 Site Bindings Window

  5. In the Add Site Binding window, enter the following information:

    Type: In the drop-down list, select https.
    IP address: In the drop-down list, select All Unassigned.
    Port: Enter 443. The port for SSL traffic is usually port 443.
    SSL certificate: In the drop-down list, select your recently imported SSL Certificate by its friendly name.

    IIS8 Add Site Binding Window

  6. Click OK. Your SSL Certificate is now installed and the website is configured to accept secure connections.

    Note:    You may have to restart IIS or the server for it to recognize the new certificate.

Enabling a New Certificate on a Server (Has Binding for https)

  1. From the Start screen, type and click Internet Information Services (IIS) Manager

  2. In Internet Information Services (IIS) Manager, under Connections, expand your server’s name, expand Sites, and then, click the site that you want to secure (usually the default website).

  3. In the Actions menu, under Edit Site, click Bindings.

    IIS8 UI Edit Bindings

  4. In the Site Bindings window, select binding for https, and then click Edit.

    IIS8 Site Bindings Window

  5. In the Edit Site Binding window, enter the following information:

    IP address: In the drop-down list, select All Unassigned. If your server has multiple IP addresses, select the one that applies.
    Host name: If you are using Server Name Indication, enter the hostname that you are securing.
    Require Server Name Indication If you are using Server Name Indication, check this check box.
    SSL certificate: In the drop-down list, select your recently imported SSL Certificate by its friendly name.

    IIS8 Edit Site Bindings Window

  6. Click OK.

    Your SSL Certificate is now installed, and the website is configured to accept secure connections.

    Note:    You may have to restart IIS or the server for it to recognize the new certificate.