Transferring IIS 7 Certificate Files

Background

Want an easier way to export? Our management & troubleshooting tool works on all Windows-based servers.

Windows servers use .pfx files to contain the public key files (your SSL Certificate files, provided by DigiCert) and the associated private key file (generated by your server as part of the CSR).

Since both the public and private keys are needed for an SSL Certificate to function, you need a .pfx backup to transfer SSL server security certificates from one server to another.

This page explains how to back up your certificate on a working server, import the certificate to another server, and then enable the certificate for use on the new server. If you have not yet installed the certificate files that you received from DigiCert on the server that generated your CSR, please see our IIS 7 installation instructions page.

Exporting/Backing Up to a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an "export successful" message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Enabling a New Certificate on a Server

  1. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
  2. In the IIS Manager, click the server name.
  3. Expand the sites folder.
  4. Select the site that you want to secure (usually the default website).
  5. On the actions menu in the edit site section, click Bindings.

  6. In the site bindings window, click Add. If a binding for https already exists, select the https binding and click Edit.

  7. Fill out the information in the add site binding window. In the type drop-down choose https. Set the IP address to the IP address of the site or choose all unassigned. The port for SSL traffic is usually 443. Enter the recently imported certificate in the SSL Certificate field.

  8. Click OK. Your SSL Certificate is now installed and the website is configured to accept secure connections. You may have to restart IIS or the server for it to recognize the new certificate.