Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
picture of tbs certificates
picture of tbs certificates
Our products range

Install a Microsoft IIS7 certificate

You received your certificate by email. Keep it within reach.

1- Retrieve your certificate on your server

Download the overall file (.p7b) indicated in the delivery mail and save it on your desktop.

Warning: If you are using a X509 certificate (.cer) you will have to install manually intermediate certificates and root certificate. It is way faster to follow this new installation procedure.

2- Import the certificate

  • Open the Internet Information Services Manager. Select the concerned web server in the left panel. Double-click on the server Certificates icon on the left.
  • In the Action panel, click on Complete Certificate Request... 

  • In the dialog box, click on Browser, apply the filter to *.* and select the file in which you have downloaded your certificate. Click on "Open".
  • Give your certificate a unique name (do not use accents nor characters: ! @ # $ % ^ * ( ) ~ ? > < & / \:), then OK.

IMPORTANT: IIS7 often retur an error saying "Cannot find the certificate request associated with this certificate file.' Despite of this bug, the certificate is usually well installed only without the single name. Then you need to check that it has actualy been added to the list. If so keep going with the procedure here under without taking notice of the alert.

3- Configure an HTTPS binding

  • Still in the Internet Information Services Manager, select the concerned website in the left panel.

  • In the Actions pane, click on "Bindings"
  • Click on "New"
  • Select "HTTPS" protocol
  • Choose the certificate you imported previously

Microsoft error messages

You may encounter error messages while importing a certificate (.p7b or .cer).
(Errors listed by Microsoft here:

  • "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created."

  • "There was an error while performing this operation Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN:276)"

This issue occurs because IIS Manager performs a lookup operation to look for a friendly name of the certificate during the installation. However, the code that performs this lookup operation misses this specific case, and it does not know how to retrieve the friendly name of a certificate in a PKCS#7 file. Therefore, the lookup operation fails, and you receive the error message.


To resolve this problem, add a friendly name to the certificate. To do this, follow these steps:

  • Click Start, click Run, type certmgr.mmc, and then click OK.
  • Locate the certificate (in "personal" / "certificates").
  • Right-click the certificate, and then click Properties.
  • Edit the Friendly name field.

Other possible error message

  • A certificate chain could not be built to a trusted root authority

This error message appears when the root certificate of the certification chain is not from the Windows certificate store.


You have to manually import the root certificate and the certification chain. These elements are available on the certificate status page, "View certificate" button. Once everything is imported, you can retry the operation with your .p7b certificate

4- Run a test

Now test your secured website access with IE and Firefox. With IE 7 and Firefox 3 you may see an error message indicating the non-correspondence of the sites' names. It is normal, it is a local test.

On your certificate status page, you'll see a 'Check your certificate' button. Click it to test the installation of your certificate.


For security matters, it is advised to:

And discover IIS Crypto by Nartac, a toolthat will help you do modifications in IIS (compatible with IIS6).

There us also a powershell script to apply all those security recommandations: external link.

Possible scenario

"SSL Handcheck error" or SSL does not start

Make sure our certificate and its private key have been correctly installed. To do so, launch the MMC of your Windows server. Your certificate may have been placed in "container user" instead of " local computer" (due to a window bug).
You can troubleshoot with a local exportation and then a re-importation in the local computer.

Useful links