Install a PFX file on IIS7 or IIS8
This procedure allows you to install a PFX file. This file can be generated in the case of a server migration, or when creating a backup file.
If you have generated your private key with our Keybot tool ("Automatic" method), you can generate a PFX file directly from the certificate status page, by clicking on the "Generate PFX/PEM" button (more info on Keybot).
NB: This procedure also applies if you have a PKCS#12 file with a .p12 extension containing your certificate, its private key and its certification chain. Indeed, the .pfx and .p12 extensions correspond to the same type of file.
1- Launch the MMC
- Click Start, select Run and enter mmc
- Click File and select Add/Remove Snap-in
- Click Add, select Certificates in the Standalone Snap-in list and click Add
- Select Computer Account and click Next
- Select Local Computer and click Finish
- Close the window and click OK in the upper window
2- Import the PFX file
- Go to the Personal > Certificates folder
- Right click on it and select All tasks > Import
- Via the wizard, browse to your .pfx file
- Enter the password that protects your .pfx file
- Check the box to "Mark this key as exportable"
- Finally, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
- Click Finish
- Close the MMC
3.1 - Bind the certificate in IIS 7
- Go to the Administrative Tools, then Internet Information Services (IIS) Manager and select the website from the list on the left.
- In the Action panel, click on Bindings
- Click New
- Select the "https" protocol
- Select the certificate you imported
3.2 - Bind the certificate in IIS 8
Via the graphical interface, the installation process is similar to IIS7. It is also possible to create the binding via PowerShell:
New-WebBinding -Name "SITE_NAME" -Protocol https -Port 443 -HostHeader www.domain.com -SslFlags 1
When the certificate is in the local store, the value of -SslFlags is either 0 (without SNI) or 1 (with SNI). Storing certificates in the Centralized Certificate Store (CCS) is not explained here.
You can check the installation with
netsh http show sslcert
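Steps 2 and 3.2 can also be scripted end to end. The following is an added example, not part of the original procedure: New-WebBinding creates the binding but does not select a certificate for it, so the script attaches the imported certificate by thumbprint. The PFX path is a hypothetical placeholder; SITE_NAME and www.domain.com are the placeholders used above.

```powershell
# Added example: all default values below are placeholders to replace.
param(
    [string]$PfxPath  = 'C:\certs\www.domain.com.pfx',  # hypothetical path
    [string]$SiteName = 'SITE_NAME',
    [string]$HostName = 'www.domain.com'
)

Import-Module WebAdministration

# Prompt for the PFX password so it is never stored in the script or in history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the Local Computer "Personal" store (same target as step 2).
# -Exportable mirrors the wizard's "Mark this key as exportable" box; drop it
# if the key will never need to be backed up or migrated from this server.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My `
            -Password $pfxPassword -Exportable |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1

# Fail early on the two most common problems: no private key, expired certificate.
if (-not $cert) {
    throw "No certificate with a private key was imported from $PfxPath"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
}

# Create the https binding with SNI (-SslFlags 1) only if it does not exist yet.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}

# Attach the imported certificate (store name "My" = Personal) to the binding.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Show the HTTP.SYS entry for this host; its certificate hash should match.
"Imported thumbprint: $($cert.Thumbprint)"
netsh http show sslcert | Select-String -SimpleMatch "${HostName}:443" -Context 0,4
```

Run it from an elevated PowerShell session on the IIS 8 server; the certificate hash printed by netsh should equal the imported thumbprint.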
4- Run a test
Check the access of your website's secured pages with IE 6 and Firefox. IE 7 and Firefox 3 may display an error message to tell you the site names are not matching, as you are running a local test.
Useful links
For security reasons, it is advised to:
- disable SSLv2 and SSLv3. See Microsoft documentation: http://support.microsoft.com/kb/187498
- IIS Crypto: Tool developed by Nartac that allows you to customize protocol and cipher support on Windows.
Conversions and platform changes:
- Import a pfx (or pkcs12) in IIS 5 or 6
- Install intermediate or root certificates manually
- Convert a PKCS#12 (PFX) into a JKS (Apache/Microsoft to Tomcat)
- Convert a PKCS#12 (PFX) into a PEM (Microsoft, Firewall, ... to Apache)
- I used Keybot during the order process (.pkey file downloaded): How to obtain a PFX?