picture of tbs certificates
picture of tbs certificates
Our products range

Install a certificate with Microsoft IIS8.X+ and Windows Server 2012+.

Retrieve your certificate on your server

You can only use this method if you generated your CSR on Windows. If you used our tool Keybot, please consult our pfx importation guide.

  • Retrieve your certificate in format p7b (global install file) by following the link provided in the delivery email or via your certificate status page.
  • Create/move the p7b file on your server.

Import the certificate

  • Launch Internet Information Services (IIS) Manager from Administrative tools.

  • Administrative tools
    Manager IIS

  • Select Server Certificates

  • Server Certificates

  • Select Complete Certificate Request in the menu Actions menu of the right window.

  • Menu
  Complete Certificate Request

  • Then select your p7b file and give it a recognizable name and a store.

  • Dialogue Complete Certificate Request

  • Then validate to add your certificate.

  • It should now be available in your certificates list.

  • Certificates list

Link the certificate

  • In Internet Information Services (IIS) Manager, select your website.

  • Site view

  • Select the Bindings option of the Actions located on the right side of the window.

  • Binding - Action menu

  • Then select Add

  • Add button

  • Then select HTTPS and the previously added certificate.

  • Certificate binding

SNI case

If you need to install several certificates for different domains with the same IP address, you need to activate the SNI protocol by enabling the "Require server name indication" checkbox.

Possible error

It is possible that when you activate the SNI, and your installation is correct, the certificate presented by your server is not the right one and the SSL_ERROR_BAD_CERT_DOMAIN error is displayed.

In this case, it is necessary to check that there are no old certificates or bindings that could interfere with the proper functioning of the server.

  • In the certificates MMC, in the personal folder, check that you only have valid certificates. If necessary, export the expired certificates with the private key, and then delete them from the MMC.

  • Start a command prompt with Administrator rights, and type the following command:
        netsh http show sslcert
    This command lists all active bindings between your certificate(s) and the associated domain(s).

If in the list of bindings, one of the certificates is attached to an IP address, it is not good. Here is an example:

    IP address:port         :

You must remove this link with the following command:

    netsh http delete sslcert ipport={localIPAddress}:{port}

Using the example above, this gives:

    netsh http delete sslcert ipport=

Security recommendations

And discover IIS Crypto by NARTAC, a toolthat will help you do modifications in IIS (compatible with IIS6).

The is also a powershell script aloowing to apply all those security recommandations: external link.

Useful links