Overview
IIS SSL configuration involves two distinct actions that beginners often confuse: importing the certificate into Windows Certificate Store, and then binding it to a specific site in IIS. Miss the second step and your site stays on HTTP even though the certificate is sitting right there on the server.
You’ll need this guide if you’ve just received an SSL certificate from a CA (Certificate Authority), if you’re migrating a site to a new Windows Server, or if you’ve renewed a certificate and your site is throwing an HTTPS error. This also applies if you’re running a Windows VPS or Dedicated Server and managing IIS yourself.
This article covers IIS 10 on Windows Server 2019 and 2022. The steps are nearly identical on both. IIS 8.5 on Server 2012 R2 follows the same general flow but some UI labels differ slightly.
Prerequisites
- Remote Desktop (RDP) access to the server with a local Administrator or Domain Admin account
- IIS 10 installed and at least one site already configured
- Your SSL certificate files: typically a .pfx file (which bundles the certificate and private key), or a separate .crt/.cer file plus the private key
- If your CA provided a .crt and a separate key file, you'll need to combine them into a .pfx first (see the note in Step 1)
- The password used when the .pfx was exported (if applicable)
- DNS for your domain pointed at this server's IP and propagated. HTTPS won't work during testing if DNS is still resolving elsewhere
Step-by-Step Instructions
Step 1 — Prepare Your Certificate File
IIS needs the certificate and its private key together, which in practice means a PKCS#12 (.pfx) file. If your CA sent you a .crt file and you hold the private key separately, merge them first using OpenSSL. If you already have a .pfx, skip to Step 2.
Run the following on any machine with OpenSSL installed (including Windows if you’ve installed Git Bash or OpenSSL for Windows):
openssl pkcs12 -export \
  -out certificate.pfx \
  -inkey private.key \
  -in certificate.crt \
  -certfile ca_bundle.crt
You'll be prompted to set an export password. Don't leave it blank: the .pfx contains your private key, so anyone who gets hold of the file can impersonate your site. Pick a strong password, and once the import in Step 2 is done, delete the .pfx and the loose private.key from everywhere except a secure backup. One compatibility caveat: OpenSSL 3.x encrypts the .pfx with AES-256 and PBKDF2 by default, which Windows Server 2016 and earlier (including 2012 R2) cannot read, so the import wizard on those versions reports the password as incorrect. If that happens, re-run the command above with the -legacy option (or add -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1). Server 2019 and 2022 import the default format without trouble.
📝 Note: The ca_bundle.crt file contains the intermediate certificates your CA provided. Including it in the .pfx ensures IIS presents the full chain to clients. If you skip it, desktop Chrome will often paper over the gap by fetching the intermediate itself, but Firefox without that intermediate preloaded, Android, and most command-line tools and API clients will show a trust error or refuse to connect even though the certificate itself is valid.
Step 2 — Import the Certificate into Windows Certificate Store
- Press Win + R, type mmc, and press Enter to open the Microsoft Management Console.
- Go to File > Add/Remove Snap-in.
- Select Certificates from the left list, click Add.
- Choose Computer account when prompted, then Local computer. Click Finish, then OK. (Picking My user account here is the single most common reason a certificate later fails to appear in IIS: IIS never looks in the Current User store.)
- In the left panel, expand Certificates (Local Computer) > Personal > Certificates.
- Right-click the Certificates folder under Personal, then select All Tasks > Import.
- Follow the wizard: browse to your .pfx file and enter the export password. Leave Mark this key as exportable unchecked unless you know you will need to move this certificate off the server later; an exportable key can be pulled out of the store by any local administrator, while a non-exportable one can only be used, not copied. Tick Include all extended properties.
- Set the certificate store to Personal and complete the import.
⚠ Warning: Import into Personal, not Web Hosting, unless you are running SNI with a very large number of certificates and know what you're doing. The Web Hosting store exists so IIS can load certificates lazily at scale; certificates there are handled differently, and the troubleshooting steps in this guide assume the certificate is in Personal.
Step 3 — Bind the Certificate to Your IIS Site
- Open IIS Manager: search for it in the Start menu, or run inetmgr from Win + R.
- In the left Connections panel, expand your server name, then expand Sites.
- Click the site you want to secure.
- In the right Actions panel, click Bindings.
- In the Site Bindings window, click Add.
- Set the following:
  - Type: https
  - IP address: All Unassigned (or a specific IP if you're hosting multiple sites on the same server with separate IPs)
  - Port: 443
  - Host name: your domain name exactly as it appears in the certificate, e.g. example.com. Entering a host name is what enables SNI (Server Name Indication), which is required when multiple HTTPS sites share one IP address. One binding serves one host name, so if the certificate also covers www.example.com, add a second https binding for that name.
  - SSL certificate: select the certificate you just imported from the dropdown
- Check Require Server Name Indication if the site shares its IP with other HTTPS sites. If this server hosts only one HTTPS site, or the site has a dedicated IP, you can leave it unchecked.
- Click OK, then Close.
📝 Note: If your certificate doesn't appear in the SSL certificate dropdown, the import most likely went into the wrong store. Go back to MMC and verify the cert is under Certificates (Local Computer) > Personal > Certificates, not under Current User, Trusted Root Certification Authorities, or Intermediate Certification Authorities.
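The same import and binding procedure can be scripted, which is handy on a VPS you rebuild regularly. The following is an added example, not code from the original article: it imports the .pfx into Local Computer > Personal, checks the things IIS silently refuses (no private key, outside the validity period, host name not in the certificate), creates an SNI binding and attaches the certificate. The .pfx path, the site name 'Default Web Site' and the host name example.com are assumptions; change them to match your server. It uses the WebAdministration module that ships with the IIS role and must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): Steps 2 and 3 from an elevated PowerShell.
# Assumed values, change to match your server: the .pfx path, the site name, the host name.
Import-Module WebAdministration    # ships with the IIS role

$PfxPath  = 'C:\certs\certificate.pfx'
$SiteName = 'Default Web Site'
$HostName = 'example.com'

# Ask for the export password instead of leaving it in the script or the shell history.
$PfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

# Import into Local Computer > Personal (the "My" store). Without -Exportable the private
# key is stored non-exportable, so it can be used by IIS but not copied back out.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $PfxPassword

# IIS will not offer a certificate for binding without a private key, and browsers reject
# one that is not yet valid or already expired.
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; IIS will not list it for binding.'
}
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# The host name you bind must be in the certificate's CN or SAN list, or browsers warn.
# DnsNameList is a PowerShell-added property that collects those names; a wildcard
# (*.example.com) covers www.example.com but never the bare example.com.
$names    = $cert.DnsNameList.Unicode
$wildcard = '*.' + ($HostName -replace '^[^.]+\.', '')
if ($names -notcontains $HostName -and $names -notcontains $wildcard) {
    Write-Warning "$HostName is not among the certificate names: $($names -join ', ')"
}

# Create the https binding with SNI (SslFlags 1) if it does not exist yet. A second
# binding for www.example.com would be the same call with that host name.
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
                   -HostHeader $HostName -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
}

# Attach the certificate. This is the step that registers it with HTTP.sys; a binding
# without a certificate is what produces ERR_SSL_PROTOCOL_ERROR in the browser.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Confirm from the HTTP.sys side, the same view that 'netsh http show sslcert' gives.
netsh http show sslcert hostnameport="${HostName}:443"
```

Running AddSslCertificate against a binding that already has a certificate replaces it, so the same script also handles a renewal once the new .pfx has been imported.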
Step 4 — Force HTTPS with an HTTP Redirect (Recommended)
Binding to port 443 enables HTTPS but doesn't automatically redirect HTTP traffic; until you add a redirect, visitors who type the bare domain still land on the plain HTTP site. The cleanest way is a rewrite rule in the web.config file in your site's root directory.
Open or create C:\inetpub\wwwroot\YourSite\web.config and add the following inside the <system.webServer> section (which itself sits inside the top-level <configuration> element):
<rewrite>
<rules>
<rule name="HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
⚠ Warning: This requires the URL Rewrite module to be installed in IIS. If it's not installed, IIS rejects the <rewrite> section as unknown configuration and every request to the site returns a 500.19 error until the module is installed or the section is removed. Download it from the official Microsoft site or install it via Web Platform Installer.
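Two checks worth scripting around this step, as an added example that is not part of the original article: confirm the URL Rewrite module is actually registered before the web.config goes live, and then prove the redirect works by requesting an HTTP URL without following redirects and inspecting the status and Location header. The host name example.com and the test path are assumptions; the path carries a query string so the test also confirms that URL Rewrite's default of appending the query string to the redirect is in effect.

```powershell
# Added example (not from the original article): verify the prerequisites and the effect
# of the HTTP to HTTPS rule. Assumes example.com resolves to this server on port 80.
Import-Module WebAdministration

$HostName = 'example.com'
$TestPath = '/some/path?x=1'   # constructed test URL, any path on the site will do

# The <rewrite> section is only valid when the module is registered globally;
# without it every request returns 500.19.
if (-not (Get-WebGlobalModule -Name 'RewriteModule')) {
    throw 'URL Rewrite is not installed; install it before adding <rewrite> to web.config.'
}

# Request the plain-HTTP URL but do not follow redirects, so the 301 itself comes back
# as the response (with AllowAutoRedirect off, 3xx responses do not throw).
$req = [System.Net.HttpWebRequest]::Create("http://$HostName$TestPath")
$req.AllowAutoRedirect = $false
$resp     = $req.GetResponse()
$status   = [int]$resp.StatusCode
$location = $resp.Headers['Location']
$resp.Close()

# redirectType="Permanent" in the rule means 301, and {R:1} plus the appended query
# string must reproduce the original path exactly under https://.
$expected = "https://$HostName$TestPath"
if ($status -ne 301 -or $location -ne $expected) {
    throw "Expected 301 to $expected but got $status $location"
}
Write-Host "HTTP to HTTPS redirect works: $status $location"
```

If the second check fails with a 200 instead of a 301, the rule is not being applied: most often the web.config was saved outside the site root, or the <rewrite> element landed outside <system.webServer>.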
Step 5 — Verify the Configuration
Open a browser and navigate to https://yourdomain.com. You should see the padlock icon. To check the certificate the server is presenting, along with its issuer and expiry, from the command line:
# Run in Windows PowerShell 5.1 on the server
$req = [System.Net.HttpWebRequest]::Create("https://yourdomain.com")
# GetResponse() throws a trust error here if the name or chain is wrong
$resp = $req.GetResponse()
# ServicePoint.Certificate is the leaf certificate the server sent
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$req.ServicePoint.Certificate
$resp.Close()
Write-Host "Issued to:  $($cert.Subject)"
Write-Host "Issued by:  $($cert.Issuer)"
Write-Host "Expires:    $($cert.NotAfter)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Keep in mind that a check run on the server itself cannot tell you whether the intermediate chain is complete: the server already has the intermediates in its own store, so it will build a valid chain even if it never sends them. Run the same check from another machine, or use an external tool like SSL Labs (ssllabs.com/ssltest) to verify chain completeness and check your TLS configuration grade.
Common Issues & Troubleshooting
Certificate doesn’t appear in the IIS binding dropdown
This almost always means the certificate was imported into the wrong store. IIS Manager lists certificates from Local Computer > Personal (and, on IIS 8 and later, Web Hosting); a certificate imported into Current User > Personal, Trusted Root, or Intermediate Certification Authorities never appears. Open MMC, confirm the cert location, and reimport if needed. Also check that the certificate has a private key associated: if you imported a .crt without the key, it will appear in the store (without the small key icon on its thumbnail) but IIS won't offer it for binding.
ERR_SSL_PROTOCOL_ERROR or “This site can’t provide a secure connection”
Usually caused by a binding that exists in IIS but points to no certificate, or a corrupted binding entry. Open a PowerShell prompt as Administrator and check the current SSL bindings at the HTTP.sys level:
netsh http show sslcert
If you see a binding for port 443 with a null or mismatched certificate hash, delete it and re-add it via IIS Manager. Stale bindings from a previous certificate don't always get cleaned up automatically. For an SNI binding the entry is keyed by host name, for an IP binding by address, so the removal is one of:
netsh http delete sslcert hostnameport=example.com:443
netsh http delete sslcert ipport=0.0.0.0:443
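To find such bindings systematically rather than reading the netsh listing by eye, here is an added example (not part of the original article) that walks every HTTPS binding HTTP.sys knows about and flags the ones whose certificate is missing from the named store, has no private key, or is expired or about to expire. It reads the bindings through the WebAdministration module's IIS:\SslBindings provider, whose property names (IPAddress, Port, Host, Store, Thumbprint) are assumed here, and prints the matching netsh delete command for each stale entry rather than running it.

```powershell
# Added example (not from the original article): audit HTTP.sys SSL bindings against the
# certificate store. Run from an elevated PowerShell on the server.
Import-Module WebAdministration

$now = Get-Date

$report = Get-ChildItem IIS:\SslBindings | ForEach-Object {
    $b = $_
    # Each binding names a store ("My" or "WebHosting") and a thumbprint; look the
    # certificate up exactly where HTTP.sys expects to find it.
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.Store)" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $b.Thumbprint }

    $problem = if (-not $cert)                              { 'certificate not found in store' }
               elseif (-not $cert.HasPrivateKey)            { 'certificate has no private key' }
               elseif ($cert.NotAfter -lt $now)             { "expired $($cert.NotAfter.ToString('yyyy-MM-dd'))" }
               elseif ($cert.NotAfter -lt $now.AddDays(14)) { "expires soon $($cert.NotAfter.ToString('yyyy-MM-dd'))" }
               else                                         { '' }

    [pscustomobject]@{
        IPAddress  = $b.IPAddress
        Port       = $b.Port
        Host       = $b.Host          # empty for plain IP:port bindings
        Store      = $b.Store
        Thumbprint = $b.Thumbprint
        Problem    = $problem
    }
}

$report | Format-Table -AutoSize

# Stale entries (binding present, certificate gone) are the ones behind ERR_SSL_PROTOCOL_ERROR.
# Print the netsh command that removes each one; re-add the binding in IIS Manager afterwards.
foreach ($r in $report | Where-Object { $_.Problem -eq 'certificate not found in store' }) {
    if ($r.Host) { Write-Host "netsh http delete sslcert hostnameport=$($r.Host):$($r.Port)" }
    else         { Write-Host "netsh http delete sslcert ipport=$($r.IPAddress):$($r.Port)" }
}
```

Running this on a schedule and alerting on any non-empty Problem column also catches the "renewed but forgot to rebind" case before the old certificate actually expires.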
Mixed content warnings after enabling HTTPS
The certificate and binding are fine, but the page is loading HTTP resources (images, scripts, stylesheets). This is an application-level issue, not an IIS issue. You’ll need to update hardcoded HTTP URLs in your application or CMS. For WordPress on IIS, updating the site URL in the database usually handles the majority of it.
500.19 error after adding web.config redirect rule
The URL Rewrite module isn't installed. The web.config references a configuration section IIS doesn't recognise, so IIS returns a configuration error for every request. Install URL Rewrite 2.1 from Microsoft's download centre, which registers the module globally; no server reboot is needed.
Certificate renewed but browser still shows old cert
After importing a renewed certificate, you have to update the binding manually. IIS doesn’t automatically swap to the new cert just because it has the same domain name. Go back to Site Bindings, edit the HTTPS binding, and reselect the certificate from the dropdown. The renewed cert and the old cert will both show up — check the expiry dates to make sure you’re selecting the right one.
Frequently Asked Questions
Do I need a separate SSL certificate for each IIS site on the same server?
Not necessarily. A wildcard certificate (e.g. *.example.com) covers all subdomains under one domain, and a multi-domain SAN certificate can cover multiple different domains in one cert. If you’re running completely separate domains on the same server, you’ll need either a SAN cert or individual certificates for each, combined with SNI bindings so IIS knows which cert to serve to which domain.
How do I renew an SSL certificate in IIS without downtime?
Import the new certificate into the Personal store first, then update the binding to point to it — the whole switchover takes seconds. There’s no need to remove the old certificate before you’ve confirmed the new one is working. Once you’ve verified HTTPS is serving the renewed cert, you can delete the expired one from the store.
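As an added example, not code from the original article, the switchover described in this answer scripted end to end: pick the newest valid certificate in Local Computer > Personal that covers the host name, move the existing binding to it, prove with a real TLS handshake (SNI set to the host name) that the server now presents the new certificate, and only then remove the superseded one together with its private key. The site name 'Default Web Site' and the host name example.com are assumptions, as is that the https binding was created with a host name as in Step 3.

```powershell
# Added example (not from the original article): zero-downtime swap to a renewed certificate.
# Assumed values, change to match your server: the site name and the host name.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$HostName = 'example.com'
$now      = Get-Date

# Newest certificate with a private key that names the host (directly or via a wildcard
# for its parent domain). DnsNameList is a PowerShell-added property listing CN and SANs.
$wildcard = '*.' + ($HostName -replace '^[^.]+\.', '')
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        ($_.DnsNameList.Unicode -contains $HostName -or $_.DnsNameList.Unicode -contains $wildcard)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "No valid certificate for $HostName in LocalMachine\My; import the renewed .pfx first." }

$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
if (-not $binding) { throw "No https binding for $HostName on '$SiteName'." }

# Thumbprint currently attached to the binding, kept so the old certificate can be removed later.
$old = $binding.certificateHash

if ($old -eq $new.Thumbprint) {
    Write-Host "Binding already uses $($new.Thumbprint); nothing to do."
} else {
    # Replaces the certificate on the existing binding in place; no site or pool restart.
    $binding.AddSslCertificate($new.Thumbprint, 'My')

    # Verify with an actual TLS handshake to this server, sending the host name as SNI.
    # The validation callback accepts anything because we compare thumbprints ourselves.
    $tcp = New-Object System.Net.Sockets.TcpClient('127.0.0.1', 443)
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
    $ssl.AuthenticateAsClient($HostName)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    $ssl.Dispose(); $tcp.Close()

    if ($served.Thumbprint -ne $new.Thumbprint) {
        throw "Server still presents $($served.Thumbprint); look for a stale entry with: netsh http show sslcert"
    }
    Write-Host "Now serving $($served.Subject), expires $($served.NotAfter)"

    # Only after the live check: remove the old certificate and its private key from the store.
    if ($old) { Remove-Item "Cert:\LocalMachine\My\$old" -DeleteKey }
}
```

Because the old certificate is removed only after the handshake succeeds, a failed swap leaves the site serving the previous (still valid) certificate rather than nothing.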
Why does my SSL certificate show as valid but browsers still warn about it?
The most common cause is a missing intermediate certificate chain. If the CA’s intermediate certs weren’t included when you exported the .pfx, browsers that don’t have the intermediate cached will show a trust warning. Rebuild the .pfx using OpenSSL with the ca_bundle.crt included (see Step 1), reimport, and update the binding.
Can I use a Let's Encrypt certificate with IIS?
Yes. The easiest way is with win-acme (formerly letsencrypt-win-simple), a free tool that handles domain validation, certificate issuance, and IIS binding automatically. It also sets up a scheduled task for auto-renewal before the 90-day expiry. You’ll find it at win-acme.com. I’d recommend it over manual Let’s Encrypt workflows on Windows — doing it by hand every 90 days gets old fast.
What port does HTTPS use and do I need to open it in the firewall?
HTTPS runs on TCP port 443. Installing the Web Server role normally adds an inbound rule named World Wide Web Services (HTTPS Traffic-In) to Windows Defender Firewall, but depending on how the server was set up that rule may be missing or disabled. Check by opening Windows Defender Firewall with Advanced Security and looking for an inbound rule allowing TCP 443; if it's missing, add one, and if it's disabled, enable it. On a Host & Tech dedicated server, you can also manage firewall rules through your server control panel.