IT Docs
Server

SSL Certificate Manual for IIS 10

Create a CSR, complete the request, and export to .PFX on Windows Server (2016 / 2019 / 2022).

A complete walkthrough for requesting, completing, and exporting an SSL certificate entirely within IIS 10 — from generating the CSR to producing a portable .PFX bundle.

Overview

When IIS generates a CSR, the private key is stored securely inside the Windows Certificate Store — never as a separate file on disk. In practice this means:

  • You don't need a separate .key file when working entirely within IIS.
  • The CSR and its private key are linked internally by Windows.
  • Completing the request in IIS automatically pairs the certificate with its private key, so you can export a full .PFX bundle.

Never move or rebuild the server between creating the CSR and completing the certificate request. The private key lives only on the machine that generated the CSR — if it's gone, you must start over with a fresh CSR.

Prerequisites

  • Windows Server with IIS 10 installed and running.
  • Administrator rights on the server.
  • A domain or wildcard name ready (e.g. *.vogels.com).
  • Access to a Certificate Authority — Sectigo, DigiCert, GlobalSign, etc.

Step 1 — Create the CSR in IIS

Open IIS Manager

Press Win + R, type inetmgr, and press Enter.

Select the server node

In the left-hand Connections panel, click the top-level entry — your server name, not a site.

Open Server Certificates

In the centre panel (Features View), double-click Server Certificates.

Start the CSR wizard

In the right-hand Actions panel, click Create Certificate Request…

Fill in the Distinguished Name properties

FieldExample
Common Name*.vogels.com (wildcard) or www.vogels.com (single domain)
OrganisationVogel's Holding B.V.
Organisational UnitICT Department
City / LocalityEindhoven
State / ProvinceNoord-Brabant
Country / RegionNL

Click Next.

Choose the Cryptographic Service Provider

  • Provider: Microsoft RSA SChannel Cryptographic Provider
  • Bit length: 2048 minimum recommended — use 4096 for higher security

Click Next.

Save the CSR file

Choose a location and filename, e.g. C:\Certs\vogels_com.csr, then click Finish.

A plain-text .csr file is created and the matching private key is stored inside the Windows Certificate Store automatically. Do not delete it or move it to another machine.

Step 2 — Submit the CSR to your CA

Open the CSR

Open the .csr file in Notepad. It looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICyz...
-----END NEW CERTIFICATE REQUEST-----

Copy the full contents

Copy everything, including the BEGIN and END lines.

Paste into your CA portal

Log in to your CA (Sectigo, DigiCert, etc.), paste the CSR into the provided field, and complete the order.

Download the issued certificate

After validation, the CA provides:

  • A .crt or .cer file — your certificate.
  • A bundle or chain file — the intermediate certificates.

Save these on the same server that generated the CSR.

Step 3 — Complete the request in IIS

This step must be performed on the same server where the CSR was created. The private key in the Windows Certificate Store must match the certificate being installed.

Reopen Server Certificates

Open IIS Manager (inetmgr), click the server node, and double-click Server Certificates.

Complete the request

In the Actions panel, click Complete Certificate Request…

Fill in the dialog

FieldValue
File name (.cer)Browse to the .crt from the CA, e.g. wildcard_vogels_com.crt
Friendly nameA memorable label, e.g. wildcard.vogels.com 2026
Certificate storePersonal

Click OK.

Verify

The certificate should now appear in the Server Certificates list under the friendly name you entered. If you hit an error, see Troubleshooting.

Step 4 — Export as a .PFX file

A .PFX (PKCS#12) file bundles the certificate and private key into one portable file — use it to install the certificate on other servers, load balancers, Azure, or anything requiring a .PFX.

Open the Certificate Manager

Press Win + R, type certlm.msc, and press Enter.

Find your certificate

In the left panel, expand Personal → Certificates and locate the certificate by its friendly name.

Start the export

Right-click the certificate → All Tasks → Export…, then click Next.

Include the private key

Select Yes, export the private key, then click Next.

Choose the format

Select Personal Information Exchange – PKCS #12 (.PFX) and tick:

  • Include all certificates in the certification path if possible
  • Export all extended properties

Click Next.

Set a password

Tick Password, then enter and confirm a strong export password.

Keep this password safe — it's required to import the .PFX. Anyone with both the file and the password can impersonate your domain.

Save the file

Browse to a location and filename, e.g. D:\Certs\wildcard_vogels_com.pfx, then click Next → Finish.

The result is a .PFX file containing both the certificate and its private key.

Step 5 — Convert with OpenSSL (optional)

If another system needs separate .crt and .key files, extract them from the .PFX using OpenSSL Light on Windows. You'll be prompted for the export password from Step 4.

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key
openssl pkcs12 -in certificate.pfx -nodes -out certificate.pem

Troubleshooting

Important notes

A few things worth keeping in mind for the long run:

  • Never move or rebuild the server between creating the CSR and completing the request — the private key will be lost.
  • Store the .PFX and its password securely (password manager or encrypted vault).
  • Wildcard certificates (*.vogels.com) cover immediate subdomains but not the root domain (vogels.com) unless the CA includes it separately.
  • Certificate validity is typically one year — set a reminder 60–90 days before expiry to start renewal.
  • When renewing, always generate a fresh CSR; don't reuse old ones.

On this page