SSL Certificate Manual for IIS 10
Create a CSR, complete the request, and export to .PFX on Windows Server (2016 / 2019 / 2022).
A complete walkthrough for requesting, completing, and exporting an SSL certificate entirely within IIS 10 — from generating the CSR to producing a portable .PFX bundle.
Overview
When IIS generates a CSR, the private key is stored securely inside the Windows Certificate Store — never as a separate file on disk. In practice this means:
- You don't need a separate
.keyfile when working entirely within IIS. - The CSR and its private key are linked internally by Windows.
- Completing the request in IIS automatically pairs the certificate with its private key, so you can export a full
.PFXbundle.
Never move or rebuild the server between creating the CSR and completing the certificate request. The private key lives only on the machine that generated the CSR — if it's gone, you must start over with a fresh CSR.
Prerequisites
- Windows Server with IIS 10 installed and running.
- Administrator rights on the server.
- A domain or wildcard name ready (e.g.
*.vogels.com). - Access to a Certificate Authority — Sectigo, DigiCert, GlobalSign, etc.
Step 1 — Create the CSR in IIS
Open IIS Manager
Press Win + R, type inetmgr, and press Enter.
Select the server node
In the left-hand Connections panel, click the top-level entry — your server name, not a site.
Open Server Certificates
In the centre panel (Features View), double-click Server Certificates.
Start the CSR wizard
In the right-hand Actions panel, click Create Certificate Request…
Fill in the Distinguished Name properties
| Field | Example |
|---|---|
| Common Name | *.vogels.com (wildcard) or www.vogels.com (single domain) |
| Organisation | Vogel's Holding B.V. |
| Organisational Unit | ICT Department |
| City / Locality | Eindhoven |
| State / Province | Noord-Brabant |
| Country / Region | NL |
Click Next.
Choose the Cryptographic Service Provider
- Provider: Microsoft RSA SChannel Cryptographic Provider
- Bit length:
2048minimum recommended — use4096for higher security
Click Next.
Save the CSR file
Choose a location and filename, e.g. C:\Certs\vogels_com.csr, then click Finish.
A plain-text .csr file is created and the matching private key is stored inside the Windows Certificate Store automatically. Do not delete it or move it to another machine.
Step 2 — Submit the CSR to your CA
Open the CSR
Open the .csr file in Notepad. It looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICyz...
-----END NEW CERTIFICATE REQUEST-----Copy the full contents
Copy everything, including the BEGIN and END lines.
Paste into your CA portal
Log in to your CA (Sectigo, DigiCert, etc.), paste the CSR into the provided field, and complete the order.
Download the issued certificate
After validation, the CA provides:
- A
.crtor.cerfile — your certificate. - A bundle or chain file — the intermediate certificates.
Save these on the same server that generated the CSR.
Step 3 — Complete the request in IIS
This step must be performed on the same server where the CSR was created. The private key in the Windows Certificate Store must match the certificate being installed.
Reopen Server Certificates
Open IIS Manager (inetmgr), click the server node, and double-click Server Certificates.
Complete the request
In the Actions panel, click Complete Certificate Request…
Fill in the dialog
| Field | Value |
|---|---|
| File name (.cer) | Browse to the .crt from the CA, e.g. wildcard_vogels_com.crt |
| Friendly name | A memorable label, e.g. wildcard.vogels.com 2026 |
| Certificate store | Personal |
Click OK.
Verify
The certificate should now appear in the Server Certificates list under the friendly name you entered. If you hit an error, see Troubleshooting.
Step 4 — Export as a .PFX file
A .PFX (PKCS#12) file bundles the certificate and private key into one portable file — use it to install the certificate on other servers, load balancers, Azure, or anything requiring a .PFX.
Open the Certificate Manager
Press Win + R, type certlm.msc, and press Enter.
Find your certificate
In the left panel, expand Personal → Certificates and locate the certificate by its friendly name.
Start the export
Right-click the certificate → All Tasks → Export…, then click Next.
Include the private key
Select Yes, export the private key, then click Next.
Choose the format
Select Personal Information Exchange – PKCS #12 (.PFX) and tick:
- Include all certificates in the certification path if possible
- Export all extended properties
Click Next.
Set a password
Tick Password, then enter and confirm a strong export password.
Keep this password safe — it's required to import the .PFX. Anyone with both the file and the password can impersonate your domain.
Save the file
Browse to a location and filename, e.g. D:\Certs\wildcard_vogels_com.pfx, then click Next → Finish.
The result is a .PFX file containing both the certificate and its private key.
Step 5 — Convert with OpenSSL (optional)
If another system needs separate .crt and .key files, extract them from the .PFX using OpenSSL Light on Windows. You'll be prompted for the export password from Step 4.
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crtopenssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.keyopenssl pkcs12 -in certificate.pfx -nodes -out certificate.pemTroubleshooting
Important notes
A few things worth keeping in mind for the long run:
- Never move or rebuild the server between creating the CSR and completing the request — the private key will be lost.
- Store the
.PFXand its password securely (password manager or encrypted vault). - Wildcard certificates (
*.vogels.com) cover immediate subdomains but not the root domain (vogels.com) unless the CA includes it separately. - Certificate validity is typically one year — set a reminder 60–90 days before expiry to start renewal.
- When renewing, always generate a fresh CSR; don't reuse old ones.