Many Windows server administrators encounter this frustrating scenario: You've successfully imported an SSL certificate through the MMC console, completed all the wizards, and everything appears fine—until you refresh the IIS manager or navigate away. The certificate simply disappears from the binding dropdown, leaving you scratching your head.
Understanding Windows certificate storage is crucial. IIS primarily works with these stores:
Cert:\LocalMachine\My # Personal certificates (most common for IIS)
Cert:\LocalMachine\WebHosting # Special store for IIS-hosted sites
Cert:\LocalMachine\Root # Trusted root certificates
The certificate usually "disappears" for one of these reasons:
- Incorrect store selection during import (it must be the Local Machine "Personal" or "Web Hosting" store, not the Current User store)
- Missing private key, or missing read permission on the key file for the IIS application pool identity
- Certificate chain issues where intermediate CAs aren't installed in Cert:\LocalMachine\CA
- Cryptographic provider compatibility problems (the key lives in a CSP or KSP that HTTP.sys cannot use)
Verify proper store placement:
# PowerShell command to list all certificates in Personal store
Get-ChildItem -Path Cert:\LocalMachine\My | Format-List Subject,Thumbprint,HasPrivateKey
Fix private key permissions (this snippet only works for legacy CSP/CAPI keys; for CNG keys $cert.PrivateKey is $null in PowerShell 5.1 and the key file lives under Crypto\Keys instead):
# Grant the IIS AppPool identity read access to the private key file (CSP keys only)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq "YOUR_THUMBPRINT"}
$keyPath = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$fullPath = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyPath"
icacls $fullPath /grant "IIS AppPool\DefaultAppPool:R"   # read is all IIS needs; never grant Modify or Full Control on a key file
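The snippet above fails on certificates whose key was imported through a CNG key storage provider, which is what most modern PFX imports produce. The following is an added example, not code from the original article: it resolves the key file for both CSP (CAPI) keys under Crypto\RSA\MachineKeys and CNG keys under Crypto\Keys, grants read only, and prints the resulting ACL so the grant can be confirmed. It assumes an elevated PowerShell session on the IIS host; the thumbprint and the "IIS AppPool\DefaultAppPool" identity are placeholders.

```powershell
# Added example: grant an identity read access to a certificate's private key file,
# for both legacy CSP (CAPI) keys and CNG (KSP) keys.
# Assumptions: elevated session on the IIS host; the thumbprint and identity are placeholders.

function Get-PrivateKeyFilePath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store; re-import the PFX."
    }
    # GetRSAPrivateKey returns RSACng for CNG keys and RSACryptoServiceProvider for CSP keys;
    # it returns $null for non-RSA (e.g. ECDSA) certificates
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) {
        throw "Certificate $($Certificate.Thumbprint) does not carry an RSA private key; this helper only handles RSA."
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG (KSP) machine keys: Crypto\Keys, file named by the key's unique name
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
        $name = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP (CAPI) machine keys: Crypto\RSA\MachineKeys, file named by the container name
        $dir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw "Key type $($rsa.GetType().FullName) is not handled here (e.g. hardware-backed keys)."
    }
    $path = Join-Path $dir $name
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Key file $path not found; check whether the key is user-scoped or hardware-backed."
    }
    return $path
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Identity = 'IIS AppPool\DefaultAppPool'
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

    $path = Get-PrivateKeyFilePath -Certificate $cert
    # Read (R) is all IIS needs to use the key; never grant Modify or Full Control on a key file
    & icacls.exe $path /grant "${Identity}:R" | Out-Null

    # Show the resulting ACL entry so the grant can be confirmed
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference -like "*$Identity*" } |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

# Placeholder values: replace with the real thumbprint and application pool name
Grant-PrivateKeyRead -Thumbprint 'YOUR_THUMBPRINT' -Identity 'IIS AppPool\DefaultAppPool'
```

If the key file cannot be found for a certificate that reports HasPrivateKey, the key usually lives in the importing user's profile rather than the machine store, which is exactly the Local Machine versus Current User mismatch described above; re-import the PFX into Cert:\LocalMachine\My rather than hunting for the file.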
Sometimes bypassing the GUI solves the problem. Import straight into the machine Personal store; prompting for the password keeps it out of your shell history and transcript:
Import-PfxCertificate -FilePath "C:\path\to\cert.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password (Read-Host -Prompt "PFX password" -AsSecureString)
Do not "reset the certificate subsystem" by deleting the contents of %ProgramData%\Microsoft\Crypto\RSA\MachineKeys. That folder holds the private keys of every machine-store certificate on the host, including ones bound to other sites and used by other Windows components. Removing the files does not make a certificate stick; it destroys the keys, and the only recovery is re-importing each affected PFX. If one certificate has lost its link to a key that still exists, repair that single association instead:
certutil -repairstore My "YOUR_THUMBPRINT"
Restarting the Cryptographic Services service is harmless if you want to rule it out:
net stop cryptsvc
net start cryptsvc
Cross-check certificate visibility using:
- MMC Certificates snap-in
- PowerShell Get-ChildItem cmdlet
- certlm.msc console (Local Machine store; certmgr.msc only shows the Current User store, which IIS does not read)
- IIS Manager itself
If you've successfully imported an SSL certificate through the MMC snap-in but find it disappears when switching IIS views, you're not alone. This typically happens because the certificate landed in a store IIS does not read (most often the Current User store) or because it has no usable private key in the machine store.
IIS only lists certificates that live in one of two Local Machine stores:
- Personal store (MY) of the Computer account
- Web Hosting store (created when the IIS role is installed, IIS 8 and later)
First, verify the certificate exists in the correct store using PowerShell:
# Check certificate in Personal store
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*yourdomain.com*"}
# Check Web Hosting store (specific to IIS)
Get-ChildItem -Path Cert:\LocalMachine\WebHosting | Where-Object {$_.Subject -like "*yourdomain.com*"}
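The two commands above only tell you whether a subject string appears in a store. The following is an added example, not code from the original article: it searches the two stores IIS reads plus the Current User store where a GUI import often lands, and for each match reports whether a private key is present, whether IIS could use it from that store, and whether the chain builds (a failed chain build is the "intermediate CA not installed" cause from the list above). 'yourdomain.com' is a placeholder; revocation checking is disabled so the check runs offline.

```powershell
# Added example: find a site certificate across the stores that matter and report why IIS might not show it.
# Assumptions: run on the IIS host; 'yourdomain.com' is a placeholder subject fragment.

function Find-SiteCertificate {
    param([Parameter(Mandatory)][string]$SubjectPattern)

    # Stores IIS reads, plus CurrentUser\My to catch the classic "imported into the wrong account" mistake
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting', 'Cert:\CurrentUser\My'

    foreach ($store in $stores) {
        # The Web Hosting store only exists once the IIS role (8+) is installed
        if (-not (Test-Path -Path $store)) { continue }

        Get-ChildItem -Path $store | Where-Object { $_.Subject -like "*$SubjectPattern*" } | ForEach-Object {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: only check that intermediates/roots are present
            $chainOk = $chain.Build($_)
            $status = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
            $chain.Reset()

            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                # IIS can only bind a cert that is in a LocalMachine store and has its private key
                UsableByIIS   = ($store -like 'Cert:\LocalMachine\*') -and $_.HasPrivateKey
                ChainStatus   = $status
            }
        }
    }
}

Find-SiteCertificate -SubjectPattern 'yourdomain.com' | Format-Table -AutoSize
```

A row in Cert:\CurrentUser\My with HasPrivateKey = True and nothing in the machine stores is the store-location mismatch described below: the import went into the wrong account and needs to be repeated against Local Machine. A machine-store row with HasPrivateKey = False means the certificate was imported from a .cer rather than the PFX, and no amount of permission fixing will help.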
1. Store Location Mismatch: During import, ensure you select "Local Machine" as the store location, not "Current User".
2. Missing Private Key: certutil lists the provider and key container for each certificate, so you can see whether a private key is associated at all and whether it is a CSP (CAPI) or KSP (CNG) key. The permissions on that key file still have to be checked separately with icacls:
certutil -store My "YOUR_THUMBPRINT"
3. Stale IIS Manager view: IIS Manager reads the store when the Site Bindings dialog opens, so close and reopen the dialog (or IIS Manager) after importing. Bindings themselves live in applicationHost.config, and nothing under inetsrv\config needs to be deleted. If you want to restart IIS to be sure:
iisreset
If basic troubleshooting fails, try recreating the certificate binding programmatically. Select the certificate by thumbprint rather than subject, since a renewed certificate shares its CN with the old one and a subject match can return the wrong (or several) certificates:
Import-Module WebAdministration
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq "YOUR_THUMBPRINT"}
# SslFlags 1 = SNI, which requires a host name on the binding
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443 -HostHeader "yoursite.com" -SslFlags 1
$binding = Get-WebBinding -Name "Default Web Site" -Protocol "https" -HostHeader "yoursite.com"
$binding.AddSslCertificate($cert.Thumbprint, "My")
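The binding snippet above is not idempotent and gives no feedback. The following is an added example, not code from the original article: it wraps the same WebAdministration calls in a function that refuses certificates without a private key, creates the SNI binding only if it is missing, attaches the certificate by thumbprint, and then asks HTTP.sys what it actually holds, which is the authoritative view of whether the binding "stuck". It assumes an elevated session with the WebAdministration module available; the site name, host name and thumbprint are placeholders.

```powershell
# Added example: bind a certificate by thumbprint to a site and verify the binding from HTTP.sys.
# Assumptions: elevated session on the IIS host with the WebAdministration module; placeholder values below.
Import-Module WebAdministration

function Set-SiteSslBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Thumbprint,
        [int]$Port = 443
    )
    # Select by thumbprint, never by subject: renewals leave several certificates with the same CN
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in the machine store; re-import the PFX" }

    $bindingInfo = "*:${Port}:${HostName}"

    # Create the site binding only if it is missing (SslFlags 1 = SNI, so the host name is required)
    $existing = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq $bindingInfo }
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName -SslFlags 1
    }

    # Attach the certificate to the HTTP.sys SSL binding for that host name and port
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -eq $bindingInfo }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')

    # Verify from HTTP.sys's point of view: the certificate hash and store name shown here are what IIS will serve
    netsh http show sslcert hostnameport="${HostName}:${Port}"
}

# Placeholder values: replace with the real site, host name and thumbprint
Set-SiteSslBinding -SiteName 'Default Web Site' -HostName 'yoursite.com' -Thumbprint 'YOUR_THUMBPRINT'
```

If netsh shows the binding with the expected hash but browsers still get a handshake failure, the problem is the private key (missing or unreadable by the worker process), not the binding; go back to the key permission fix.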
Always use the IIS Manager for certificate operations when possible. The recommended workflow:
- Generate Certificate Signing Request (CSR) through IIS
- Complete the certificate request in IIS
- Bind the certificate to your site within IIS Manager