How to Combine Separate .CER and .KEY Files into an SSL Certificate in IIS 7



Many enterprise clients provide SSL certificates as separate files, typically a .cer (the certificate, which carries the public key) and a .key (the private key). IIS 7 expects certificates in the PKCS#12 format (.pfx), which contains both components. Here's how to bridge this gap.

  • OpenSSL installed (available in Git Bash or Windows Subsystem for Linux)
  • Both certificate files (.cer and .key)
  • Administrative access to the IIS server

The most reliable method is combining the files using OpenSSL:

openssl pkcs12 -export -out combined.pfx -inkey private.key -in public.cer

You'll be prompted to:
1. Enter a password for the PFX file (required by IIS)
2. Verify the password

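If you prefer GUI tools (the private-key export option in step 4 is only offered when the Windows certificate store already holds the matching private key, for example because the certificate request was generated on this machine):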

  1. Open MMC → Add Certificates snap-in
  2. Import the .cer file (don't select private key options)
  3. Right-click the certificate → All Tasks → Export
  4. Choose "Yes, export the private key" and select PFX format

Once you have the .pfx:

Import-Module WebAdministration
# Prompt for the PFX password rather than hardcoding it in the script
$securePass = Read-Host -Prompt "PFX password" -AsSecureString
Import-PfxCertificate -FilePath C:\path\to\combined.pfx -Password $securePass -CertStoreLocation Cert:\LocalMachine\My

Then bind it to your site through IIS Manager or PowerShell:

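# IP:port HTTPS binding; -SslFlags (SNI) is only available from IIS 8 onward
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443
# Pick the certificate by subject; confirm that exactly one certificate matches
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -match "yourdomain\.com"}
New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Value $cert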

Check the binding worked:

Get-ChildItem -Path IIS:\SslBindings

Then test with OpenSSL:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Common issues:

  • Password errors: IIS requires PFX passwords, even if blank
  • Permission issues: Run tools as Administrator
  • Certificate chain: Intermediate CAs may need separate import

When working with IIS 7, you'll often need to import SSL certificates for HTTPS binding. A common challenge arises when the certificate is provided as two separate files: the certificate carrying the public key (.cer) and the private key (.key). IIS typically expects these components to be combined into a single .pfx file for proper installation.

Before proceeding, ensure you have:

1. The public key file (extension .cer or .crt)
2. The private key file (extension .key)
3. OpenSSL installed on your system
4. Administrative access to the IIS server

The most reliable method involves using OpenSSL to combine the files:

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in public.cer

This command will prompt you to:

1. Enter an export password (remember this for IIS import)
2. Verify the export password

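If OpenSSL isn't available, you can try this workaround. Note that the exported .pfx includes the private key only if the server's certificate store already holds it; a .cer imported on its own carries no private key: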

1. Open IIS Manager
2. Navigate to Server Certificates
3. Click "Import" and select the .cer file
4. After import, right-click the certificate and select "Export"
5. This creates a .pfx file which you can then use for binding

After creating the .pfx file, verify its contents:

openssl pkcs12 -info -in certificate.pfx
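
The OpenSSL combine and verify steps above, scripted with two checks the bare commands do not make: that the .key actually belongs to the .cer, and that the finished .pfx opens with the chosen password. This is an added example, not part of the original article; the function names and the PFX_PASS variable are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. PFX_PASS is an assumed variable name.

# Print the certificate as PEM. A .cer exported from Windows is often
# DER-encoded; normalising it means every later step sees one format.
cert_as_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Succeed only when the certificate's public key equals the one derived
# from the private key file (assumes an unencrypted key).
key_matches_cert() {   # usage: key_matches_cert <cert> <key>
    local from_cert from_key
    from_cert=$(cert_as_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Build the PFX without prompts, then re-open it with the same password.
build_pfx() {          # usage: build_pfx <cert> <key> <out.pfx>
    [ -n "${PFX_PASS:-}" ] || { echo "set PFX_PASS first" >&2; return 3; }
    export PFX_PASS    # read by openssl via env:, so it never appears in argv
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077        # the PFX holds the private key: owner-only from creation
      cert_as_pem "$1" |
          openssl pkcs12 -export -inkey "$2" -out "$3" -passout env:PFX_PASS
    ) || return 1
    openssl pkcs12 -in "$3" -passin env:PFX_PASS -noout 2>/dev/null
}
```

Set PFX_PASS in the shell session (for example with `read -rs PFX_PASS`), then run `build_pfx public.cer private.key certificate.pfx`; a non-zero exit means the pair did not match or the PFX failed to re-open.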

Once you have the .pfx file:

1. Open IIS Manager
2. Select the target website
3. Click "Bindings"
4. Add HTTPS binding
5. Select the imported certificate from the dropdown
6. Specify hostname if needed
7. Click OK to save

If you encounter problems:

- Error "The specified network password is not correct": 
  Ensure the export password matches during both OpenSSL creation and IIS import

- Error "A specified logon session does not exist":
  Verify private key permissions and ensure it wasn't corrupted during transfer

- Missing certificate in IIS binding dropdown:
  Confirm the certificate was properly imported to the machine store

Remember to:

  • Secure the .pfx file with proper permissions
  • Remove temporary .key files after conversion
  • Consider using certificate stores for better management
  • Store the export password securely (for example in a password manager) for future reference