Installing a Password-Protected PFX TLS Certificate on IIS (Windows Server 2016 / 2022)

Cloudmersive Private Cloud terminates inbound HTTPS traffic on Windows Server 2016 and Windows Server 2022 using IIS when installing on virtual machine. If you have a TLS certificate in PFX/P12 format (with an import password), this guide walks through:

1. Importing the PFX into the correct Windows certificate store
2. Adding (or updating) an HTTPS binding in IIS so the site serves HTTPS

Applies to

• Cloudmersive Private Cloud deployments terminating traffic on:

  • Windows Server 2016 (IIS 10)
  • Windows Server 2022 (IIS 10)

• TLS certificate file format:

  • .pfx / .p12 containing the certificate and private key
  • Protected by a password

Prerequisites

Before you start, confirm you have:

• Local administrator access on the IIS server
• The PFX file (example: yourdomain.pfx)
• The PFX password
• The IIS site already created (or known site name)
• Port 443 allowed through any Windows Firewall rules / upstream network controls

Security note: A PFX contains your private key. Treat it like a secret:

• Transfer it securely
• Store it only as long as needed
• Delete it from disk after import (or move it to a secured location)

Step 1: Copy the PFX to the IIS server

Copy the .pfx file to the server using an approved secure method. A common approach is placing it temporarily in a protected folder such as:

• C:\Temp\certs\ (create the folder, restrict access to Administrators)

Avoid leaving certificates on desktop folders or shared network drives longer than necessary.

Step 2: Import the PFX certificate

You can import the PFX using IIS Manager.

Import using IIS Manager

1. Open IIS Manager

   • Press Win + R, type inetmgr, press Enter

2. In the left pane, click the server name (top-level node)

3. Double-click Server Certificates

4. In the right Actions pane, click Import…

5. In the Import dialog:

   • Certificate file: Browse to your .pfx

   • Password: Enter the PFX password

   • Certificate store: Select Personal

   • Allow this certificate to be exported:

     • Checked so that IIS can read the certificate

6. Click OK

7. Confirm the certificate now appears in the Server Certificates list

Certificate chain note (intermediates)

Most PFX bundles include intermediate certificates, but not always. If browsers show chain warnings after install:

• Ensure intermediate CA certificates are present under:
  Certificates (Local Computer) → Intermediate Certification Authorities → Certificates

If your CA provided separate intermediate .cer files, import those into the Intermediate Certification Authorities store.

Step 3: Add an HTTPS binding in IIS

Once the certificate is imported, you attach it to your site using an HTTPS binding.

1. Open IIS Manager (inetmgr)

2. Expand Sites

3. Click the site you want to secure (e.g., Default Web Site or your Cloudmersive site)

4. In the right Actions pane, click Bindings…

5. Click Add…

6. In the Add Site Binding dialog:

   • Type: https

   • IP address:

     • All Unassigned (common), or choose a specific IP if needed

   • Port: 443 (default)

   • Host name:

     • Leave blank if the site is the only HTTPS site on that IP:443
     • Enter a hostname (e.g., api.example.com) if using SNI / multiple sites

   • SSL certificate: Select the imported certificate from the dropdown

   • Require Server Name Indication (SNI):

     • Enable this if you are hosting multiple HTTPS sites on the same IP:443
     • Typically used when you set a Host name

7. Click OK

8. Click Close on the Site Bindings window

Multiple sites on one IP (SNI):
If you have more than one HTTPS site on the same server/IP/port, use:

• A unique Host name per site binding
• Require Server Name Indication (SNI) checked
  Otherwise, IIS may present the wrong certificate.

Step 4: Verify HTTPS is working

Browser verification

From a client machine, test:

• https://your-domain-or-hostname/

Confirm:

• The browser shows a valid lock icon
• The certificate subject/SAN matches the hostname
• No chain warnings

Common troubleshooting

The certificate does not appear in the IIS certificate dropdown

Most common causes:

• Imported into Current User store instead of Local Computer
• Imported without the private key

Fix:

• Re-import the PFX into Certificates (Local Computer) → Personal

HTTPS works but clients show “certificate not trusted” or chain errors

Cause:

• Missing intermediate certificates on the server

Fix:

• Import the intermediate CA certificate(s) into:
  Intermediate Certification Authorities (Local Computer)

You can’t import the PFX / password fails

Cause:

• Wrong password, corrupted PFX, or the file was altered during transfer

Fix:

• Re-download/re-export the PFX from the source
• Confirm password directly with the certificate issuer/export process

IIS shows the wrong certificate for the hostname

Cause:

• Multiple sites share IP:443 without proper SNI hostnames
• Binding hostnames not set correctly

Fix:

• Ensure each site has:

  • https binding with correct Host name
  • SNI enabled
  • Correct certificate selected

Operational tips

• If Cloudmersive Private Cloud is deployed across multiple IIS servers, install the certificate on each server that terminates HTTPS.

• Keep a renewal runbook:

  1. Import the new PFX
  2. Update the IIS binding to point to the new certificate
  3. Verify externally
  4. Remove (optional) expired certificates from the store