Generate CSR in IIS & Convert CER to PFX: Your Windows Server SSL Guide


Setting up SSL/TLS on a Windows Server running Internet Information Services (IIS) involves a specific workflow. It starts with using the built-in tools to generate a CSR in IIS, which creates the request file you send to a Certificate Authority (CA). Once the CA issues your certificate (often as a .cer file), you’ll typically need to install it back into IIS and then potentially convert CER to PFX to back up or migrate the certificate and its vital private key.

This guide walks you through both processes step-by-step, ensuring you can easily request and manage your SSL certificates within the Windows Server environment.

Key Takeaways

  • IIS for CSR: Windows IIS Manager provides a user-friendly interface to generate a CSR directly on your server.
  • Private Key Handling: When you generate a CSR in IIS, Windows automatically creates a corresponding private key and keeps it pending in the background, associated with that request.
  • CER File: The .cer (or .crt) file you receive from the CA is your public certificate but does not contain the private key.
  • PFX Necessity: A PFX (.pfx or .p12) file bundles the public certificate, the private key, and often intermediate certificates into a single, password-protected file. You often need to convert CER to PFX for backups, migrating to other Windows servers, or for certain applications.
  • Conversion Process: Converting CER to PFX after using IIS for CSR generation typically involves first completing the certificate request in IIS (which installs the CER and pairs it with the stored private key), and then using the MMC (Microsoft Management Console) to export the installed certificate with its private key into the PFX format.

Part 1: Step-by-Step: Generate CSR in IIS

Using IIS Manager is the most integrated way to start the certificate process on a Windows web server.

Steps:

  1. Open IIS Manager:
    • Press Win + R, type inetmgr, and press Enter.
    • Alternatively, search for “Internet Information Services (IIS) Manager” from the Start menu.
  2. Navigate to Server Certificates:
    • In the Connections pane on the left, click on your server’s hostname.
    • In the center pane (under the IIS section), double-click on Server Certificates.
  3. Start the CSR Wizard:
    • In the Actions pane on the right, click on Create Certificate Request.... This launches the Request Certificate wizard.
  4. Distinguished Name Properties:
    • Fill in the following fields accurately. This information is included in your CSR and will be validated by the CA.
      • Common Name (CN): Required. The fully qualified domain name (FQDN) that the certificate will secure (e.g., www.yourdomain.com, mail.yourdomain.com). This must match exactly what users type in their browser.
      • Organization (O): Required. Your legal company or organization name.
      • Organizational Unit (OU): Optional. Your department (e.g., IT, Web Security, Marketing).
      • City/locality (L): Required. The city where your organization is located.
      • State/province (S): Required. The state or province (spell out fully, no abbreviations).
      • Country/region (C): Required. Your two-letter ISO country code (e.g., US, GB, FR, CA).
    • Click Next.
  5. Cryptographic Service Provider Properties:
    • Cryptographic service provider: Leave the default Microsoft RSA SChannel Cryptographic Provider unless you have a specific reason to change it.
    • Bit length: Select 2048 or higher from the dropdown. 2048 bits is the current industry standard minimum. (NIST SP 800-57 Part 1 Rev. 5 recommends RSA keys of at least 2048 bits for adequate security.)
    • Click Next.
  6. File Name:
    • Click the ... button to browse to a location where you want to save the CSR file.
    • Enter a filename (e.g., yourdomain_csr.txt). Choose a location you can easily access, like your Desktop or a dedicated SSL folder.
    • Click Finish.

You have now successfully used IIS to generate your CSR! The file (e.g., yourdomain_csr.txt) contains the text block starting with -----BEGIN NEW CERTIFICATE REQUEST-----. You will copy and paste this entire block into the SSL certificate order form on the CA’s website (like SSLRepo).

Important: IIS has also generated a corresponding private key and stored it securely within the Windows system, associated with this pending request.

Part 2: Receiving and Installing Your Certificate (The .CER File)

After submitting your CSR and completing validation, the CA will issue your SSL certificate, usually via email or download. This is often provided as a .cer or .crt file. You may also receive intermediate certificate files (.ca-bundle).

You need to install this certificate back into IIS to pair it with the waiting private key:

  1. Save Certificate Files: Save the .cer file and any intermediate .ca-bundle files provided by the CA onto your server.
  2. Open IIS Manager and navigate back to Server Certificates.
  3. Complete Request: In the Actions pane, click Complete Certificate Request....
  4. Specify Certificate File:
    • Browse to the .cer file you received from the CA.
    • Enter a Friendly name. This is for your reference in IIS (e.g., yourdomain.com_SSL_2025). Choose a name that helps you identify the certificate easily.
    • Select a certificate store. Personal is usually the correct choice for web server certificates.
    • Click OK.

If successful, the certificate will now appear in the Server Certificates list, and it’s now paired with the private key generated earlier. You can proceed to bind this certificate to your website(s) in IIS.

(Note: If you received intermediate certificates, they often need to be installed separately using the MMC Certificates Snap-in under Intermediate Certification Authorities).

Part 3: How to Convert CER to PFX (Using the Installed Certificate)

Now that your .cer file is installed in IIS and paired with its private key, you can export both into a single, secure PFX file. This is done using the Microsoft Management Console (MMC), not directly within IIS Manager.

Steps:

  1. Open MMC: Press Win + R, type mmc, press Enter, and click ‘Yes’ if prompted.
  2. Add Certificates Snap-in:
    • File > Add/Remove Snap-in....
    • Select Certificates, click Add >.
    • Choose Computer account, click Next.
    • Select Local computer, click Finish, then OK.
  3. Locate Your Installed Certificate:
    • Expand Certificates (Local Computer) > Personal > Certificates.
    • Find the certificate you just installed using the “Friendly name” you provided. You should see a small key icon next to it, indicating it has an associated private key.
  4. Start Export:
    • Right-click the certificate > All Tasks > Export....
  5. Certificate Export Wizard:
    • Click Next.
    • Select Yes, export the private key. This option MUST be available. If it’s greyed out, the private key isn’t associated correctly, wasn’t generated properly, or you’re not on the machine where the CSR was generated.
    • Click Next.
  6. Choose Format:
    • Select Personal Information Exchange - PKCS #12 (.PFX).
    • Tick Include all certificates in the certification path if possible (recommended).
    • Tick Export all extended properties (optional but can be useful).
    • Do not tick Delete the private key if the export is successful unless you are absolutely sure.
    • Click Next.
  7. Set Password:
    • Check the Password box.
    • Enter and confirm a strong password to protect the PFX file. Store this password securely! You’ll need it to import the PFX elsewhere.
    • Choose an encryption algorithm (AES256-SHA256 is a strong default).
    • Click Next.
  8. Save the File:
    • Click Browse..., choose a secure location, and enter a filename (e.g., yourdomain_backup.pfx).
    • Click Save, then Next.
  9. Finish: Click Finish. You should see a success message.

You now have a .pfx file containing your certificate and its private key, ready for backup or migration.
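
The same export can be scripted instead of clicked through. The PowerShell below is an added example, not part of the original guide: it checks that the installed certificate is paired with a private key, exports it with its chain, and reads the PFX back to confirm its contents. The friendly name and output path are assumed values, and the target folder must already exist.

```powershell
# Added example: scripted form of the Part 3 export. Run in an elevated session.
# Assumed values: the friendly name from Part 2 and a hypothetical output path.
$friendlyName = 'yourdomain.com_SSL_2025'
$pfxPath      = 'C:\SSL\yourdomain_backup.pfx'

# Look in the Local Computer > Personal store, as in step 3.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($found.Count -ne 1) {
    throw "Expected one certificate named '$friendlyName', found $($found.Count)."
}
$cert = $found[0]

# Equivalent of the key icon in MMC: without a paired private key there is
# nothing to put in the PFX, and the wizard option would be greyed out.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is not paired with a private key on this machine."
}

# Prompt for the PFX password so it never appears in the script or history.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# BuildChain corresponds to "Include all certificates in the certification path".
# -CryptoAlgorithmOption needs Windows Server 2019 / Windows 10 1809 or later;
# omit it on older systems. The call fails if the key is marked non-exportable.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
    -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# Read the file back to confirm it holds the expected certificate and chain.
$pfx  = Get-PfxData -FilePath $pfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $leaf) {
    throw "Exported PFX does not contain certificate $($cert.Thumbprint)."
}

# Summary of what was exported, for the backup record.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    ChainCerts = @($pfx.OtherCertificates).Count
    PfxPath    = $pfxPath
}
```

A ChainCerts value of 0 means no intermediates were bundled, which usually indicates they are not yet installed in the Intermediate Certification Authorities store.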

Wrapping It Up

Using IIS Manager to generate a CSR on Windows streamlines the initial step of getting an SSL certificate for your website. After installing the issued .cer file back into IIS, you can easily convert CER to PFX (along with the essential private key) using the MMC Certificates snap-in. This PFX file serves as a vital backup and allows for easy migration to other Windows servers.

Remember to handle your private key and PFX files with extreme care. Once you’ve generated your CSR using IIS, visit SSLRepo to get your certificate from trusted CAs at competitive prices.

Frequently Asked Questions (FAQ)

Q1: Can I generate a CSR for multiple domains (SAN certificate) using IIS?
A: The standard IIS CSR wizard only allows entering one Common Name. To generate a CSR for multiple domains (Subject Alternative Names, or SANs), you typically need to use the MMC Certificates snap-in method (Create Custom Request...) or PowerShell commands (New-SelfSignedCertificate with the -DnsName parameter; this creates a self-signed certificate initially, though the request part can be adapted), both of which offer more flexibility.
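
A further scripted route to a SAN request, shown here as an added example that is not part of the original guide, is the built-in certreq.exe tool driven by an INF file. The subject values, DNS names and file paths are placeholders, and the key settings mirror the choices made in the IIS wizard in Part 1.

```powershell
# Added example: SAN CSR via certreq.exe. Run in an elevated session.
# Hypothetical paths; the folder must already exist.
$infPath = 'C:\SSL\yourdomain_san.inf'
$csrPath = 'C:\SSL\yourdomain_san_csr.txt'

# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject       = "CN=www.yourdomain.com, O=Your Organization, L=Your City, S=Your State, C=US"
KeyLength     = 2048
; KeySpec 1 = key exchange; KeyUsage 0xA0 = digitalSignature + keyEncipherment
KeySpec       = 1
KeyUsage      = 0xA0
; Keep the key in the Local Computer store, and allow the later PFX export
MachineKeySet = TRUE
Exportable    = TRUE
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType  = 12
RequestType   = PKCS10
HashAlgorithm = SHA256

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension
2.5.29.17 = "{text}"
_continue_ = "dns=www.yourdomain.com&"
_continue_ = "dns=mail.yourdomain.com"
'@

Set-Content -Path $infPath -Value $inf -Encoding Ascii

# Creates the key pair on this machine and writes the PKCS #10 request.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq -new failed with exit code $LASTEXITCODE."
}

# Decode the request and confirm every DNS name is present before submitting it.
certutil.exe -dump $csrPath | Select-String -Pattern 'DNS Name='
```

Once the CA issues the certificate, running certreq.exe -accept with the path to the .cer file on the same server pairs it with the pending private key.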

Q2: I generated the CSR in IIS, but when I try to export to PFX, the “Yes, export the private key” option is greyed out. What’s wrong?
A: This usually means the certificate installation (Complete Certificate Request...) didn’t correctly pair the certificate with the pending private key. This could happen if you tried to complete the request on a different server than where you generated the CSR, or if there was an issue during the process. You might need to remove the failed request/certificate and potentially re-generate the CSR and re-issue the certificate.

Q3: Do I need to install intermediate certificates before exporting to PFX?
A: It’s best practice to install any required intermediate certificates before exporting to PFX. Checking the box Include all certificates in the certification path if possible during the PFX export should bundle them, but ensuring they are installed first provides redundancy.

Q4: Can I directly convert a standalone .cer file to .pfx without IIS or MMC?
A: You can only create a PFX file if you have both the certificate (.cer) and its corresponding private key (.key). If you have these as separate files (less common in the pure IIS workflow), you could use a tool like OpenSSL with a command like: openssl pkcs12 -export -out your.pfx -inkey your.key -in your.cer. However, when generating the CSR via IIS, the private key isn’t typically saved as a separate .key file accessible to the user; it’s managed by Windows internally until exported via MMC.

Q5: Is the PFX file secure?
A: The PFX file itself is secured by the password you set during the export process. Use a strong, unique password and store the PFX file in a secure location, treating it as sensitively as you would the private key itself.
