SSL certificate on IIS

Install a TLS certificate on IIS, HTTPS binding, and renewal on a Windows VPS.

IIS (Internet Information Services) hosts websites on Windows Server. To serve HTTPS you need a TLS certificate whose Subject Alternative Name covers the site's host name, imported together with its private key into the Local Computer certificate store, and an https binding on port 443 that points at that certificate.

Prerequisites

  • Windows VPS with IIS installed and a working HTTP site
  • Domain name pointing to the VPS public IP (A record)
  • Port 443/TCP open inbound (Windows Firewall, plus the HolyCloud firewall if one is enabled on the VPS)
  • Administrator rights

Verify IIS and the site

Get-Service W3SVC
Get-Website
Get-WebBinding -Name 'Default Web Site'

Install the IIS role if needed:

Install-WindowsFeature Web-Server -IncludeManagementTools
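Before requesting or importing anything it is worth checking the prerequisites from the list above in one go. The script below is an added example, not part of the HolyCloud page; it assumes the site is 'Default Web Site' and the host name is www.votredomaine.fr, and it creates the Windows Firewall rule for 443 if none exists.

```powershell
# Added preflight check (not from the page). Assumptions: site 'Default Web Site', host www.votredomaine.fr.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$HostName = 'www.votredomaine.fr'

# 1. IIS must be running and the site must exist before a certificate can be bound to it
$svc = Get-Service W3SVC
if ($svc.Status -ne 'Running') { throw "W3SVC is $($svc.Status); start IIS before continuing." }
$site = Get-Website -Name $SiteName
if (-not $site) { throw "Site '$SiteName' not found; check Get-Website." }
"Site '$SiteName' (ID $($site.id)) is $($site.state)"   # the ID is what win-acme --siteid expects

# 2. DNS: the A record must resolve to this VPS, otherwise ACME validation and browsers both fail
$dnsIps   = @((Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress)
$localIps = @((Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -ne 'WellKnown').IPAddress)
"A record(s) for ${HostName}: $($dnsIps -join ', ')"
if (-not ($dnsIps | Where-Object { $localIps -contains $_ })) {
  Write-Warning 'No A record matches a local address (expected behind NAT; otherwise fix the DNS record).'
}

# 3. Windows Firewall: an enabled inbound allow rule for TCP/443 must exist; create one if it does not
$rules443 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
  $pf = $_ | Get-NetFirewallPortFilter
  $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '443')
}
if (-not $rules443) {
  New-NetFirewallRule -DisplayName 'IIS HTTPS (TCP 443)' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow -Profile Any | Out-Null
  'Created inbound firewall rule for TCP/443.'
} else {
  "TCP/443 already allowed by: $($rules443.DisplayName -join ', ')"
}
# The HolyCloud-side firewall is separate from Windows Firewall: open 443/TCP there too if it is enabled.
```

The firewall check only matches rules that list port 443 explicitly; a rule written as a port range will not be detected and a duplicate rule would then be created, which is harmless.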

Option A: Let's Encrypt certificate (win-acme)

win-acme (WACS) automates Let's Encrypt on IIS.

  1. Download the latest win-acme from the official repository.
  2. Extract to C:\Tools\win-acme\.
  3. Run wacs.exe as administrator.

Example command line (non-interactive mode; replace the site ID with the ID column from Get-Website and the contact address with your own):

cd C:\Tools\win-acme
.\wacs.exe --target iis --siteid 1 --installation iis --accepttos --emailaddress admin@votredomaine.fr

win-acme imports the certificate into the Local Computer store (WebHosting by default, falling back to Personal) and creates or updates the site's https binding with SNI enabled.

Scheduled task: win-acme registers a scheduled task that runs daily and renews each certificate well before the 90-day Let's Encrypt expiry. Confirm it exists in Task Scheduler after the first run; if it is missing, renewals will silently never happen.

Option B: commercial or manual PFX certificate

If you have a .pfx file from a CA (it must contain the private key). A password literal in a script ends up in shell history and logs, so for anything beyond a one-off prefer Read-Host -AsSecureString:

$Password = ConvertTo-SecureString -String 'PfxExportPassword' -Force -AsPlainText
# Without -Exportable the private key is stored non-exportable, which is what you want on a web server
Import-PfxCertificate -FilePath 'C:\Certs\votredomaine.pfx' `
  -CertStoreLocation Cert:\LocalMachine\My -Password $Password

List the certificate (note the Thumbprint):

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*votredomaine*' } |
  Format-List Subject, Thumbprint, NotAfter

Create the HTTPS binding in IIS

GUI: IIS Manager → Sites → your site → Bindings → Add:

  • Type: https
  • Port: 443
  • Host name: www.votredomaine.fr
  • Require Server Name Indication: checked (lets several host names share port 443 on one IP)
  • SSL certificate: select the imported certificate

PowerShell:

$Thumb = 'A1B2C3D4E5F6...'   # replace with the actual thumbprint (no spaces)
# SslFlags 1 = require SNI
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 `
  -HostHeader 'www.votredomaine.fr' -SslFlags 1

# Select this binding precisely: with more than one https binding, omitting -HostHeader returns an array
$Binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader 'www.votredomaine.fr'
$Binding.AddSslCertificate($Thumb, 'my')   # 'my' = Cert:\LocalMachine\My (Personal)
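Option B and the binding step are one procedure, and the same procedure is repeated at every commercial renewal. The script below is an added example, not code from the page: it imports the PFX, checks that the certificate actually covers the host name, creates the SNI binding if needed, attaches the new certificate and removes the superseded one. It assumes the site 'Default Web Site', the host www.votredomaine.fr and the file C:\Certs\votredomaine.pfx.

```powershell
# Added example (not from the page): import a PFX, verify it, bind it with SNI, and retire the previous certificate.
# Assumptions: site 'Default Web Site', host www.votredomaine.fr, PFX at C:\Certs\votredomaine.pfx.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$HostName = 'www.votredomaine.fr'
$PfxPath  = 'C:\Certs\votredomaine.pfx'

# Prompt rather than hard-code the password: a literal in a script ends up in history, logs and backups
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# No -Exportable: the private key is stored non-exportable and cannot be pulled back out of the machine store.
# A PFX may carry the chain as well; keep the certificate that owns the private key.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword |
  Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found in the PFX; re-export it with the key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate already expired on $($cert.NotAfter)." }

# The host name must be covered by a SAN entry (exact or matching wildcard); browsers ignore the CN.
# DnsNameList is PowerShell's culture-independent view of the SAN DNS entries.
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$covered  = $dnsNames | Where-Object {
  $_ -eq $HostName -or ($_.StartsWith('*.') -and $HostName -like $_ -and $HostName.Split('.').Count -eq $_.Split('.').Count)
}
if (-not $covered) { throw "SAN [$($dnsNames -join ', ')] does not cover $HostName." }

# Create the https binding with SNI (SslFlags 1) if the site has none for this host yet
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
if (-not $binding) {
  New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
  $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName
}

# Remember what was bound before (renewal case), then attach the new certificate
$oldThumb = $binding.certificateHash
$binding.AddSslCertificate($cert.Thumbprint, 'my')
"Bound $($cert.Thumbprint) (valid until $($cert.NotAfter)) to https://$HostName"

# Remove the superseded certificate and its private key only if no other binding still references it
if ($oldThumb -and $oldThumb -ne $cert.Thumbprint) {
  $stillUsed = Get-WebBinding -Protocol https | Where-Object { $_.certificateHash -eq $oldThumb }
  if (-not $stillUsed) {
    Remove-Item "Cert:\LocalMachine\My\$oldThumb" -DeleteKey
    "Removed previous certificate $oldThumb"
  }
}
```

Run it once for the initial installation and again at each renewal; on the second run the binding already exists, so only the certificate attached to it changes and the old one is cleaned up.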

HTTP → HTTPS redirect

Install the URL Rewrite module for IIS, then add a redirect rule in web.config at the site root:

<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

The same rule can be created with the WebAdministration cmdlets (Add-WebConfigurationProperty / Set-WebConfigurationProperty) once URL Rewrite is installed; the result is the same web.config entry. For a first setup the URL Rewrite UI in IIS Manager is easier to check visually.
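The cmdlet version of the rule above, as an added example rather than code from the page. It assumes the site 'Default Web Site' and refuses to run when the URL Rewrite module is absent, because a rewrite section without the module makes IIS return HTTP 500 for the whole site.

```powershell
# Added example (not from the page): the same HTTP -> HTTPS rule created with the WebAdministration cmdlets.
# Assumption: site 'Default Web Site'; the rule is written to that site's web.config, exactly like the XML above.
Import-Module WebAdministration

$SitePath   = 'MACHINE/WEBROOT/APPHOST/Default Web Site'
$RuleName   = 'HTTP to HTTPS'
$RuleFilter = "system.webServer/rewrite/rules/rule[@name='$RuleName']"

# Without the URL Rewrite module the <rewrite> section is unknown to IIS and the site answers HTTP 500
if (-not (Test-Path "$env:windir\System32\inetsrv\rewrite.dll")) {
  throw 'URL Rewrite module not installed; install it first.'
}

# Idempotent: drop an existing rule with the same name before recreating it
if (Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter) {
  Remove-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/rewrite/rules' -Name '.' `
    -AtElement @{ name = $RuleName }
}

# <rule name="HTTP to HTTPS" stopProcessing="true">
Add-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/rewrite/rules' -Name '.' `
  -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
# <match url="(.*)" />
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/match" -Name url -Value '(.*)'
# <conditions><add input="{HTTPS}" pattern="off" /></conditions>
Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/conditions" -Name '.' `
  -Value @{ input = '{HTTPS}'; pattern = 'off' }
# <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name type -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name url -Value 'https://{HTTP_HOST}/{R:1}'
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name redirectType -Value 'Permanent'

# Read the rule back
Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter | Select-Object name, stopProcessing
```

One caveat applies to both the XML and the cmdlet form: if TLS is terminated in front of IIS by a load balancer or reverse proxy, {HTTPS} is "off" on every request that reaches IIS and the rule loops. In that case condition on the X-Forwarded-Proto header ({HTTP_X_FORWARDED_PROTO} not equal to https) instead of {HTTPS}.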

Modern TLS protocols

Disable SSL 2.0/3.0 and TLS 1.0/1.1 with IIS Crypto or directly in the registry. A protocol is off when its Schannel key has Enabled=0 and DisabledByDefault=1, and on with the opposite values; the same Client and Server subkeys exist for each protocol. Example PowerShell that explicitly enables TLS 1.2 on the server side (the protocol keys do not exist by default, so create them first or Set-ItemProperty fails):

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
New-Item -Path $Key -Force | Out-Null
Set-ItemProperty -Path $Key -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path $Key -Name DisabledByDefault -Value 0 -Type DWord

Reboot to apply. Schannel reads these keys at system start; iisreset restarts the web server but does not reload the Schannel configuration, so protocol changes are not live until the machine restarts:

Restart-Computer
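The full hardening pass, as an added example that is not part of the page: it turns SSL 2.0/3.0 and TLS 1.0/1.1 off for both the client and server side, pins TLS 1.2 on, and prints the resulting registry state so the change can be reviewed before the reboot. Run it as Administrator.

```powershell
# Added example (not from the page): disable legacy Schannel protocols, enable TLS 1.2, report the state.
# Requires Administrator; a reboot is needed before Schannel picks up the change.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
  param([string]$Protocol, [bool]$Enable)
  foreach ($Role in 'Client', 'Server') {
    $Key = Join-Path (Join-Path $Base $Protocol) $Role
    # Keys do not exist by default; Set-ItemProperty alone fails on a missing key
    New-Item -Path $Key -Force | Out-Null
    # Enabled=0 + DisabledByDefault=1 is the documented "off" combination; the inverse turns a protocol on
    Set-ItemProperty -Path $Key -Name Enabled -Value ([int]$Enable) -Type DWord
    Set-ItemProperty -Path $Key -Name DisabledByDefault -Value ([int](-not $Enable)) -Type DWord
  }
}

# Legacy protocols off. SSL 2.0/3.0 are already off on Windows Server 2016+, but pinning them costs nothing.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Protocol $p -Enable $false }
# TLS 1.2 explicitly on. TLS 1.3 (Windows Server 2022) is negotiated without any key and needs no entry here.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# Report the effective registry state for each protocol and role
Get-ChildItem $Base -Recurse | Where-Object { $_.PSChildName -in 'Client', 'Server' } | ForEach-Object {
  $v = Get-ItemProperty $_.PSPath
  [pscustomobject]@{
    Protocol          = Split-Path (Split-Path $_.PSPath -Parent) -Leaf
    Role              = $_.PSChildName
    Enabled           = $v.Enabled
    DisabledByDefault = $v.DisabledByDefault
  }
} | Format-Table -AutoSize

Write-Warning 'Schannel reads these keys at boot: reboot the server (iisreset is not enough) and re-test from outside.'
```

The Client subkeys matter too: disabling TLS 1.0/1.1 there stops outbound connections from this server (scripts, SQL links, .NET Framework applications without strong crypto enabled) from using them, so check those dependencies before rebooting.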

Test and diagnostics

Invoke-WebRequest -Uri 'https://www.votredomaine.fr' -UseBasicParsing | Select-Object StatusCode

From outside:

curl -vI https://www.votredomaine.fr
openssl s_client -connect www.votredomaine.fr:443 -servername www.votredomaine.fr </dev/null 2>/dev/null | openssl x509 -noout -dates
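When no Linux box with openssl is at hand, the same checks can be made from PowerShell. The function below is an added example, not code from the page: it opens a TLS connection with SNI the way openssl s_client -servername does, prints the served certificate with its SAN and remaining lifetime, confirms that TLS 1.0 and 1.1 are refused, and verifies that plain HTTP answers with a redirect rather than content. It assumes the example host www.votredomaine.fr; run it from a machine other than the server where possible, since a client whose own TLS 1.0/1.1 are disabled would report "refused" regardless of the server.

```powershell
# Added example (not from the page): PowerShell equivalent of the openssl s_client check above.
# Assumption: the page's example host www.votredomaine.fr; best run from a different machine than the server.
$HostName = 'www.votredomaine.fr'
$Port     = 443

function Test-TlsEndpoint {
  param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocols)
  $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
  try {
    # Accept any certificate: the point is to inspect what the server sends, not to trust it
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
      $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $false)   # $HostName goes out as SNI
      $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
      [pscustomobject]@{
        Offered    = $Protocols
        Negotiated = $ssl.SslProtocol
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SAN        = ($cert.DnsNameList.Unicode -join ', ')
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint = $cert.Thumbprint
      }
    } finally { $ssl.Dispose() }
  } catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
    # Handshake rejected: the expected outcome for TLS 1.0/1.1 after the Schannel hardening above
    [pscustomobject]@{ Offered = $Protocols; Negotiated = 'refused'; Detail = $_.Exception.Message }
  } finally { $tcp.Dispose() }
}

# 1. Modern handshake: expect Tls12 or Tls13 and a SAN list that contains $HostName
Test-TlsEndpoint -HostName $HostName -Port $Port -Protocols 'Tls12' | Format-List

# 2. Legacy handshakes: expect 'refused'
foreach ($legacy in 'Tls', 'Tls11') {
  Test-TlsEndpoint -HostName $HostName -Port $Port -Protocols $legacy | Select-Object Offered, Negotiated
}

# 3. Plain HTTP must answer with a permanent redirect to https://, not with page content
$req = [System.Net.WebRequest]::Create("http://$HostName/")
$req.AllowAutoRedirect = $false          # otherwise the client follows the redirect and hides it
$resp = $req.GetResponse()
"HTTP $([int]$resp.StatusCode) -> $($resp.Headers['Location'])"
$resp.Close()
```

An Issuer showing your own CA or a self-signed name while you expected Let's Encrypt usually means the binding still points at an old thumbprint; a SAN list that does not contain the host name is the cause of ERR_CERT_COMMON_NAME_INVALID in the troubleshooting table below.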

Renewal

| Source | Action |
|--------|--------|
| Let's Encrypt / win-acme | Check that the win-acme scheduled task exists and last ran successfully; to run it by hand, wacs.exe --renew (add --force to renew before the due date) |
| Commercial PFX | Import the new PFX before NotAfter, point the binding at the new thumbprint, then remove the old certificate from the store |
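Whichever source the certificates come from, the questions at renewal time are the same: which binding uses which certificate, how long is left, and did the renewal task run. The report below is an added example, not code from the page; it assumes win-acme's default scheduled task name prefix 'win-acme' and warns 30 days before expiry.

```powershell
# Added example (not from the page): map every https binding to its certificate with the days left,
# flag anything missing or expiring within $WarnDays, and show the state of the win-acme renewal task.
# Assumption: win-acme's scheduled task name starts with 'win-acme' (its default).
Import-Module WebAdministration
$WarnDays = 30

$report = foreach ($site in Get-Website) {
  foreach ($b in ($site.bindings.Collection | Where-Object protocol -eq 'https')) {
    # win-acme binds from the WebHosting store, manual imports usually from My; follow what the binding says
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = if ($b.certificateHash) { Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue }
    [pscustomobject]@{
      Site       = $site.name
      Binding    = $b.bindingInformation          # IP:port:hostname
      SNI        = [bool]($b.sslFlags -band 1)
      Store      = $store
      Thumbprint = $b.certificateHash
      Subject    = $cert.Subject
      NotAfter   = $cert.NotAfter
      DaysLeft   = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays }
      Problem    = if (-not $cert) { 'no certificate bound or not found in store' }
                   elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) { "expires in less than $WarnDays days" }
    }
  }
}
$report | Format-Table Site, Binding, SNI, Store, Thumbprint, DaysLeft, Problem -AutoSize
$report | Where-Object Problem | ForEach-Object { Write-Warning "$($_.Site) $($_.Binding): $($_.Problem)" }

# Let's Encrypt path: the renewal task must exist, have run recently and have exited with 0 (LastTaskResult)
Get-ScheduledTask | Where-Object TaskName -like 'win-acme*' | Get-ScheduledTaskInfo |
  Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

A binding whose thumbprint is not found in the store is the typical aftermath of deleting an old certificate before rebinding: IIS keeps the stale hash and the site stops serving TLS at the next restart.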

Troubleshooting

| Problem | Solution |
|---------|----------|
| ERR_CERT_COMMON_NAME_INVALID | The host name in the URL must appear in the certificate's Subject Alternative Name (browsers ignore the CN); compare the binding's host header with the SAN list |
| 443 unreachable | Windows Firewall and the HolyCloud firewall; confirm IIS is listening with netstat -an \| findstr :443 |
| Incomplete chain | Import the CA's intermediate certificates into Local Computer → Intermediate Certification Authorities so the server sends the full chain |
| Redirect loop | Keep a single HTTPS rule (IIS URL Rewrite or the application, not both); behind a proxy that terminates TLS, {HTTPS} is always off, so match on X-Forwarded-Proto instead |

See also: Install IIS documentation on the same VPS.

Need help?

Open a HolyCloud ticket with the domain, certificate type (Let's Encrypt / commercial), and output of Get-Website / Get-WebBinding.