Share via

Install a Server Certificate

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Web server certificates contain information about the server that allows the client to positively identify the server over a network before sharing sensitive information. This process is called authentication. If you use Secure Sockets Layer (SSL) to protect confidential information exchanged between the Web server and the client and you have exported the certificates from the source server to the target server, the server certificate needs to be installed on the Web server before you can assign the server certificate to Web sites for use with SSL


  • Credentials: Membership in the Administrators group on the local computer.

  • Tools: Certificates MMC snap-in.


As a security best practice, log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. At the command prompt, type **runas /user:**administrative_accountname mmc %systemroot%\system32\inetsrv\iis.msc.


To add the Certificates Snap-in to MMC

  1. In the Run dialog box, type mmc, and then click OK.

    The Microsoft Management Console appears.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list box, click Certificates, and then click Add.

  5. Click the Computer account option, and then click Next.

  6. Click the Local computer (the computer this console is running on) option, and then click Finish.

  7. Click Close, and then click OK.

To install a server certificate on a Web server

  1. In MMC, open the Certificates snap-in.

  2. In the console tree, click the logical store where you want to import the certificate.

    The default location of the logical store for certificates is on the Console Root in the Certificates (Local Computer)/ Personal/Certificates folder.

  3. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.


    You should only import certificates obtained from trusted sources. Importing an altered or unreliable certificate could compromise the security of any system component that uses the imported certificate.

  4. Click Next.

  5. Type the name of the file that contains the certificate to be imported, or click Browse and navigate to the file.

    Certificates can be stored in several different file formats. The most secure format is Public-Key Cryptography Standard (PKCS) #12, an encryption format that requires a password to encrypt the private key. It is recommended that you send certificates using this format for optimum security.

    If the certificate file is in a format other than PKCS #12, skip to step 8.

    If the certificate file is in the PKCS #12 format, do the following:

    • In the Password box, type the password used to encrypt the private key. You must have access to the password that was originally used to secure the file.

    • (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box, if available.

    • (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.

  6. Click Next.

  7. In the Certificate Store dialog box, do one of the following:

    • If the certificate should be automatically placed in a certificate store based on the type of certificate, select Automatically select the certificate store based on the type of certificate.

    • If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and select the certificate store to use.

  8. Click Next, and then click Finish.

The file from which you import certificates remains intact after you have completed importing the certificates. You can use Windows Explorer to delete the file if it is no longer needed.