How to Install NDCHost (RapidSSL) Certificates on IIS7

When the certificate request (CSR) is generated through our order form, or by any other method that is not run on the destination server, the steps listed below need to be followed. The reason is that IIS7 will only import a full PKCS#12 certificate store, not the PEM-format .crt/.key pair you will have once your certificate is generated.


To complete this process, you will need:

  • Access to the OpenSSL library and tools
  • Your generated certificate (certificate.crt)
  • Private key (private.key) from the signing request
  • The RapidSSL CA bundle from here (CA.crt)

There are OpenSSL libraries and tools available for Windows but for the purpose of this demonstration we will use a Linux server since the necessary tools are typically part of a default install.

The filenames used below are the ones indicated in parentheses above; change them in the command below if your files are named differently.

Conversion and Installation

Once you have all the pre-requisites, converting to PKCS#12 format is quite simple. Run the following command to convert:

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile CA.crt

You will be prompted for a password to encrypt the .pfx file; setting one is optional. If you do set one, make a note of it, as it will be needed during the import process.
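
As an added example (not part of the original article or any NDCHost tooling), the shell functions below wrap the export above with two pre-flight checks: that private.key belongs to certificate.crt, and that the certificate verifies against CA.crt. The function names, the PFX_PASS environment variable and the throwaway demo CA are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: PFX_PASS=... build_pfx private.key certificate.crt CA.crt certificate.pfx
build_pfx() {
    key=$1 crt=$2 ca=$3 out=$4
    # 1. The private key must belong to the certificate: compare public keys.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ] || {
        echo "private key does not match certificate" >&2; return 2; }
    # 2. The certificate must chain to the supplied CA bundle.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "certificate does not verify against CA bundle" >&2; return 3; }
    # 3. Same export as in the article; the password is read from the
    #    environment (assumed variable PFX_PASS) instead of the command line.
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
        -certfile "$ca" -passout env:PFX_PASS || return 4
    chmod 600 "$out"   # the .pfx contains the private key
}

# Print the number of certificates stored in a .pfx (leaf plus CA chain).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Constructed throwaway CA and leaf certificate so the example runs offline.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/CA.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/private.key" -out "$d/req.csr" 2>/dev/null
    openssl x509 -req -in "$d/req.csr" -CA "$d/CA.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/certificate.crt" 2>/dev/null
}
```

With the article's filenames, pfx_cert_count certificate.pfx should report 2 for a leaf certificate plus a single-certificate CA bundle; a lower count means the chain was not included in the export.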

Once created, take the certificate.pfx file and upload it to the IIS7 server. Open the IIS Management Console, select the root server on the tree list, and under the IIS section click Server Certificates.

On the next screen under the Actions pane, select Import… and browse for your certificate.pfx file, and enter the password if necessary.

Once imported, select the website container for the SSL host you just installed (or create it if you have not yet). In the window that appears, select Bindings… under Edit Site on the right-hand pane.

In the pop-up, click Add, select “https” under Type, leave the default for IP Address and Port, and finally select the SSL host certificate you imported previously under SSL Certificate.

You should now be able to browse to your site and verify that your SSL certificate is working properly!