IIS Windows SSL Configuration
Secure your IIS server with SSL/TLS.
IIS (Internet Information Services) is Microsoft's web server for Windows Server. SSL configuration is done through IIS Manager and, for automation, through PowerShell.
This guide covers certificate installation and HTTPS configuration on IIS, whether for commercial certificates or Let's Encrypt.
We'll also see how to configure protocols and ciphers for optimal security.
IIS SSL Concepts
Key SSL elements on IIS:
- Binding: association of a certificate to a site on port 443.
- Certificate Store: the Windows store where certificates are kept.
- MMC: Microsoft Management Console to manage certificates.
- Schannel: Windows SSL/TLS provider configured via registry.
Windows Integration
SSL benefits on IIS:
- AD Integration: certificates deployed via Group Policy.
- Intuitive GUI: visual management via IIS Manager.
- PowerShell: automation possible for deployments.
- Microsoft support: documentation and enterprise support.
Certificate Installation
Steps to configure SSL on IIS:
- Get certificate: generate a CSR in IIS Manager and have it signed, or obtain a ready-made PFX (certificate plus private key).
- Import into store: use MMC or IIS Manager.
- Create binding: associate the certificate with the website's HTTPS binding.
- Configure Schannel: disable old protocols.
PowerShell Configuration
Automation with PowerShell:
Import-Module WebAdministration
# Import a PFX certificate into the local machine's Personal (My) store
# ("password" is a placeholder; for unattended runs read it from a secret store, not the script)
$password = ConvertTo-SecureString -String "password" -Force -AsPlainText
Import-PfxCertificate -FilePath "C:\cert.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $password
# Create HTTPS binding
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443 -HostHeader "example.com"
# Associate certificate to binding: pick the newest matching certificate with a private key,
# so that after a renewal $cert is a single certificate and not an array
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*example.com*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$binding = Get-WebBinding -Name "Default Web Site" -Protocol "https"
$binding.AddSslCertificate($cert.Thumbprint, "My")
# Disable TLS 1.0 and 1.1 (reboot required). Set both Enabled=0 and DisabledByDefault=1
# as DWORD values under the Server key, which is what Microsoft documents for Schannel.
foreach ($proto in "TLS 1.0", "TLS 1.1") {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name "Enabled" -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -PropertyType DWord -Force | Out-Null
}
Use IIS Crypto by Nartac to configure Schannel graphically.
IIS Best Practices
Tips for IIS SSL:
- Use IIS Crypto: free tool to easily configure protocols and ciphers.
- Disable TLS 1.0/1.1: via Schannel registry or IIS Crypto.
- Enable HTTP/2: available in Windows Server 2016+; IIS only negotiates it over HTTPS.
- HTTP redirect: use the URL Rewrite module to redirect every HTTP request to HTTPS.
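The redirect rule mentioned in the last tip, as an added example that is not part of the original page or of the URL Rewrite documentation. It assumes the URL Rewrite module is installed, that the site already has both an HTTP (port 80) and an HTTPS binding, and that the physical path in `$SitePath` and the host name in the verification request are placeholders to replace.

```powershell
# Added example: HTTP to HTTPS redirect for one IIS site using the URL Rewrite module.
# Assumption: URL Rewrite is installed and the site has bindings on ports 80 and 443.
$SitePath = 'C:\inetpub\wwwroot'   # placeholder, replace with the site's physical path

# The rule matches every request whose HTTPS server variable is "off" and answers with a
# permanent (301) redirect to the same host and path over https. {HTTP_HOST} keeps the
# client's host header, so one rule serves every host name bound to the site.
$rule = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

$configPath = Join-Path $SitePath 'web.config'
if (Test-Path $configPath) {
    # Never overwrite an existing web.config blindly: other settings would be lost.
    Write-Warning "$configPath already exists; merge the <rewrite> section below into it manually:"
    $rule
} else {
    Set-Content -Path $configPath -Value $rule -Encoding UTF8
    "Wrote redirect rule to $configPath"
}

# Verification from a client: a plain HTTP request must answer 301 with an https Location.
# HttpWebRequest with AllowAutoRedirect=$false returns the 3xx response instead of following it,
# which behaves the same in Windows PowerShell 5.1 and PowerShell 7.
$req = [System.Net.HttpWebRequest]::Create('http://example.com/')   # placeholder host name
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
'{0} -> {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
$resp.Close()
```

The verification step matters because a redirect that points at `http://` again, or at the wrong host, loops or breaks clients; the first response to a plain HTTP request should be a 301 whose Location starts with `https://`.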
IIS SSL Checklist
- Certificate imported into store
- HTTPS binding created
- Certificate associated with binding
- TLS 1.0/1.1 disabled
- Modern ciphers configured
- HTTP to HTTPS redirect
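The checklist above can be audited on the server rather than ticked by hand. The script below is an added example, not part of the original page: it checks each item and reports OK or FAIL. It assumes the WebAdministration module (IIS 7.5 and later) and the `Get-TlsCipherSuite` cmdlet (Windows Server 2016 and later), an elevated session, and placeholder values for the site name and host name.

```powershell
# Added example: audit the IIS SSL checklist on one host. Site and host names are placeholders.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # placeholder, replace with your site
$HostName = 'example.com'        # placeholder, replace with your host header
$results  = [ordered]@{}

# 1. Certificate present in the LocalMachine\My (Personal) store, with its private key
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$HostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$results['Certificate imported into store'] = [bool]$cert

# 2. HTTPS binding exists for the site
$binding = Get-WebBinding -Name $SiteName -Protocol https
$results['HTTPS binding created'] = [bool]$binding

# 3. The port 443 SSL binding points at that certificate
#    (IIS:\SslBindings shows the same data as "netsh http show sslcert")
$sslBinding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 }
$results['Certificate associated with binding'] =
    [bool]($cert -and $sslBinding -and ($sslBinding.Thumbprint -contains $cert.Thumbprint))

# 4. TLS 1.0 and 1.1 disabled server-side in Schannel: both registry values must be set,
#    an absent key means the OS default applies, which on older releases is "enabled"
function Test-ProtocolDisabled([string]$Protocol) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server"
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
}
$results['TLS 1.0/1.1 disabled'] = (Test-ProtocolDisabled 'TLS 1.0') -and (Test-ProtocolDisabled 'TLS 1.1')

# 5. No legacy cipher suites left in the enabled list (RC4, DES/3DES, NULL, export grade)
$weak = Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4|3DES|DES_CBC|NULL|EXPORT' }
$results['Modern ciphers configured'] = ($weak.Count -eq 0)
if ($weak) { Write-Warning ("Weak suites still enabled: " + ($weak.Name -join ', ')) }

# 6. Remaining certificate lifetime; the 30-day threshold is a monitoring choice, not a rule
if ($cert) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $results["Certificate valid for $daysLeft more days"] = ($daysLeft -gt 30)
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}
```

The HTTP to HTTPS redirect is the one item not covered here, because it must be tested from a client against port 80 rather than read from the server's configuration. Run the audit again after the reboot that Schannel changes require, since the registry check reports the configured state, not the state the running system is actually using.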
Frequently Asked Questions
How to generate a CSR on IIS?
IIS Manager > Server Certificates > Create Certificate Request.
I have a PEM file, not PFX?
Convert with openssl: openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem (add -certfile chain.pem to bundle the intermediate certificates, otherwise clients may fail to build the chain).
Certificate doesn't appear?
Verify it's in the "Personal" (My) store of the local machine.
How to use Let's Encrypt on IIS?
Use win-acme (wacs) for automation on Windows.
Schannel or group policy?
Schannel via registry or IIS Crypto for single server, GPO for mass deployment.
Do I need to reboot after Schannel changes?
Yes, Schannel modifications require a reboot to take effect.
Secure IIS
IIS offers a robust platform for secure web hosting with good Windows integration.
Monitor your certificate expiration with MoniTao to avoid service interruptions.