Importing Certificates for IIS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: certbot certonly --standalone

It produced this output: cert.pem chain.pem fullchain.pem privkey.pem

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I can get as far as getting the pem files created, but when I import, the private key isn't attached.

I tried running:
openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile bundle.pem

I tried this with and without an export password

This creates the combined file but when I try to import this into certificates it asks for the private key password. From what I understand this shouldn't have a password so I'm stuck.

I should probably add that this should be for a wildcard cert so during the creation I am putting * for the domain.

Hi @xbgt85 and welcome to the LE community forum

Where did you get bundle.pem from?
And what made you choose certbot for Windows?

This was from a site on combining the files using openssl.

Try just:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_combined.pfx

That creates the files but I still have this invalid password for the private key.


openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_combined.pfx -password "Y0urP4ssw0rd"

That gives an error but I can run:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_combined.pfx -password pass:YourPassword

This completes but still it won't take the private key password when I import.

That is not the correct syntax.
From the --help:

Just don't provide the password and when it prompts, press enter (for a blank password). You can then open and import the PFX etc without being prompted.

For general IIS use the most popular client choices are win-acme and Certify The Web (the app I develop) because these have direct support for updating IIS bindings etc. You can also use Posh-ACME (PowerShell) and a few other tools. This list has other tools but it can be hard to find the good ones if you don't know them already: ACME Client Implementations - Let's Encrypt

If I try any of them I get:
Invalid password argument, missing ':' within the first 5 chars
Error getting passwords

I have tried to leave it blank but I run into the same issue where the private key has an import password.

I tried win-acme during troubleshooting and I ran into the same issue as with certbot, where the auto deploy didn't work properly, with the error timeout during connect.
I did the manual validation just to try to get a cert created by putting DNS records in and was able to make the certs, but I still have the issue where it wants a private key password.

I went ahead and opened some ports up and the auto generation applied properly now. So consider this resolved, but it's not generating a wildcard like I had wanted.
Port 80 was blocked on the firewall on this IP for the auto generation to work.
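
Added example, not part of any post in this thread: a shell wrapper around the `openssl pkcs12 -export` step discussed above that checks the key belongs to the certificate, passes the password with a valid source prefix, and reopens the PFX to confirm the private key is inside before it is imported. `make_pfx` and `PFX_PASS` are hypothetical names, and the 3DES/SHA-1 options assume the importing host is an older Windows release such as Server 2016 and that the PFX may be written by OpenSSL 3.x.

```shell
#!/usr/bin/env bash
# Added example. make_pfx and PFX_PASS are hypothetical names; paths are yours.

# SubjectPublicKeyInfo (PEM) of a certificate and of a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# make_pfx CERT KEY OUT PASSWORD [CHAIN]
# Returns 0 only if OUT reopens with PASSWORD and holds the key for CERT.
make_pfx() {
  mp_cert=$1 mp_key=$2 mp_out=$3 mp_pw=$4 mp_chain=${5:-}

  # 1. Refuse to bundle a key that does not belong to the certificate.
  mp_want=$(cert_pub "$mp_cert")
  if [ -z "$mp_want" ] || [ "$mp_want" != "$(key_pub "$mp_key")" ]; then
    echo "make_pfx: key does not match certificate" >&2
    return 2
  fi

  # 2. Export. Password arguments need a source prefix (pass:, env:, file:);
  #    env: keeps the secret out of the process list.
  #    Assumption: the importer is an older Windows such as Server 2016, so
  #    use 3DES/SHA-1 instead of the AES-256/PBKDF2 default of OpenSSL 3.x.
  set -- -export -in "$mp_cert" -inkey "$mp_key" -out "$mp_out" \
         -passout env:PFX_PASS \
         -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
  if [ -n "$mp_chain" ]; then set -- "$@" -certfile "$mp_chain"; fi
  PFX_PASS=$mp_pw openssl pkcs12 "$@" || return 3

  # 3. Reopen the PFX with the same password and confirm the key inside it
  #    is the certificate's key, before handing the file to Windows.
  mp_got=$(PFX_PASS=$mp_pw openssl pkcs12 -in "$mp_out" -passin env:PFX_PASS \
             -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  if [ "$mp_got" != "$mp_want" ]; then
    echo "make_pfx: PFX does not contain the expected private key" >&2
    return 4
  fi
}

# Usage: make_pfx cert.pem privkey.pem cert_combined.pfx 'import-password' chain.pem
```

A non-zero return tells you which stage failed: 2 for a key/certificate mismatch, 3 for the export itself, 4 when the written PFX does not yield the expected key.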

