Importing Certificates for IIS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: certbot certonly --standalone

It produced this output: cert.pem chain.pem fullchain.pem privkey.pem

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I can get as far as getting the pem files created but when I import the private key isn't attached.

I tried running:
openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile bundle.pem

I tried this with and without an export password

This creates the combined file but when I try to import this into certificates it asks for the private key password. From what I understand this shouldn't have a password so I'm stuck.

I should probably add that this should be for a wildcard cert so during the creation I am putting * for the domain.

Hi @xbgt85 and welcome to the LE community forum :slight_smile:

Where did you get bundle.pem from?
And what made you chose certbot for Windows?

This was from a site on combining the files using openssl.

Try just:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_combined.pfx

That creates the files but I still have this invalid password for the private key.


openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_combined.pfx -password "Y0urP4ssw0rd"

That gives an error but I can run:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_combined.pfx -password pass:YourPassword

This completes but still it won't take the private key password when I import.

That is not the correct syntax.
From the --help:

Just don't provide the password and when it prompts, press enter (for a blank password). You can then open and import the PFX etc without being prompted.

For general IIS use the most popular client choices are win-acme and Certify The Web (the app I develop) because these have direct support for updating IIS bindings etc. You can also use Posh-ACME (powershell) and a few other tools. This list has other tools but it can be hard to find the good ones if you don't know them already: ACME Client Implementations - Let's Encrypt

If I try any of them I get:
Invalid password argument, missing ':' within the first 5 chars
Error getting passwords

I have tried to leave it blank but I run into the same issue where the private key has an import password.

I tried win-acme during troubleshooting and I run into the same issue as with cert bot where the auto deploy didn't work properly with the error timeout during connect.
I did the manual validation just to try to get a cert created by putting DNS records in and was able to make the certs but I still have the issue where it wants a private key password.

I went ahead and open some ports up and the auto generation applied properly now. So consider this resolved but it's not generating a wildcard like I had wanted.
Port 80 was blocked on the firewall on this IP for the auto generation to work.