Installing IIS without unnecessary components
Via Server Manager: Add roles and features → Role-based → your server → Web Server (IIS).
Select the minimum for static and basic websites:
- Web Server → Common HTTP Features: Static Content, Default Document, HTTP Errors;
- Health and Diagnostics: HTTP Logging;
- Security: Request Filtering;
- Performance: Static Content Compression.
If you need ASP.NET, add Application Development (.NET Extensibility, ASP.NET, ISAPI).
PowerShell equivalent:
Install-WindowsFeature Web-Server, Web-Common-Http, Web-Default-Doc, Web-Http-Errors, `
Web-Http-Logging, Web-Filtering, Web-Stat-Compression -IncludeManagementTools
# If necessary:
# Install-WindowsFeature Web-Asp-Net45, Web-Net-Ext45, Web-ISAPI-Ext, Web-ISAPI-Filter
Check http://localhost — the IIS start page should appear.
Generate a CSR (certificate request) directly in IIS
Open IIS Manager (InetMgr.exe) → select your server → Server Certificates.
In Actions, click Create Certificate Request… and fill in the Distinguished Name fields:
- Common Name: FQDN of the site (for example, example.ru or *.example.ru for wildcard);
- Organization/OU/City/State/Country: according to the requirements of the certification authority (CA).
Select a cryptographic provider and key length (Microsoft RSA SChannel and 2048+ bits are recommended).
Save the CSR to a file; it starts with -----BEGIN NEW CERTIFICATE REQUEST-----.
Send the CSR to your CA (commercial or corporate). If you are using AD CS, download the issued certificate from the CA web portal.
Alternative for testing: self-signed certificate via PowerShell New-SelfSignedCertificate. Suitable for test environments, but not for production sites.
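The same CSR can be produced without the GUI using certreq.exe. This is an added example, not part of the original article; example.ru and the C:\certs paths are placeholders, and the non-exportable key is a hardening choice assumed here, not something the article prescribes.

```powershell
# Added example: scripted CSR generation (run in an elevated PowerShell session).
$hostName = 'example.ru'          # placeholder FQDN
$workDir  = 'C:\certs'            # placeholder working directory
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq policy file: RSA 2048 key in the machine store, SChannel provider,
# Server Authentication EKU, and a SAN entry matching the Common Name.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$hostName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
"@
Set-Content -Path "$workDir\$hostName.inf" -Value $inf -Encoding ASCII

# Create the key pair and the PKCS#10 request, then review it before sending to the CA.
certreq.exe -new "$workDir\$hostName.inf" "$workDir\$hostName.csr"
certutil.exe -dump "$workDir\$hostName.csr"

# Once the CA returns the certificate, pair it with the pending private key:
# certreq.exe -accept -machine "$workDir\$hostName.cer"
```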
Importing a certificate into IIS (CER/PFX) and format nuances
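Return to Server Certificates and click Complete Certificate Request…, then specify the issued CER. Do this on the same server that generated the CSR, because the matching private key is stored there.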
If you have CRT + KEY, first convert to PFX (a combined container with a private key). The easiest way is to use openssl:
openssl pkcs12 -export -out target.pfx -inkey source.key -in source.crt
Or temporarily convert CRT → CER (Base-64 X.509) directly in Windows via “Export”.
If you are importing PFX, it is best to do so via the Certificates (Local Computer) → Personal snap-in. Microsoft provides detailed instructions on importing and assigning a site certificate in its official documentation.
After Complete Certificate Request, the new certificate will appear in the list.
Bind HTTPS to the site (Bindings)
Go to Sites, select the site → Edit Bindings…
Add a binding:
- Type: https
- IP address: All unassigned (or specific)
- Port: 443
- Host name: Your site’s FQDN
- SSL certificate: Select the imported certificate
For multiple HTTPS sites on a single IP, enable SNI (Require Server Name Indication).
Restart the website (or the entire IIS).
Check in your browser: the lock and valid certificate for the domain.
It is useful to enable HTTP → HTTPS redirection (URL Rewrite) right away — there is a separate analysis in winitpro.
Open ports and test from the outside
Don’t forget to open 80/443 in the internal Windows firewall and the external firewall/ACL at the Windows VPS provider:
New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "HTTPS (443)" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
Verification from the client machine:
Test-NetConnection example.ru -Port 80
Test-NetConnection example.ru -Port 443
TcpTestSucceeded: True — binding and availability confirmed.
Common errors and quick fixes
- Certificate not displayed in the Bindings drop-down list — imported to Current User instead of Local Computer → Personal, or without a private key. Import PFX to Local Computer.
- NET::ERR_CERT_COMMON_NAME_INVALID — CN/SAN does not match the domain in Host name; reissue to the correct FQDN.
- Only HTTP opens — no HTTPS binding or 443 is closed on the external firewall.
- Error when importing CRT — convert to CER or PFX (see above).
- Multiple sites on one IP — enable SNI in the binding and use different Host names.
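The first two errors above can be checked from PowerShell before touching the bindings. This is an added example, not code from the original article; the function name Test-IisCertificate and its output fields are hypothetical.

```powershell
# Added example: find certificates that cover a host name and report why one
# may be missing from the Bindings list (wrong store, no private key, expired).
function Test-IisCertificate {
    param([Parameter(Mandatory)][string]$HostName)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
        foreach ($cert in Get-ChildItem -Path $store) {
            # DnsNameList holds the SAN DNS names (or the CN when there is no SAN)
            $matched = $false
            foreach ($name in $cert.DnsNameList.Unicode) {
                $pattern = '^' + [regex]::Escape($name) + '$'
                if ($name.StartsWith('*.')) {
                    # A wildcard covers exactly one left-most label
                    $pattern = '^[^.]+' + [regex]::Escape($name.Substring(1)) + '$'
                }
                if ($HostName -match $pattern) { $matched = $true }
            }
            if (-not $matched) { continue }

            # No EKU extension means the certificate is not restricted by purpose
            $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
            $serverAuth = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)
            $inDate = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
            $machineStore = $store -like '*LocalMachine*'

            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                InDate        = $inDate
                ServerAuth    = $serverAuth
                BindableInIis = $machineStore -and $cert.HasPrivateKey -and $inDate -and $serverAuth
            }
        }
    }
}

Test-IisCertificate -HostName 'example.ru' | Format-Table -AutoSize
```

Empty output means no installed certificate has a CN/SAN covering the host name, which is the NET::ERR_CERT_COMMON_NAME_INVALID case; a row with Store under CurrentUser or HasPrivateKey False explains a certificate missing from the Bindings list.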
Cheat sheet: IIS + website + HTTPS in a couple of minutes
# 1) Installing IIS with basic modules
Install-WindowsFeature Web-Server, Web-Common-Http, Web-Default-Doc, Web-Http-Errors, `
Web-Http-Logging, Web-Filtering, Web-Stat-Compression -IncludeManagementTools
# 2) Site catalog
New-Item -ItemType Directory -Path "D:\sites\example.ru\wwwroot" -Force | Out-Null
# 3) Website on HTTP
Import-Module WebAdministration
New-Website -Name "example.ru" -Port 80 -PhysicalPath "D:\sites\example.ru\wwwroot" -IPAddress "*" -HostHeader "example.ru"
# 4) Import certificate (example for PFX; specify your path; the password is prompted for rather than stored in the script)
# $pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
# $cert = Import-PfxCertificate -FilePath "C:\certs\example.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
# $thumb = $cert.Thumbprint
# 5) HTTPS binding with SNI (via netsh http; hostnameport entries require certstorename)
# New-WebBinding -Name "example.ru" -Protocol https -Port 443 -HostHeader "example.ru" -SslFlags 1
# netsh http add sslcert hostnameport=example.ru:443 certhash=$thumb certstorename=MY appid="{00112233-4455-6677-8899-AABBCCDDEEFF}"
# 6) Firewall
New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "HTTPS (443)" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow