How to Create a Self-Signed Certificate for an IIS Website on Windows Server 2025

  • IIS, PowerShell, Windows, Security, Administration

Overview

This guide covers creating a self-signed certificate for an IIS website on Windows Server 2025 using both the IIS Manager GUI and PowerShell. It also covers binding the certificate to a site and optionally exporting it.

Method 1 - GUI (IIS Manager)

  1. Open IIS Manager (run inetmgr)
  2. In the Connections pane, click your server name
  3. Double-click Server Certificates
  4. In the Actions pane, click Create Self-Signed Certificate
  5. Enter a friendly name (example: MySelfSignedCert)
  6. Choose the Personal store and click OK
  7. Bind the certificate to your site:
    • Expand Sites and select your site
    • Click Bindings
    • Add or edit an HTTPS binding
    • Select the certificate from the dropdown and click OK

Method 2 - PowerShell

Run all commands in an elevated PowerShell session.

Create the certificate:

$hostname = "example.local"
$cert = New-SelfSignedCertificate `
    -DnsName $hostname `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -FriendlyName "MySelfSignedCert" `
    -KeyLength 2048 `
    -HashAlgorithm sha256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

Create a certificate with multiple DNS names (optional):

$cert = New-SelfSignedCertificate `
    -DnsName "example.local","www.example.local","api.example.local" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -FriendlyName "MySelfSignedCert SAN" `
    -KeyLength 2048 `
    -HashAlgorithm sha256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

Bind the certificate to an IIS site with SNI:

Import-Module WebAdministration
$siteName  = "MyNewSite"
$hostname  = "example.local"
$httpsPort = 443

# Ensure an https binding exists for the hostname
if (-not (Get-WebBinding -Name $siteName -Protocol "https" -ErrorAction SilentlyContinue | Where-Object { $_.bindingInformation -match ":$httpsPort:$hostname" })) {
    New-WebBinding -Name $siteName -Protocol "https" -Port $httpsPort -HostHeader $hostname | Out-Null
}

# Attach the certificate to the binding
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "MySelfSignedCert" } | Select-Object -First 1
# SslBindings path format is <IPAddress>!<Port>!<Hostname>; 0.0.0.0 with a hostname gives an SNI binding
$bindingPath = "IIS:\SslBindings\0.0.0.0!$httpsPort!$hostname"
if (-not (Test-Path $bindingPath)) {
    New-Item $bindingPath -Thumbprint $cert.Thumbprint -SSLFlags 1 | Out-Null
} else {
    Set-Item -Path $bindingPath -Thumbprint $cert.Thumbprint -SSLFlags 1
}

Export the certificate to PFX for client trust (optional):

# Do not use $pwd here: it is PowerShell's automatic current-directory variable.
# Replace the placeholder with a strong password (or prompt with Read-Host -AsSecureString).
# The PFX contains the private key, so store and transfer it accordingly.
$pfxPassword = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq "MySelfSignedCert" } | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath "C:\Temp\MySelfSignedCert.pfx" -Password $pfxPassword
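
As an added check that is not part of the original article, the following PowerShell verifies that the certificate and SNI binding created above line up (hostname in the SAN, not about to expire, binding thumbprint matches) and then exports only the public certificate, which is what client trust stores need; the friendly name, hostname, port and output path are assumed to match the values used earlier.

```powershell
# Added verification helper (not from the original article). Assumes the
# certificate and binding created above: friendly name "MySelfSignedCert",
# hostname example.local, port 443. Run elevated.
Import-Module WebAdministration

$friendlyName = "MySelfSignedCert"
$hostname     = "example.local"
$httpsPort    = 443
$cerPath      = "C:\Temp\MySelfSignedCert.cer"   # public key only, safe to distribute

# 1. Locate the certificate and check it covers the hostname and is in date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }

$san = $cert.DnsNameList | ForEach-Object { $_.Unicode }
if ($san -notcontains $hostname) {
    Write-Warning "SAN ($($san -join ', ')) does not include $hostname; browsers will reject it"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter); renew before then"
}

# 2. Confirm the SNI binding points at this exact thumbprint
$binding = Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Port -eq $httpsPort -and $_.Host -eq $hostname }
if (-not $binding) {
    Write-Warning "No SSL binding for ${hostname}:$httpsPort"
} elseif ($binding.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Binding uses thumbprint $($binding.Thumbprint), expected $($cert.Thumbprint)"
} else {
    Write-Host "Binding OK: ${hostname}:$httpsPort -> $($cert.Thumbprint)"
}

# 3. Export only the public certificate for client trust stores.
#    Unlike the PFX above, this file carries no private key.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Public certificate written to $cerPath"

# 4. On a client (or via Group Policy), import the .cer into Trusted Root Certification Authorities:
#    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root
```

Distribute the .cer rather than the .pfx to clients; the private key only needs to exist on the IIS server.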

Notes

  • Self-signed certificates are suitable for labs and internal testing only - browsers will display a warning because they are not issued by a trusted CA
  • For production environments, use a certificate from a trusted CA, for example one obtained through ACME automation from Let's Encrypt
  • To remove browser warnings on internal machines, distribute the certificate to Trusted Root Certification Authorities on client devices
  • In Active Directory environments, use Group Policy to deploy certificate trust across all machines
  • Always run PowerShell as Administrator when executing these scripts
