Installing an SSL Certificate from the Windows Command Line
Silvia Rogers
Everything the Windows graphical tools do with SSL Certificates can be done from an elevated command prompt, which suits Server Core installations, automation scripts, and administrators who simply prefer the keyboard. Two built-in tools share the work, with certreq handling requests and completions while certutil manages the stores.
Creating the Request
The certreq tool reads its settings from a small INF file. Create one describing the Certificate Signing Request (CSR), with the Subject carrying your hostname as the Common Name (CN).
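; request.inf
[NewRequest]
Subject = "CN=yourdomain.com"
KeyLength = 2048
KeyAlgorithm = RSA
; Create the key in the machine store rather than the user profile
MachineKeySet = TRUE
; TRUE allows the Private Key to be exported later (for example to a PFX);
; set FALSE if the key should stay on this server
Exportable = TRUE
RequestType = PKCS10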
Generate the request from an elevated prompt. The Private Key is created in the machine store at this moment and never leaves the server.
certreq -new request.inf yourdomain.csr
Submit the resulting file when placing your order and complete validation as normal.
Completing the Request
Download the issued SSL Certificate and the ca-bundle of Intermediate Certificates from the Certificate Authority (CA) once issuance completes. Both are available in the tracking system.
Install the Intermediate Certificates into their store first, then accept the issued SSL Certificate, which pairs it with the waiting Private Key.
certutil -addstore CA yourdomain.ca-bundle
certreq -accept yourdomain.crt
An existing Personal Information Exchange (PFX) file from another server skips the request cycle entirely and imports in one command.
certutil -importpfx yourdomain.pfx
Confirming the Store Contents
List the machine personal store and confirm the new entry reports that it has a Private Key. The hash value shown beside the entry is the thumbprint needed for binding.
certutil -store My
Binding Without Internet Information Services
Servers running Internet Information Services (IIS) bind through IIS Manager or its scripting tools as normal. Services speaking HTTPS directly through the Windows HTTP stack, such as custom applications and several Microsoft roles, bind from the command line instead.
netsh http add sslcert ipport=0.0.0.0:443 certhash=AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
The certhash value is the thumbprint from the store listing with spaces removed, and the appid is any consistent GUID identifying the owning application.
Note: A thumbprint copied from a graphical properties dialog can carry an invisible character at the front, which makes netsh reject it as invalid. Retyping the first few characters by hand clears the problem instantly.
With the binding accepted, the service is ready to be verified.
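The store check, thumbprint clean-up and binding described above can be combined into one PowerShell script. This is an added example, not part of the original article: the function name ConvertTo-CleanThumbprint and the parameter names are hypothetical, the defaults reuse the article's sample thumbprint and GUID, and the expiry check is an extra safeguard.

```powershell
# Added example. Defaults are the article's sample values, not real ones.
param(
    # Constructed input: spaced thumbprint with a leading invisible
    # character (U+200E here, as a stand-in) like a dialog copy can carry.
    [string]$RawThumbprint = "$([char]0x200E)ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12 cd 34 ef 56 ab 12",
    [string]$IpPort = '0.0.0.0:443',
    [string]$AppId  = '{00112233-4455-6677-8899-AABBCCDDEEFF}'
)

function ConvertTo-CleanThumbprint {
    param([string]$Value)
    # Keep hex digits only; this drops spaces and invisible characters.
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

$thumb = ConvertTo-CleanThumbprint $RawThumbprint

# Look the certificate up in the machine personal store (certutil -store My).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "No certificate with thumbprint $thumb in LocalMachine\My."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb has no Private Key; complete it with certreq -accept."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $thumb expired on $($cert.NotAfter)."
}

# Bind to the HTTP stack, then show the binding that was stored.
netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$AppId"
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
}
netsh http show sslcert "ipport=$IpPort"
```

Run it from an elevated PowerShell session, passing -RawThumbprint with the value copied from the store listing.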
Verifying the Installation
Browse to the service over HTTPS and confirm the SSL Certificate details, then run an external scan to confirm the chain reaches fresh clients complete. Trustico® provides free checking tools for this confirmation.
Troubleshooting Common Installation Problems
A certreq accept failure reporting no matching request means the issued SSL Certificate belongs to a different request than the one on this server, often because the request was regenerated after submission. A reissue against the current Certificate Signing Request (CSR) resolves it.
An entry in the store without a Private Key was imported with certutil -addstore, which installs the public half only, instead of being accepted with certreq. Remove the entry and run the accept command against the original file.
Chain warnings on strict clients mean the Intermediate Certificates were never added to the CA store. Run the addstore command and reconnect.
Professional Installation Assistance
Command line installation rewards precision, and unfamiliar territory like HTTP stack bindings is where mistakes hide.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.