Create a CSR, Submit to NameCheap, and Export a PFX File from IIS 10

Fluk3

This guide details how to:

  • Create a Certificate Signing Request (CSR) using IIS 10
  • Submit the CSR to NameCheap and complete DNS validation
  • Install the issued certificate
  • Export a .pfx file for application use

🧰 Prerequisites

  • Windows Server with IIS 10
  • Domain access to manage DNS (e.g., Afrihost)
  • NameCheap account with an SSL Certificate
  • Administrative rights on the server

✅ Step 1: Create the Certificate Signing Request (CSR)

  1. Open IIS Manager
  2. Select your server node (top-level in the left pane)
  3. Double-click Server Certificates
  4. On the right, click Create Certificate Request…
  5. Complete the wizard with your information:
    • Common Name: yourdomain.com or sub.yourdomain.com
    • Organization: Your company name
    • Organizational Unit: IT or Security
    • City/Locality, State, Country
  6. Choose Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
  7. Bit length: 2048
  8. Save the .req file to a secure location (e.g., C:\Certs\yourdomain.req)

✅ Step 2: Submit CSR to NameCheap

  1. Log into your NameCheap account
  2. Go to SSL Certificates > Manage > Reissue
  3. Paste the contents of your .req file or upload it
  4. Choose DNS (CNAME) validation
  5. NameCheap will show you the CNAME record to create

✅ Step 3: Add DNS CNAME Record (Afrihost or your DNS provider)

  1. Log in to your Client Zone
  2. Navigate to Domain > DNS Editor
  3. Add the CNAME as provided by NameCheap:
    • Host: e.g., _abcdef123456.yourdomain.com
    • Points to: e.g., some.hash.sectigo.com
  4. Wait 10–30 minutes for DNS propagation

✅ Step 4: Download the Certificate Files

Once validated, NameCheap will issue the certificate. You’ll typically get:

  • yourdomain.crt (your certificate)
  • yourdomain.ca-bundle (intermediate certificate chain)
  • yourdomain.p7b (optional format for Windows)

✅ Step 5: Install the Certificate on IIS

  1. Go back to IIS Manager > Server Certificates
  2. Click Complete Certificate Request…
  3. Select the yourdomain.crt file
  4. Set a friendly name (e.g., YourDomainSSL2025)
  5. Click OK

✅ Step 6: Export Certificate to PFX Format

  1. In IIS > Server Certificates, locate your installed certificate
  2. Right-click > Export
  3. Choose a path and filename (e.g., C:\Certs\yourdomain.pfx)
  4. Enter a strong password to protect the private key
  5. Click OK

You now have a .pfx file ready for use in applications (e.g., web servers, mail servers, API gateways).

🛠️ Troubleshooting

IssueCauseSolution
“No private key found”CSR created on different serverRecreate CSR on correct server and reissue certificate
IIS does not list certificate for exportIncomplete installation or mismatched CSREnsure the CSR used to issue the cert matches the server where it’s being installed

🔐 Security Notes

  • Never share your .pfx file without encryption or secure transfer
  • Store .pfx files in access-controlled folders
  • Rotate certificates before expiry (90 days before is best practice)

********************************************************

If you liked what you read Please Share.
I’d love it if you followed me on YouTube and Facebook.

Also, feel free to subscribe to my posts by email.
Donations for the site can be made here.
Thanks for reading.

Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *