
Install SSL/TLS certificates in Windows Server using PowerShell

The following PowerShell snippet can be used to quickly install an SSL (or TLS) certificate in Windows Server. It assumes you have a PFX file and its password. The certificate is imported into Cert:\LocalMachine\My, the store to use for IIS websites.

You have to adjust a few bits of this script for every certificate you install, so use it as a base or starting point for your own scripting. After importing the certificate, it also changes the .FriendlyName visible in MMC and IIS Manager, so you always know exactly which certificate you need to select. Neat, right? >:-)

#
# Install SSL certificate in Windows with PowerShell
# 
$certificatename = "CHANGEME.pfx"
$mypwd = Get-Credential -UserName "${certificatename} SSL cert" -Message 'Enter password below'

$params = @{
  FilePath = "\\TSCLIENT\C\Users\Jan\SSL\${certificatename}"
  CertStoreLocation = 'Cert:\LocalMachine\My'
  Password = $mypwd.Password
}
$cert = Import-PfxCertificate @params

# The following doesn't always work:
# $cert.FriendlyName = "${certificatename} 2024"

# Then use this instead
[string]$thumbprint = $cert.Thumbprint
(Get-ChildItem -Path Cert:\LocalMachine\My\${thumbprint}).FriendlyName = "${certificatename} 2024"

A couple of things happen here. First, I define a variable for my certificate name, and secondly I use Get-Credential to store the certificate password in a variable. This way, the SSL/TLS certificate password is not stored in your PowerShell history file.

Thirdly, we define the certificate parameters. As you can see from the FilePath value, I use a remote desktop \\TSCLIENT share to point to my local computer. Doing so allows me to keep certificates stored in one location on my computer (because you know, clients always send them by email) and use the RDP share to transfer the certificate to the server. Finally, we define the certificate store location (as displayed: Cert:\LocalMachine\My) and the password.

All this is fed to Import-PfxCertificate. The object it returns is saved in $cert, which allows us to change its .FriendlyName property.

You can find more information about Import-PfxCertificate on Microsoft Learn.

Psst, did you know you can use certutil -v -dump certificatename.pfx to look up and verify an SSL certificate’s Common Name (Subject) and Subject Alternative Name (SAN)? Or use Get-PfxCertificate certificatename.pfx | Select-Object Subject,DnsNameList in PowerShell.
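The Subject/SAN check from the tip above can be made a gate in front of the import, so a wrong, expired or key-less PFX never lands in the store. This is an added example, not the author's script; the function names Install-CheckedPfx and Test-DnsNameMatch, the sample path and the host name are assumptions.

```powershell
# Added example; function names, path and host name are placeholders.
function Test-DnsNameMatch([string]$Name, [string]$San) {
    # A wildcard SAN (*.example.com) covers exactly one extra label.
    if ($San.StartsWith('*.')) {
        $dot = $Name.IndexOf('.')
        return ($dot -gt 0) -and ($Name.Substring($dot) -eq $San.Substring(1))
    }
    return $Name -eq $San   # -eq compares strings case-insensitively
}

function Install-CheckedPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedDnsName,
        [Parameter(Mandatory)][string]$FriendlyName,
        [string]$Store = 'Cert:\LocalMachine\My'
    )
    # .NET resolves relative paths against the process directory, so make it absolute.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Open the PFX as an object first and inspect it before touching the store.
    $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $Password)
    try {
        if (-not $pfx.HasPrivateKey) { throw "No private key in $full" }
        if ($pfx.NotAfter -le (Get-Date)) { throw "Certificate expired on $($pfx.NotAfter)" }
        $sans = @($pfx.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not ($sans | Where-Object { Test-DnsNameMatch $ExpectedDnsName $_ })) {
            throw "$ExpectedDnsName is not covered by: $($sans -join ', ')"
        }
    }
    finally { $pfx.Dispose() }

    $cert = Import-PfxCertificate -FilePath $full -CertStoreLocation $Store -Password $Password
    # Same approach as the script above: set FriendlyName through the store path.
    $item = Get-ChildItem -Path "$Store\$($cert.Thumbprint)"
    $item.FriendlyName = $FriendlyName
    $item | Select-Object Thumbprint, FriendlyName, NotAfter, DnsNameList
}

# Usage (constructed values):
# $pw = (Get-Credential -UserName 'www.example.com SSL cert' -Message 'Enter password below').Password
# Install-CheckedPfx -Path 'C:\Temp\www.example.com.pfx' -Password $pw `
#     -ExpectedDnsName 'www.example.com' -FriendlyName 'www.example.com 2024'
```

Run it from an elevated session, since writing to Cert:\LocalMachine\My requires administrator rights.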
