Install SSL/TLS certificates in Windows Server using PowerShell

The following PowerShell snippet can be used to quickly install an SSL (or TLS) certificate in Windows Server. It assumes you have a PFX file and its password. The default location is Cert:\LocalMachine\My, to use for IIS websites.
Published on Thursday, 10 August 2023

The following PowerShell snippet can be used to quickly install an SSL (or TLS) certificate in Windows Server. It assumes you have a PFX file and its password. The default location is Cert:\LocalMachine\My, to use for IIS websites.


In this script you have to adjust a few bits for every certificate you install, so use it as a base or starting point for your own scripting. After importing the certificate, it also changes the .FriendlyName visible in MMC and IIS Manager, doing so you always know exactly which certificate you need to select. Neat, right? >:-)

#
# Install SSL certificate in Windows with PowerShell
#
$certificatename = "CHANGEME.pfx"
$mypwd = Get-Credential -UserName "${certificatename} SSL cert" -Message 'Enter password below'
$params = @{
  FilePath = \\TSCLIENT\C\Users\Jan\SSL\${certificatename}
  CertStoreLocation = 'Cert:\LocalMachine\My'
  Password = $mypwd.Password
  }
  
$cert = Import-PfxCertificate @params
[string]$thumbprint = $cert.Thumbprint
(Get-ChildItem -Path Cert:\LocalMachine\My\${thumbprint}).FriendlyName = "${certificatename} 2024"

A couple of things happen here. First, I define a variable for my certificate name and secondly I use Get-Credential to store the certificate password into a variable. This way, the SSL/TLS certificate password is not stored in your PowerShell history file.

Thirdly, we define the certificate parameters. And as you can see by the FilePath value, I use a remote desktop \\TSCLIENT share to point to my local computer. Doing so allows me to have certificates stored at one location on my computer (because you know, clients always sent them by email), and use the RDP share to transfer the certificate to the server. At last we define the Certificate Store location (as displayed: Cert:\LocalMachine\My) and the password.

All this is fed to Import-PfxCertificate, which in its turn saves the object into $cert and this allows us to change its .FriendlyName property.

You can find more information about Import-PfxCertificate on Microsoft Learn and the code shown above is also available as a Gist: https://gist.github.com/Digiover/a2db4125efb069d62a8fedcd23212103.

Psst, did you know you can use certutil -v -dump certificate_name.pfx to look up and verify an SSL certificate's Common Name (Subject) and Subject Alternative Name (SAN)? Or in PowerShell, you can use:

Get-PfxCertificate certificate_name.pfx | Select-Object Subject,DnsNameList