Skip to main content
Bind the installed certificate to the target site so IIS serves HTTPS with the HSM-backed key.
1
Select Start > Windows Administrative Tools > Internet Information Services (IIS) Manager.
2
In the Connections pane, expand the server node, expand Sites, and select the target site. In the Actions pane, select Bindings….
3
Select [ Add… ] (or select an existing https binding and [ Edit… ]) and configure:
  • Type: https
  • Port: 443
  • Host name: the site FQDN (matching a SAN entry in the certificate)
  • SSL certificate: select the certificate issued in the previous section
4
Select [ OK ], then [ Close ].
5
Restart IIS so the binding takes effect:
PowerShell

Bind from the command line (alternative)

You can also create the HTTPS binding from the command line with netsh instead of IIS Manager. This is useful for scripted or repeatable deployments.
1
Add the site binding in IIS, then map the certificate to the port with netsh. Use the certificate’s thumbprint (the certhash) and the site’s application ID (the appid, a GUID):
PowerShell
  • <CertificateThumbprint> is the certificate’s SHA-1 thumbprint with no spaces. Get it with Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint.
  • <SiteAppIdGuid> is any GUID that identifies the binding owner. For IIS, use the site’s application pool or a generated GUID ([guid]::NewGuid()); record it so you can remove the binding later.
  • certstorename=MY points netsh at the machine Personal store where you imported the certificate.
2
Confirm the binding:
PowerShell
The output lists your certificate hash and application ID for 0.0.0.0:443. Requests to the site over HTTPS are now served with the CryptoHub-backed key.
The netsh and IIS Manager paths are alternatives; use one or the other for a given binding. IIS Manager is the simpler choice for a single site, and netsh suits scripted deployments.