> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Install the certificate on the IIS server

> Import the CryptoHub-issued certificate and its CA chain on the IIS server, and bind the certificate to its CryptoHub-resident key.

The private key stays on the CryptoHub. After exporting the certificate from the CryptoHub (see [Create and export the key and certificate on the CryptoHub](/Integrations/CryptoHub/TLS_offloading/Microsoft_IIS/Create_the_key_and_certificate)), you install only the **public** certificate and its issuing CA chain on the IIS server, then bind the certificate to the CryptoHub key through the FXCL CNG provider.

## Install the certificates on the IIS server

<Steps>
  <Step>
    Import the **CA** certificate into the machine **Trusted Root Certification Authorities** store
    (and any intermediates into **Intermediate Certification Authorities**) so the chain is trusted:

    ```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
    Import-Certificate -FilePath C:\stage\ca.cer -CertStoreLocation Cert:\LocalMachine\Root
    ```
  </Step>

  <Step>
    Import the **leaf** (server) certificate into the machine **Personal** store:

    ```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
    Import-Certificate -FilePath C:\stage\iis_cert.cer -CertStoreLocation Cert:\LocalMachine\My
    ```

    <Check>
      The certificate appears in `certlm.msc` > **Personal** > **Certificates**. At this point it
      does **not** yet show an associated private key. The next step creates that association.
    </Check>
  </Step>

  <Step>
    Bind the installed certificate to its CryptoHub-resident key through the FXCL CNG provider. Use
    the certificate's serial number (visible in `certlm.msc` or through `Get-ChildItem
            Cert:\LocalMachine\My`):

    ```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
    certutil -f -csp "Futurex FXCL KMES CNG" -repairstore My "<CertificateSerialNumber>"
    ```

    <Check>
      The output should include `Signature test passed`, confirming the installed certificate is
      bound to the HSM-resident key through the Futurex provider, and `certlm.msc` now shows the
      certificate with an associated private key.
    </Check>
  </Step>

  <Step>
    Confirm the certificate resolves to the Futurex provider (not the Microsoft Software KSP):

    ```powershell expandable lines wrap title="PowerShell" theme={null} theme={null}
    $c = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq "<CertificateSerialNumber>" }
    $c.HasPrivateKey
    [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c).Key.Provider
    ```

    <Check>
      `HasPrivateKey` is `True` and the provider reports `Futurex FXCL KMES CNG`.
    </Check>
  </Step>
</Steps>
