Yes, it is possible to install an SSL certificate in Windows Server 2019 without the use of Internet Information Services (IIS). While IIS is the most common method for generating a Certificate Signing Request (CSR) and binding SSL certificates, many system administrators need SSL for other applications such as Microsoft Exchange, SQL Server, Remote Desktop Services (RDS), or third-party web servers like Apache, Nginx, or Tomcat. Once this occurs, you will be able to install and manage the SSL certificates using the Microsoft Management Console (MMC) or using PowerShell without the involvement of IIS.
In this blog, we will walk through everything you need to know about installing SSL certificates on Windows Server 2019 without IIS. You will also know the reasons why you need to use SSL, how to create and import your certificate, and how to do it step by step.
Why Install SSL Without IIS?
Most tutorials online explain SSL installation through IIS because it’s integrated into Windows Server. However, not all servers run IIS. For example:
- Remote Desktop Protocol (RDP): To allow the usage of RDS with SSL.
- Microsoft Exchange Server: To encrypt the mails.
- SQL Server: For encrypted database connections.
- Third-party web servers (Apache, Nginx, Node.js, etc.): Running on a Windows server but not under IIS.
Under these circumstances, IIS is not required, and administrators have to install and maintain SSL certificates by hand.
Before You Begin, Prerequisites
- SSL Certificate Files – Issued by a Certificate Authority (CA). Typically in .cer, .crt, or .pfx formats.
- Private Key (where necessary) – In the event that you created the CSR outside IIS, you will require the private key.
- Windows Server 2019 – Up to date and available.
- Admin Access – You need administrative rights to install certificates.
Ways to Install the SSL Without IIS
SSL certificates can be installed on Windows Server 2019 without IIS in two ways:
- With MMC (Microsoft Management Console).
- Using PowerShell
We will discuss each of these approaches one by one.
Method 1: Install SSL Certificate via MMC
The easiest way to install non-IIS-based SSL certificates is via the Microsoft Management Console (MMC).
Step-1: Open MMC
- Click on the Press Windows + R, mmc & press Enter.
- In MMC, click File → Add/Remove Snap-in.
Step-2: Click the Certificates Snap-in
- Select Certificates from the list and click Add.
- Select Computer Account, and select Local Computer.
- Click Finish, then OK.
Step-3: Import the SSL Certificate
- Under MMC, expand Certificates (Local Computer) Personal Certificates.
- Right-click Certificates, and then choose All Tasks, Import.
- The Certificate Import Wizard opens.
Step-4: Fill out the Import Wizard
- Select a file that contains an SSL certificate (.pfx or .cer).
- In the case of a .pfx file, write the password of the private key.
- Ensure that you have checked “Mark this key as exportable”.
- Place the certificate in the Personal store.
- Click Finish.
Step-5: Check the Certificate Installation
- The certificate of the SSL must now be found under Personal Certificates.
- You need to click twice to confirm its validity and make sure that the certificate chain is trusted.
By this time, the SSL certificate is in place and is set to be bound to any service like Exchange, RDS, or SQL Server.
Method 2: Install SSL Certificate via PowerShell
To the extent that this is not the property that the administrators seek and that automation is the sought feature, PowerShell could also be a simplistic way of importing and maintaining the certificates.
Step 1: Open PowerShell as Administrator
- Right-click Start → select Windows PowerShell (Admin).
Step 2: Import the SSL Certificate
Once you have a .pfx file, then the following command is used:
powershell Copy code $password = ConvertTo-SecureString -String "yourPFXpassword" -Force -AsPlainText Import-PfxCertificate -FilePath "C:\path\to\certificate.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $password
- Replace “yourPFXpassword” with your actual PFX password.
- Replace “C:\path\to\certificate.pfx” with your certificate path.
Step 3: Confirm Installation
To view the installed certificates, do the following:
powershell Copy code Get-ChildItem Cert:\LocalMachine\My
This lists all certificates in the Personal store.
Step 4: Bind the Certificate to a Service (Optional)
To bind the Remote Desktop to SSL, type:
powershell Copy code
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -match "yourdomain.com" }
Set-RDCertificate -Role RDS-Connection-Broker -Thumbprint $cert.Thumbprint
This uses the SSL certificate to protect Remote Desktop.
Application Binding of SSL Certificates
Once an SSL certificate has been installed, you have to bind it to the application or service. The most typical bindings are:
- Exchange Server – Use Exchange Admin Center (EAC) or PowerShell to configure the certificate on SMTP, IMAP, POP, and IIS services.
- SQL Server – Configure encryption under SQL Server Configuration Manager → SQL Server Network Configuration → Protocols → Certificates.
- Remote Desktop Services (RDS) – Remote Desktop Services Deployments Certificates Assigning SSL – Use Server Manager Remote Desktop Services Deployments Certificates.
- Third-party servers (Apache, Nginx, Tomcat, etc.) – Enable the use of SSL within the server configuration files of the respective servers by indicating the installed certificate.
Problem Solving General Problems
- Certificate Not Trusted – make sure to install intermediate certificates provided by your CA.
- Private Key Missing – You must import the .pfx file with the private key. .cer or .crt files will not work unless they are associated with the private key.
- Wrong Store Location – Always import into Local Computer → Personal store, not Current User.
- Binding Failure – Double-check the thumbprint and application-specific SSL settings.
Best Practices for SSL on Windows Server 2019
- Powerful keys (2048-bit or more) should always be used.
- Use SHA-256 certificates in preference to older algorithms.
- Have your SSL certificates renewed and updated.
- Backup your .pfx files securely in case of server migration.
- Periodically test configuration, using e.g., tools such as the SSL Labs.
Final Thoughts
Windows Server 2019 allows you to install an SSL certificate without IIS, and in some cases, it is necessary, depending on the application, beyond a traditional web hosting scenario. It is easy to import and manage the RDS, Exchange, SQL server, or third-party server SSL certificates using MMC or PowerShell.
It will provide you with a safe, encrypted tunnel that safeguards the sensitive information and gains the trust of your users with the appropriate certificate attached and bound.