News 
Install ssl certificate on windows server a step by step guide — this guide walks you through securing your Windows Server with a trusted SSL certificate, from prep to testing, with practical steps, tips, and real-world notes.
Quick fact: SSL certificates encrypt traffic between your server and clients, helping protect data and build trust.
This guide is a practical, step-by-step walkthrough to install SSL certificates on Windows Server. You’ll see a mix of checklists, hands-on steps, and bite-sized explanations so you can follow along even if you’re not a heavy IT pro. We’ll cover common scenarios like IIS-managed sites, wildcard certificates, and EV certificates, plus troubleshooting tips that actually help.
What you’ll learn
- How to choose the right SSL type DV, OV, EV, wildcard for your needs
- How to generate a CSR Certificate Signing Request in IIS
- How to obtain and install a certificate from a CA Certificate Authority
- How to bind the certificate to your website in IIS
- How to test and troubleshoot certificate installation
- Best practices for renewals, revocation, and security hardening
Useful resources unlinked text
SSL basics – ssl.com
IIS certificate management – Microsoft Learn
Let’s Encrypt setup on Windows – letsencrypt.org
CSR generation guide – DigiCert
Certificate renewal reminders – your CA’s portal
- Understand SSL types and choose the right one
- Domain Validation DV: quickest, lowest cost, confirms domain control.
- Organization Validation OV: adds organization vetting, a bit more trust.
- Extended Validation EV: strongest trust signals in browsers, longer process.
- Wildcard certificates: cover all subdomains for a single domain e.g., *.example.com.
- Multi-domain certificates: cover several domains with one cert.
Tip: For most internal Windows Server scenarios, DV or OV is enough. If you run a public-facing site and want maximum trust indicators, consider EV or a wildcard if you have many subdomains.
- Prepare your environment
- Ensure your Windows Server is updated with the latest security patches.
- Confirm you have IIS Internet Information Services installed and running.
- Decide where to store your certificate files prefer a secure, access-controlled path, often C:\Certs or a PKI store.
- Have your CSR and private key ready if you already generated a CSR elsewhere.
- Generate a CSR in IIS Certificate Signing Request
- Open IIS Manager.
- In the left panel, select the server name.
- Open Server Certificates.
- Click Create Certificate Request.
- Fill in the Distinguished Name Properties Common name should be your domain, Organization, Organizational unit, City/Locality, State/Province, Country.
- Choose Cryptographic Service Provider and Bit Length the default 2048 bits is common; 4096 bits is stronger but may have compatibility considerations.
- Save the CSR to a file CSR.txt and keep the private key secure.
- Submit the CSR to your chosen Certificate Authority CA via their portal to obtain the certificate and chain/intermediates.
- Obtain and download the certificate from the CA
- After your CA validates your request, you’ll receive the certificate file often in .crt or .cer format and a bundle with intermediate certificates chain.
- Save the certificate files to a secure location on the server.
- If your CA provides a PFX/PKCS#12 bundle containing private key, you can import it directly; otherwise you’ll import the public cert and the CA chain separately.
- Install the certificate on Windows Server
Option A – Using IIS Manager simple for standard certs
- Open IIS Manager.
- In the left pane, click your server name.
- Open Server Certificates.
- Click Complete Certificate Request.
- Browse to the certificate file you received from the CA e.g., mydomain.crt.
- Provide a friendly name for the certificate e.g., “www.mydomain.com 2026-CA1″.
- Finish the wizard.
Option B – Import a PFX file if you have the private key included
- In IIS Manager > Server Certificates, click Import.
- Browse to the .pfx file, enter the password, and choose the certificate store Personal.
- Complete the import.
- Bind the certificate to your website
- In IIS Manager, expand Sites and select the site you want to secure e.g., Default Web Site.
- In the right-hand Actions panel, click Bindings.
- If there is no HTTPS binding, click Add. If there is, select it and click Edit.
- Type Type: https, IP address: All Unassigned or specific, Port: 443.
- From the SSL certificate dropdown, choose your newly installed certificate the friendly name you gave it may help you identify it.
- Click OK and close.
- Verify the installation
- Open a browser and navigate to https://yourdomain.com.
- Look for the lock icon in the address bar and click it to view certificate details.
- Confirm the certificate is issued to your domain and check the issuer and valid dates.
- Use online SSL checkers for a second opinion e.g., SSL Labs’ test, or run locally:
- PowerShell: Test-Path https://yourdomain.com
- OpenSSL: openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
Tip: If there’s a mixed content issue HTTP elements on an HTTPS page, fix those assets to load securely.
- Real-world tips for common scenarios
- Wildcard certificates: If you have many subdomains api.example.com, mail.example.com, a wildcard can save you time, but ensure you keep the private key secure and audit subdomains regularly.
- Internal sites: For internal Windows Server sites, you can still use DV certificates from public CA or internal enterprise CA. Your browser’s trust chain matters for internal clients.
- SNI vs IP-based bindings: If you host multiple SSL-enabled sites on the same IP, ensure the bindings use SNI Server Name Indication. IIS 8+ supports SNI; enable it when you bind.
- Security best practices after installation
- Keep your private keys secure; never share them publicly or accidentally store in web-accessible folders.
- Enforce modern TLS protocols and ciphers on IIS disable TLS 1.0/1.1 if possible; enable TLS 1.2 and TLS 1.3 where supported.
- Enable HTTP Strict Transport Security HSTS if you control both the domain and subdomains and clients can access them securely.
- Schedule certificate renewals with your CA before expiration to avoid outages most CAs offer alerts 1–2 months before expiry.
- Regularly review certificate inventories and revoke compromised certificates promptly.
- Troubleshooting common issues
- Certificate does not chain to a trusted root: Ensure you installed the full certificate chain, including intermediate certificates.
- Private key mismatch: If you see a mismatch error, you may have used a different CSR than the one the certificate was issued for; reissue with the correct CSR.
- Site loads but certificate shows as invalid: Check the domain name on the certificate; a common issue is a certificate for www.example.com but you’re visiting example.com.
- Binding errors in IIS: Ensure the certificate is present in the Personal store and that the binding specifies the correct certificate.
- Renewal workflow and automation optional
- Set up automated reminders a month before expiry.
- For large environments, consider using an enterprise CA or automation tools PowerShell scripts, ACME clients if you’re using Let’s Encrypt via Windows.
- Test renewals in a staging environment before applying to production.
- After renewal, repeat the bind and test steps to ensure seamless continuity.
- Quick-check checklist at-a-glance
- CSR generated and saved securely
- Certificate issued by a trusted CA
- Full certificate chain installed
- IIS binding configured for HTTPS
- Browser shows a valid certificate with green padlock
- TLS configurations updated to current best practices
- Renewal plan in place
- Multi-site and load-balanced setups advanced
- Centralized certificate store: For large environments, consider using a centralized certificate management strategy and a load balancer that terminates SSL.
- Shared bindings: If you use a load balancer, you may terminate SSL at the balancer and use HTTP from the balancer to IIS, but this reduces end-to-end encryption unless you use SSL between the balancer and IIS or re-encrypt at the IIS level.
- Cost and time expectations
- DV certificates can be issued within minutes for many CAs.
- OV and EV certificates take longer due to organization validation processes.
- Wildcard certificates may be slightly pricier than single-domain certs but save time if you have many subdomains.
- Common mistakes to avoid
- Skipping intermediate certificates in the chain.
- Using an expired certificate on a live site.
- Not updating TLS settings on the server after installation.
- Ignoring CAA records that restrict which CAs can issue for your domain.
Frequently asked questions
How do I know which SSL certificate type is right for me?
If you just need to secure a single domain, a DV certificate is usually fine. If you have multiple subdomains, a wildcard or multi-domain cert can save time. For bigger brands that want maximum trust in browsers, EV certificates are worth considering.
Can I install an SSL certificate on Windows Server without IIS?
Yes, but you’ll need to import the certificate into the Windows certificate store and configure the service to use it. IIS makes the process simpler for web apps, but other services like RDP or SQL can also use certificates.
What’s the difference between a CSR and a private key?
The CSR is a request you send to the CA containing your public key and identifying information. The private key is created at the same time as the CSR and must be kept safe; it is used to encrypt traffic and prove ownership of the certificate.
How often should I renew my SSL certificate?
Most certificates are valid for 1–2 years. It’s best to set reminders 30–60 days before expiration to avoid outages.
What is the difference between a certificate and a chain file?
The certificate is your site’s public key. The chain file contains intermediate certificates that link your certificate to a trusted root. Some providers send you both; others require you to assemble the chain yourself.
Do I need to restart the server after installing a certificate?
Usually, changes take effect without a full restart, but you may need to recycle the IIS worker process or restart the IIS service for the new certificate to bind properly.
How can I test my SSL installation?
Use browser checks by visiting your site and inspecting the certificate. Also run external tests like SSL Labs’ SSL Test to get a grade and chain verification.
Can Let’s Encrypt be used on Windows Server?
Yes, Let’s Encrypt can be used on Windows Server with the appropriate ACME client like win-acme. It’s a free DV certificate with automated renewal, suitable for many small to mid-size sites.
What should I do if my certificate shows as not trusted?
Ensure the certificate chain is complete, the certificate matches your domain, and that your server clock is accurate. If you’re using a self-signed or internal CA, browsers won’t trust it by default.
If you want more tailored steps for your exact server version Windows Server 2012/2016/2019/2022 or a walk-through for a specific CA, tell me your setup and I’ll tailor the guide with screenshots and commands.
Yes, you can install SSL certificate on Windows Server following this step-by-step guide. This article walks you through every phase—from generating a CSR to binding the certificate in IIS, plus troubleshooting, renewal, and best practices. You’ll see real-world tips, quick commands, and easy formats so you can reference the exact steps you need without getting overwhelmed. By the end, your site will load over https with a valid certificate, a proper chain, and a clean TLS configuration.
Useful at-a-glance summary
– Generate a CSR or import a PFX if you already have the private key
– Obtain an SSL certificate from a trusted CA DV/OV/EV
– Install the certificate in the Windows Certificate Store
– Bind the certificate to your IIS site on port 443
– Verify the certificate and security settings TLS, ciphers, chain
– Set up renewal reminders and automation where possible
Useful URLs and Resources:
– Microsoft IIS Documentation – learn.microsoft.com
– DigiCert SSL Certificate Services – digicert.com
– Let’s Encrypt – letsencrypt.org
– SSL Labs – ssllabs.com
– W3Techs HTTPS Adoption – w3techs.com
What is an SSL certificate and why it’s needed
An SSL certificate lets your website establish an encrypted connection with visitors’ browsers. When you enable HTTPS, all data between the browser and your server is encrypted, protecting login credentials, personal information, and any sensitive interactions. A valid certificate also signals trust to users and improves SEO signals, since search engines favor secure sites.
Key ideas you’ll use here:
– SSL/TLS certificates come in three main types: DV Domain Validation, OV Organization Validation, and EV Extended Validation. For most internal and public sites, DV is sufficient, but OV/EV give extra identity verification.
– A certificate relies on a public/private key pair. The private key stays on your server. the public key is shared with clients via the certificate.
– The certificate must be installed with its full chain including intermediate certificates so clients can verify trust up to a trusted root.
Prerequisites
Before you start, grab these items and verify they’re ready:
– Administrative access to the Windows Server running IIS.
– A domain name you control e.g., yourdomain.com and DNS pointing to the server.
– An SSL certificate file from a trusted CA DV/OV/EV or a PFX file that includes the certificate and private key.
– If you’re issuing a new CSR, access to IIS Manager for CSR generation.
– The IIS role installed and the website already configured at least one site bound to port 80.
Why this matters: skipping prerequisites leads to failed installations or broken chains.
Step 1: Generate CSR and private key if you don’t have a PFX
If you don’t already have a PFX, you’ll need to generate a CSR Certificate Signing Request and private key. In Windows Server, you can do this within IIS Manager. you’ll then submit the CSR to your chosen CA to obtain the certificate.
– Open IIS Manager.
– Click on your server in the left-hand tree.
– Open “Server Certificates.”
– Choose “Create Certificate Request” to start the CSR wizard.
– Fill out Distinguished Name data:
– Common Name: your domain e.g., www.yourdomain.com
– Organization, Organization Unit, City/L locality, State/Province, Country
– Choose a cryptographic provider typically RSA and a strong key length 2048 bits or higher. 4096 is common for extra security.
– Save the CSR to a file usually a .csr.
– Submit the CSR to your chosen CA and complete validation to obtain your certificate DV/OV/EV. You’ll typically receive a certificate file often .crt or .cer and possibly a certificate chain file intermediate certs.
If you already have a PFX a file that contains both the certificate and its private key, you can skip CSR generation and go straight to importing the PFX into Windows.
Tip: If you plan to use a multi-domain SAN certificate, request a SAN-enabled CSR or request a SAN certificate from the CA.
Step 2: Obtain the certificate and any intermediate certificates
– Submit the CSR to the CA you selected.
– Complete the domain validation DV or organization validation OV as required.
– Download the issued certificate file often named something like domainname.crt or domainname.cer and any intermediate certificate bundle intermediate CA certs.
– If you received a PFX from the CA, you’re ready to import. you can skip this step.
Important: Make sure you also have the intermediate certificates. Missing intermediates are the most common reason browsers show “Untrusted” or chain errors.
Step 3: Install the SSL certificate in Windows Server
There are two common paths: importing a PFX with the private key or completing an SSL certificate request using a .crt/.cer plus the private key generated earlier.
A. Import a PFX easy path, includes private key
– Copy the .pfx file to the server.
– Open MMC Microsoft Management Console and add the Certificates snap-in for Computer account.
– In the left pane, navigate to Personal -> Certificates.
– Right-click and choose All Tasks -> Import.
– Follow the wizard and select the .pfx file. Enter the password for the private key, and ensure you place the certificate in the Personal store.
– After import, you’ll see the certificate listed with its thumbprint. You’re ready to bind it in IIS.
B. Complete a certificate request CSR if you don’t have a PFX
– In IIS Manager → Server Certificates → Complete Certificate Request.
– Browse to the issued certificate file .crt/.cer from the CA and give the certificate a friendly name this name is for your own reference in IIS.
– The certificate will be placed into the Personal store and ready for binding.
C. Importing an intermediate certificate if needed
– In the same Certificates snap-in, you may need to import intermediate certificates into the Intermediate Certification Authorities store. The process is similar: Import → choose the intermediate file → place in Intermediate Certification Authorities.
Bold note: The goal is to ensure the full certificate chain is available to the server so clients can validate the trust path.
Step 4: Bind the certificate to your website in IIS
– In the left pane, expand Sites and select the site you want to secure e.g., Default Web Site or your site name.
– In the right pane, click Bindings.
– If you don’t have an https binding yet, click Add. If you have one, select it and click Edit.
– Set Type to https. For IP Address, you can either leave it as All Unassigned or choose a specific IP. Port should be 443 the standard HTTPS port.
– In the SSL certificate dropdown, choose the certificate you just installed the friendly name you set earlier will help identify it.
– Click OK, then Close.
Tip: If you’re hosting multiple sites on the same server, you can use host headers SNI to host multiple SSL certificates on a single IP address. Ensure your IIS version supports SNI IIS 8.0+ supports SNI. Check “Require Server Name Indication” in the binding options when you create the HTTPS binding.
Step 5: Test and verify your installation
Verification is critical to ensure a proper chain and correct hostname.
– Open a browser and navigate to https://yourdomain.com
– Look for the padlock icon in the address bar.
– Click the padlock to inspect certificate details validity period, issuer, and domain name.
– Use an online checker to validate the chain and config:
– SSL Labs’ SSL Test ssllabs.com/ssltest is the gold standard for a quick, comprehensive check.
– Run a simple command to confirm the binding:
– On the server, you can run netsh http show sslcert to list the certificate bindings.
Common issues you might see:
– “Your connection is not private” due to an incomplete chain.
– Mismatched host name between the certificate CN and the site URL.
– The site loads over HTTP automatically due to missing HTTPS binding or a redirect rule not in place yet.
If you see chain issues, install the intermediate certificates, restart IIS, and re-test.
Step 6: Optional but important: force TLS, disable old protocols, and enable HTTPS redirection
Security posture matters. After you have a working certificate, consider tightening TLS settings and redirecting all HTTP traffic to HTTPS.
– Disable older protocols like SSL 3.0 and TLS 1.0/1.1 in IIS and Windows Registry as appropriate for your environment. Prefer TLS 1.2 and TLS 1.3 where supported.
– Enable HTTP Strict Transport Security HSTS for supported clients in IIS via headers. Use this carefully. test on a staging domain first.
– Implement a redirect from http:// to https:// for all pages to ensure secure by default.
Practical note: If you’re using Let’s Encrypt with Win-ACME or similar tools for automatic renewal, many of these steps can be automated, including binding updates and redirect rules.
Step 7: Renewal and automation
Certificates expire. plan renewal ahead of time.
– DV/OV/EV certificates typically have a one-year or two-year validity depending on the CA policy. Most environments refresh annually.
– For automation on Windows:
– Use tools like Win-ACME for Let’s Encrypt to automatically obtain and renew certificates.
– Use a scheduled task to run renew commands and bound updates for IIS.
– When a renewal happens, you may need to re-import the certificate or update the PFX used by your site bindings.
– If you’re using a commercial CA with a PFX, you can automate the import and bind steps with a PowerShell script, then schedule it to run before expiration.
PowerShell tips optional
– Import a certificate from a PFX:
– $pwd = ConvertTo-SecureString -String “PFXPassword” -AsPlainText -Force
– Import-PfxCertificate -FilePath “C:\certs\yourcert.pfx” -Password $pwd -CertStoreLocation Cert:\LocalMachine\My
– Bind to an IIS site:
– You can set up HTTPs bindings via the WebAdministration module. for example:
– Import-Module WebAdministration
– New-WebBinding -Name “Default Web Site” -Protocol https -Port 443 -IPAddress “*” -HostHeader “yourdomain.com”
– Get-Item “IIS:\SslBindings\0.0.0.0!443” | Set-ItemProperty -Name sslFlags -Value 0
Note: For most admins, the GUI approach IIS Manager is simplest. PowerShell is a powerful ally for automation and repeatable deployments.
Best practices and quick tips
– Always install the full certificate chain intermediates on the server. Missing intermediates are the leading cause of trust failures.
– Verify the certificate’s common name CN matches the domain you’re serving you can also use Subject Alternative Names, SANs.
– Use strong ciphers and enable TLS 1.2 or newer. Disable outdated protocols.
– Rotate and back up certificates securely, and keep a copy of private keys in a secure, access-controlled location.
– Document which site uses which certificate, its expiration date, and where the certificate is stored.
– For multi-domain sites, consider SANs or multi-domain certificates to simplify management.
– Regularly test from outside your network via internet tools to ensure proper exposure and trust.
Table: Quick reference for common steps
| Step | Action | Key notes | Common pitfalls |
|—|—|—|—|
| 1 | Generate CSR / prepare PFX | Ensure domain matches. 2048+ bits | Using the wrong CSR for a different domain |
| 2 | Obtain certificate | Choose DV/OV/EV as needed. collect intermediate certs | Missing intermediate chain |
| 3 | Import certificate | Import into Personal store. ensure private key is present | Certificate cannot be used due to missing private key |
| 4 | Bind to site | IIS Manager → Bindings → https 443 | Wrong IP, wrong hostname, or missing binding |
| 5 | Verify | browser check. SSL Labs test | Mismatched CN or chain issues |
| 6 | Renew/Automate | Use Win-ACME or CA tools. renew before expiry | Renewal failures due to store path changes |
Common formatting and troubleshooting checklist
– If your site shows a lock with a red strike or a certificate chain error, re-check intermediate certificates and ensure the host name matches the certificate CN.
– If you moved a site to a new server, export the certificate with the private key PFX and import to the new server, then rebind.
– If you’re using multiple sites on one IP with SNI, ensure SNI is enabled on the bindings and each site uses the correct certificate.
Frequently Asked Questions
# What is a CSR, and why do I need one?
A CSR Certificate Signing Request is a block of encoded text containing your organization’s details and the domain name you want to secure. Creating a CSR generates a public key and a private key pair, and you send the CSR to a CA to obtain your SSL certificate. The CA uses the CSR to create a certificate that proves you control the domain.
# How do I generate a CSR in IIS?
In IIS Manager, go to your server, open “Server Certificates,” click “Create Certificate Request,” fill out the Distinguished Name fields, choose RSA with 2048+ bits, and save the CSR to a file. Submit that CSR to your CA to get the certificate.
# What’s the difference between DV, OV, and EV certificates?
– DV Domain Validation certs prove you control the domain, quick and affordable. ideal for blogs and small sites.
– OV Organization Validation certs verify your organization’s identity. they show more trust for visitors.
– EV Extended Validation certs require rigorous verification and display a green bar in some browsers. they offer the highest level of identity assurance.
# Do I need an intermediate certificate?
Yes. The intermediate certificates chain your server certificate to a trusted root CA. Missing intermediates cause “untrusted” warnings in browsers.
# How do I install an SSL certificate on Windows Server if I already have a PFX?
Import the PFX into the Computer Account’s Personal store via MMC, then bind the certificate to your site in IIS Manager. If the PFX is password-protected, supply the password during import.
# How can I fix a “certificate chain” error?
Install the missing intermediate certificates in the Intermediate Certification Authorities store, ensure the complete chain is presented to clients, and restart IIS or the server if needed.
# How do I verify that my certificate is properly installed?
Use your browser to inspect the certificate details and ensure the CN matches your domain. Then run an external check like SSL Labs’ SSL Test to confirm the chain and configuration.
# How often should I renew my SSL certificate?
Most certificates have a 1-year validity some providers offer 2 years. Plan renewals a few weeks before expiration to avoid service interruption, and consider automating renewal where possible.
# Can I use Let’s Encrypt certificates on Windows Server?
Yes, with tools like Win-ACME WACS. Let’s Encrypt provides free DV certificates, and the automation tooling makes renewal easy. This is a popular option for developers and small deployments.
# How do I enable TLS 1.2/1.3 and disable older protocols on Windows Server?
In your Windows Server and IIS settings, disable SSL 3.0, TLS 1.0, and TLS 1.1, and enable TLS 1.2 and TLS 1.3 where supported. Use registry settings or IIS configuration to enforce this, and test with SSL Labs after changes.
# How do I set up HSTS for my site on IIS?
HSTS is configured via a response header. Add a header like max-age=31536000. includeSubDomains. preload to your site’s HTTP response headers in IIS. Test thoroughly to ensure there are no inadvertent redirects or blocking of subdomains.
# How can I host multiple domains with one SSL certificate on Windows Server?
Use a SAN Subject Alternative Name certificate that covers all required domains, or use individual certificates for each site. For multi-domain environments, SAN certs simplify management and bindings.
# How do I migrate an existing certificate to a new server?
Export the certificate with its private key from the old server as a PFX file, transfer securely to the new server, import to the Personal store, and rebind in IIS. Verify the new server’s chain and site functionality.
# Is it possible to automate certificate renewal on Windows Server?
Absolutely. Use Let’s Encrypt with Win-ACME WACS or commercial CA APIs with PowerShell scripts. Automation typically handles renewal, re-issuance, and re-binding to IIS, minimizing downtime.
# What if my domain uses a CDN or load balancer in front of Windows Server?
Ensure the certificate covers the domain as seen by clients including the CDN’s hostname and that the TLS termination occurs at the intended point. You may bind certificates at the load balancer or at the Windows Server, depending on your architecture.
# What’s the difference between binding on port 443 and using a non-standard port?
Port 443 is the standard, widely supported HTTPS port. Non-standard ports can work but may require manual configuration in clients, and some corporate networks block non-standard HTTPS ports.
Important note on permissions and security
– Treat private keys as highly sensitive. Store them securely, restrict access, and rotate keys when needed.
– Regularly update the server with security patches, and monitor for TLS-related advisories.
– If you’re in a regulated environment, ensure your TLS configuration complies with your industry’s standards and internal policies.
If you’ve followed these steps, your Windows Server site will be serving content over HTTPS with a valid SSL certificate, a complete trust chain, and proper TLS configuration. Remember, certificate maintenance is ongoing—set reminders for renewals and consider automation where it makes sense for your setup. If you want to see a quick visual walkthrough, I’ve included the essential steps in the sections above so you can implement without hunting through long guides.
Sources:
Vpn をオフにする方法:デバイス別の完全ガイド(2025年版)Windows・Mac・iPhone・Android・ルーター対応ガイド
Softether vpnとは?無料・高機能vpnの仕組みと使い方を徹底解説!Softetherの特徴・設定方法・他VPNとの比較・セキュリティとパフォーマンスの最適化ガイド
Edge浏览器vpn: The ultimate guide to using a VPN with Edge浏览器, extensions, and best practices for Windows, Mac, and beyond How to write if condition in sql server lets decode the ifs and sqls 2026
Nordvpn no parcelamento guia completo para garantir seguranca online gastando menos