Installing a Let’s Encrypt Free SSL Certificate on IIS in Windows Server 2012 R2
An SSL certificate on a website protects user data transferred over the network against man-in-the-middle (MITM) attacks and provides data integrity. In this article we’ll describe the installation and binding of a free SSL certificate from Let’s Encrypt to an IIS site running on Windows Server 2012 R2.
A couple of words about Let’s Encrypt: it is a nonprofit certificate authority that issues free SSL/TLS certificates automatically through an API. Only domain-validated certificates are issued, and they expire after 90 days. This is not a problem thanks to the built-in automatic reissue of the certificate, which provides continuous protection.
The API used to issue the certificates automatically is called the Automated Certificate Management Environment (ACME) API. There are 3 implementations of the ACME API for Windows systems:
- LetsEncrypt-Win-Simple is a command prompt utility for interactively issuing an SSL certificate and binding it to a specific site on your IIS web server;
- Powershell ACMESharp module is a PowerShell library with a number of commands to interact with Let’s Encrypt servers using the ACME API;
- Certify is a graphical utility to manage certificates interactively using the ACME API (it does not offer a full set of features yet, but the project is developing).
Suppose we have a website in IIS running on Windows Server 2012 R2. Our task is to switch it to HTTPS mode using an SSL certificate from Let’s Encrypt.
Download the latest release of the win-acme client from the official page on GitHub https://github.com/Lone-Coder/letsencrypt-win-simple (in my case it was v1.9.10.1). Extract it to the following directory on the server where IIS is installed:
c:\inetpub\letsencrypt
Open the command prompt with administrator privileges, go to the c:\inetpub\letsencrypt directory and run letsencrypt.exe.
The interactive wizard will start and prompt you for an email address to which notifications about problems with certificate renewal will be sent. Then agree to the terms of use.
Then select that you want to create a new certificate (N: Create new certificate) and its type. In our example we don’t need the option with multiple SANs, so it is enough to select item 1. Single binding of an IIS site.
Then the utility displays the list of websites running in IIS and prompts you to select a site to issue the certificate for.
The next step is domain validation. Several validation methods are available: TLS, a DNS record or HTTP. The easiest one is 4 [http-01] Create temporary application in IIS (recommended). In this case a small application is created on the web server, and the Let’s Encrypt servers use it to perform the domain validation.
Note. During the TLS/HTTP validation your site must be available from outside by its full DNS name over HTTP (80/TCP) and HTTPS (443/TCP) protocols.
After the validation, letsencrypt.exe will automatically send a request to generate a certificate, download it (all necessary files and the private key are saved to the folder C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple) and bind it to the IIS website.
If an SSL certificate is already installed on the site, it will be replaced with the new one.
Also, a new task is created in Windows Task Scheduler that runs daily and automatically checks, issues and installs a new certificate every 60 days.
You can start the reissue manually using this command:
LetsEncrypt --renew
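As an added example (not from the article or the win-acme project), this PowerShell script, run from an elevated prompt after the wizard finishes, checks what you want confirmed before trusting the automation: that the site’s HTTPS binding points to a certificate that exists in the machine store and was issued by Let’s Encrypt, how many days remain before it expires, and that the renewal task exists and its last run succeeded. The site name and the task-name pattern are placeholders you need to adjust.

```powershell
# Added check (not part of the article or of win-acme): verify what the wizard left behind.
# Assumptions (placeholders): the IIS site name and the renewal task-name pattern below.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'   # placeholder: the site selected in the wizard
$WarnDays    = 30                   # certificates live 90 days, renewal is scheduled every 60
$TaskPattern = '*letsencrypt*'      # assumption: the scheduled task name contains this word

# 1. HTTPS binding(s) of the site and the certificate attached to each one.
$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($bindings.Count -eq 0) {
    Write-Warning "No HTTPS binding on '$SiteName': the certificate was not bound."
    return
}

foreach ($b in $bindings) {
    $thumb = ([string]$b.certificateHash).ToUpper()
    $store = "Cert:\LocalMachine\$($b.certificateStoreName)"
    $cert  = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $thumb }

    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation) refers to thumbprint $thumb, which is not in $store"
        continue
    }

    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    "{0}`n  subject : {1}`n  issuer  : {2}`n  expires : {3:yyyy-MM-dd} ({4} days left)" -f `
        $b.bindingInformation, $cert.Subject, $cert.Issuer, $cert.NotAfter, $daysLeft

    if ($cert.Issuer -notlike "*Let's Encrypt*") { Write-Warning "  certificate was not issued by Let's Encrypt" }
    if ($daysLeft -le 0) { Write-Warning "  certificate has EXPIRED: renewal is not working" }
    elseif ($daysLeft -lt $WarnDays) { Write-Warning "  fewer than $WarnDays days left: check the renewal task" }
}

# 2. The renewal task created by letsencrypt.exe must exist and its last run must have returned 0.
$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskPattern })
if ($tasks.Count -eq 0) {
    Write-Warning "No scheduled task matching '$TaskPattern': automatic renewal will not happen"
}
foreach ($t in $tasks) {
    $info   = $t | Get-ScheduledTaskInfo
    $result = '0x{0:X}' -f $info.LastTaskResult
    "Task '$($t.TaskName)': state=$($t.State), last run=$($info.LastRunTime), result=$result"
    if ($info.LastTaskResult -ne 0) { Write-Warning "  last renewal run did not succeed" }
}
```

A renewal task that exists but keeps failing (non-zero result) is the common cause of an expired Let’s Encrypt certificate, so the task result is worth alerting on, not just the expiry date.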
It’s worth noting that Let’s Encrypt certificates are currently widely used on the sites of many large companies and are trusted by all browsers. I hope that the free certificate authority Let’s Encrypt won’t share the fate of WoSign and StartCom.