Ever get tired of paying for another certificate to use on a new server? Let me introduce you to Let’s Encrypt and show you how easy it is to install and maintain free, trusted certificates on your Windows machines.
How does Let’s Encrypt work?
First, a bit of background information. Let’s Encrypt is completely free and trusted by every major CA. Like other open projects, it is donor supported. Donors include Cisco, Google, Microsoft, and Mozilla.
When a certificate is issued, it is valid for just 90 days. And I know what you are thinking – “90 days, I’ll be replacing certificates all of the time!”
With Let’s Encrypt, the entire process – from requesting to renewal – is designed to be automated! Once set up, certificate management should be just another task that occurs in the background, automatically. Automation can be achieved in a few ways. For a Windows machine, my preferred method is to use the Win Acme tool.
How to Use Win Acme with Let’s Encrypt
Originally, I used a PowerShell script to do this but found that the Win Acme tools were easier to use. The tools can be downloaded from here.
Once the .ZIP has been downloaded, extract it to a server needing a certificate. If you plan on using it on several servers, store it on a share and use Group Policy File Preferences to deploy it.
Next, ensure that the server is publicly accessible over HTTP using the full DNS name that you need a certificate for. Certificates have to be validated before being issued; validation over HTTP using the host's DNS name is one of the supported methods. In the screenshot, you can see that I have an HTTPS binding for letsencrypt.deployhappines.com on an IIS server. You would also want to make sure that the name is accessible over port 80, since that is the port the validation request arrives on. You can read about other validation methods here.
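Before running the client, it helps to confirm the three things HTTP validation depends on: the name resolves in public DNS, port 80 answers, and IIS has an HTTP binding for that host so the challenge file can be served. The following pre-flight check is an added example written for this post, not code from the original article or from the win-acme project; the host name is a placeholder, the public resolver address is an assumption you can swap for your own, and it expects the IIS WebAdministration module on the server.

```powershell
# Added example: pre-flight check for HTTP validation (not from the original post or win-acme).
# Assumes: run from an elevated PowerShell prompt on the IIS server; WebAdministration module present.
function Test-AcmeHttpReadiness {
    param([Parameter(Mandatory)][string]$HostName)

    $result = [ordered]@{ HostName = $HostName }

    # 1. Public DNS: ask an external resolver (assumed address) so an internal split-horizon
    #    record does not hide a missing public A record.
    try {
        $dns = Resolve-DnsName -Name $HostName -Type A -Server 8.8.8.8 -ErrorAction Stop
        $result.PublicAddress = ($dns | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    } catch {
        $result.PublicAddress = $null
    }

    # 2. Port 80 must be reachable by name; HTTP validation does not use any other port.
    $tcp = Test-NetConnection -ComputerName $HostName -Port 80 -WarningAction SilentlyContinue
    $result.Port80Open = [bool]$tcp.TcpTestSucceeded

    # 3. IIS needs an http binding on port 80 whose host header is the name, or a blank
    #    host header that catches all names (bindingInformation looks like "*:80:host").
    Import-Module WebAdministration -ErrorAction Stop
    $binding = Get-WebBinding -Protocol http | Where-Object {
        $_.bindingInformation -match ":80:($([regex]::Escape($HostName))|)$"
    }
    $result.IisHttpBinding = [bool]$binding

    # 4. The validation request goes to http://<name>/.well-known/acme-challenge/<token>.
    #    A 404 now is fine (no token yet); what matters is that the request reaches this server.
    try {
        $resp = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/preflight" -UseBasicParsing -ErrorAction Stop
        $result.ChallengePathStatus = [int]$resp.StatusCode
    } catch {
        $result.ChallengePathStatus = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'unreachable' }
    }

    $result.Ready = ($null -ne $result.PublicAddress) -and $result.Port80Open -and
                    $result.IisHttpBinding -and ($result.ChallengePathStatus -ne 'unreachable')
    [pscustomobject]$result
}

# Placeholder host name; replace with the name you are requesting a certificate for.
Test-AcmeHttpReadiness -HostName 'letsencrypt.example.com' | Format-List
```

If Ready comes back false, fix the failing item before starting the client; a validation that fails repeatedly counts against Let’s Encrypt rate limits, and the check runs from inside your network, so a true external test (a colleague or a hosted checker) is still worth doing once.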
On the server, launch an elevated command prompt and run letsencrypt.exe /?
For a single IIS site, you would want to press N to create a new certificate and then 1. After pressing 1, you should see a list of sites available on your server. Because the server in this screenshot already had a certificate, I was not prompted to configure any notification settings or accept the EULA.
Continue through the prompts until the certificate is installed. Win-acme should automatically load the certificate into the Web Hosting certificate store for the server and bind it in IIS. To see it immediately, you can restart your site in IIS. Additional options are available if you need to install a certificate for other server roles, such as Exchange or RDS.
Finally, you should see a new win-acme scheduled task in Task Scheduler. This task will automatically renew and replace your certificates when they are near expiration.
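Because the whole point is that renewal happens unattended, it is worth checking afterwards that the certificate actually landed in the Web Hosting store, that the IIS https binding uses it, and that the renewal task exists and last ran successfully. This verification script is an added example for this post, not code from the original article or from win-acme; it assumes the renewal task's name begins with win-acme (check Task Scheduler for the exact name on your server) and that the IIS WebAdministration module is installed.

```powershell
# Added example: post-install health check (not from the original post or win-acme).
# Assumes: LocalMachine\WebHosting store (as described above), WebAdministration module,
# and a scheduled task whose name starts with 'win-acme' (placeholder pattern).
function Get-AcmeCertificateHealth {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$WarnDays = 30   # renewal should happen well before this; flag anything closer
    )

    # 1. Newest certificate for the name in the Web Hosting store (match CN or a SAN entry).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\WebHosting |
        Where-Object { $_.Subject -like "CN=$HostName*" -or ($_.DnsNameList.Unicode -contains $HostName) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    # 2. IIS https binding on 443 for the name, and the thumbprint it is bound to.
    Import-Module WebAdministration -ErrorAction Stop
    $binding = Get-WebBinding -Protocol https | Where-Object {
        $_.bindingInformation -match ":443:$([regex]::Escape($HostName))$"
    }
    $bindingThumb = if ($binding) { $binding.certificateHash } else { $null }
    $bindingUsesCert = [bool]$cert -and [bool]$bindingThumb -and ($bindingThumb -ieq $cert.Thumbprint)

    # 3. Renewal task and its last outcome (LastTaskResult 0 means the last run succeeded).
    $task = Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue | Select-Object -First 1
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    $daysLeft = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }

    [pscustomobject]@{
        HostName         = $HostName
        Thumbprint       = if ($cert) { $cert.Thumbprint } else { $null }
        Issuer           = if ($cert) { $cert.Issuer } else { $null }
        NotAfter         = if ($cert) { $cert.NotAfter } else { $null }
        DaysRemaining    = $daysLeft
        BindingUsesCert  = $bindingUsesCert
        RenewTaskPresent = [bool]$task
        RenewTaskEnabled = if ($task) { $task.State -ne 'Disabled' } else { $false }
        LastRunResult    = if ($taskInfo) { $taskInfo.LastTaskResult } else { $null }
        NextRunTime      = if ($taskInfo) { $taskInfo.NextRunTime } else { $null }
        Healthy          = [bool]$cert -and ($daysLeft -gt $WarnDays) -and $bindingUsesCert -and
                           [bool]$task -and ($task.State -ne 'Disabled') -and ($taskInfo.LastTaskResult -eq 0)
    }
}

# Placeholder host name; replace with the name on your certificate.
Get-AcmeCertificateHealth -HostName 'letsencrypt.example.com' | Format-List
```

Running this from your monitoring system on a schedule turns a silent renewal failure (a changed firewall rule, a broken binding, a disabled task) into an alert with weeks of margin instead of an expired certificate on a Monday morning.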
So, what do you think about Let’s Encrypt? Do you currently use it? Do you want to use it?
I'm safe to use the computer.
Hi, the Win Acme tools need the .NET Framework 4.6.1 or later, and Exchange 2010 server doesn’t work with 4.6.x or later … 🙁
Have you looked at the Let’s Encrypt tool page to see if an alternative tool would work for you?
How would this work if you want to use it to secure internal devices like switches, etc.? It won’t be able to verify unless you expose the internal device to the web?
I haven’t forgotten about this yet – putting together some information for a post.
Good writeup!
If you like GUI, we’ve been pleased with CertifyTheWeb to do LE autorenews for IIS.
I will have to play around with that tool! A GUI tool can be so nice sometimes!
Hello
Nice information thanks
Please consider that TLS-SNI-01 (verification only over HTTPS) has a retirement plan; please check here https://community.letsencrypt.org/t/your-let-s-encrypt-client-used-acme-tls-sni-01-which-one/82807 and other posts.
Thanks for that information! I updated the validation section to clarify that.
My pleasure.