Let’s Encrypt – Installing Free Trusted SSL Certificates on Windows Server Automatically
Ever get tired of paying for another certificate to use on a new server? Let me introduce you to Let’s Encrypt and show you how easy it is to install and maintain free, trusted certificates on your Windows machines.
How does Let’s Encrypt work?
First, a bit of background information. Let’s Encrypt is completely free and trusted by every major CA. Like other open projects, it is donor supported. Donors include Cisco, Google, Microsoft, and Mozilla.
When a certificate is issued, it is valid for just 90 days. And I know what you are thinking – “90 days, I’ll be replacing certificates all of the time!”
With Let’s Encrypt, the entire process – from requesting to renewal – is designed to be automated! Once setup, certificate management should be just another task that occurs in the background, automatically. Automation can be achieved a few ways. For a Windows machine, my preferred method is to use the Win Acme tool.
How to Use Win Acme with Let’s Encrypt
Originally, I used a PowerShell script to do this but found that the Win Acme tools were easier to use. The tools can be downloaded from here.
Once the .ZIP has been downloaded, extract it to a server needing a certificate. If you plan on using it on several severs, store it on a share and use Group Policy File Preferences to deploy it.
Next, ensure that the server is publicly accessible through HTTP by using the full name that you need a certificate for. Certificates have to be verified before being issued; verification using a DNS name for the host is one of the supported methods. In the screenshot, you can see that I have an HTTPS binding for letsencrypt.deployhappines.com on an IIS server. You would also want to make sure that the name is accessible over port 80. You can read about other validation methods here.
On the server, launch an elevated command prompt and run letsencrypt.exe /?
For a single IIS site, you would want to press N to create a new certificate and then 1. After pressing 1, you should see a list of sites available on your server. Because the server in this screenshot already had a certificate, I was not prompted to configure any notifications settings or accept the EULA.
Continue through the prompts until the certificate is installed. Win-acme should automatically load the certificate into the Web Hosting certificate store for the server and bind it in IIS. To see it immediately, you can restart your site in IIS. Additional options are available if you need to install a certificate for other server roles, such as Exchange or RDS.
Finally, you should see a new win-acme scheduled task in Task Scheduler. This task will automatically renew and replace your certificates when they are near expiration.
So, what do you think about Let’s Encrypt? Do you currently use it? Do you want to use it?