How to install Let's Encrypt Certificate on IIS?

What is Let's Encrypt

Let's Encrypt is a non-profit certificate authority that provides free X.509 security certificates for Transport Layer Security (TLS) encryption through an automated process, enabling secure and encrypted HTTPS connections for websites. Let's Encrypt aims to create a more secure and privacy-respecting Web by making it easy for any website to enable HTTPS. Here's a comprehensive breakdown of Let's Encrypt:


How Let's Encrypt Works

  • Certificate Request: Website owners can request a certificate from Let's Encrypt using the ACME (Automated Certificate Management Environment) protocol.
  • Domain Validation: Let's Encrypt verifies domain ownership through various methods, such as the DNS-01 challenge or HTTP-01 challenge, to ensure that the requesting entity has control over the domain.
  • Certificate Issuance: Once domain ownership is validated, Let's Encrypt issues a signed certificate, enabling the website to use HTTPS.

Let's Encrypt's innovative approach has significantly impacted the internet's security landscape, promoting the widespread adoption of HTTPS and contributing to a safer and more private web browsing experience.

Certbot

Certbot is a free, open-source software tool that simplifies the process of obtaining and renewing SSL/TLS certificates from Let's Encrypt. It is designed to automate the certificate management process, making it easier for website owners to secure their websites with HTTPS.

Steps to install Certbot

  1. Download the exe installer from https://github.com/certbot/certbot/releases/download/v2.9.0/certbot-beta-installer-win_amd64_signed.exe
  2. Run the installer and follow the wizard. The installer will propose a default installation directory, C:\Program Files (x86), that can be customized.
  3. To start a shell for Certbot, select the Start menu, enter cmd (to run CMD.EXE) or powershell (to run PowerShell), and click on “Run as administrator” in the contextual menu that shows up above.
  4. Run Certbot as a shell command.


Process to generate the certificate and private key

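1. Run the command to start the process. The --standalone option makes Certbot start its own temporary web server on port 80 to answer the HTTP-01 challenge, so port 80 must be free (stop any IIS site bound to it) and reachable from the internet while the command runs.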

certbot certonly --standalone

2. Provide the email address for renewal and security notices.

3. Type in "Y" to agree to the T&C of Let's Encrypt.

4. You can opt-in or out of sharing your information for research purposes.

5. In the final step, we need to specify the domain for which the certificate has to be generated.

Now your certificate and private key are generated and saved.

To add this to the server, we need to generate a PFX (PKCS #12) format file, for which we need to install OpenSSL.

OpenSSL

OpenSSL is an open-source software library that provides cryptographic functions and Secure Socket Layer/Transport Layer Security (SSL/TLS) protocols for secure communication over computer networks such as the Internet. It offers a robust set of tools for secure data transmission, encryption, and certificate management.

Installing OpenSSL on Windows

  • Navigate to SLProweb: Visit the SLProweb OpenSSL downloads page.
  • Choose between the Win32 or Win64 versions, depending on your system's architecture.
  • Click on the link to download the OpenSSL installer.
  • Execute the downloaded file and follow the installation wizard. Make sure to select the option to add OpenSSL to your system PATH if you want easy command-line access.
  • Add OpenSSL to PATH: After installation, you need to add OpenSSL to your system's PATH variable:
    • Right-click on "This PC" or "My Computer" and select "Properties."
    • Go to "Advanced system settings" or "System Properties" > "Advanced."
    • Click on the "Environment Variables" button.
    • In the "System variables" section, find the "Path" variable and select it.
    • Click "Edit..."
    • Add the path to the OpenSSL bin directory (e.g., C:\Program Files\OpenSSL-Win64\bin) at the end of the list of paths. Separate multiple paths with semicolons.
    • Click "OK" to save the changes and close all the windows.

Generating PFX file

To generate the PFX file, go to the folder that contains the certificate and private key files, and open a command prompt in that folder.

Run the following command:

openssl pkcs12 -export -out yourdomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

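Replace yourdomain.pfx with the desired output file name and adjust the input file names accordingly. OpenSSL prompts for an export password; because the PFX file contains the private key, choose a strong one. The same password is required when importing the file into IIS.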

Import the SSL Certificate in IIS

Now, open the IIS Manager and follow these steps:

  • Select your server in the connections panel.
  • Double-click on "Server Certificates."
  • In the Actions pane, click "Import..."
  • Browse to the location of your PFX file (or the converted certificate files if you skipped the conversion step).
  • Enter the password if your PFX file is password-protected.
  • Complete the import wizard to import the SSL certificate into IIS.

Bind the SSL Certificate to Your Website

Next, bind the SSL certificate to your website:

  • In the IIS Manager, select your website.
  • In the Actions pane, click on "Bindings..."
  • Click "Add..." to add a new binding.
  • Choose HTTPS as the type.
  • Select the SSL certificate you imported earlier from the dropdown list.
  • Enter the appropriate IP address and port (typically 443 for HTTPS).
  • Click OK to save the binding.

Configure SSL Settings for Your Website

Ensure that SSL settings are configured correctly for your website:

  • Select your website in the IIS Manager.
  • Double-click on "SSL Settings."
  • Check the box for "Require SSL" if you want to enforce HTTPS.
  • Optionally, configure other SSL settings as needed.
  • Click Apply in the Actions pane to save the changes.
  • Finally, restart the IIS web server to apply the SSL configuration changes.
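
The import, binding and "Require SSL" steps above can also be scripted. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell 5.1 run as administrator with the WebAdministration module, and the site name, host name and PFX path are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the IIS Manager import, binding and "Require SSL" steps.
# Assumptions: Windows PowerShell 5.1, WebAdministration module available,
# and the placeholder values below replaced with your own.
Import-Module WebAdministration

$SiteName = 'Default Web Site'      # assumed IIS site name
$HostName = 'www.example.com'       # placeholder domain the certificate was issued for
$PfxPath  = '.\yourdomain.pfx'      # file produced by the openssl pkcs12 command

# Prompt for the export password so it never appears in the script or shell history.
$PfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

# Import into LocalMachine\My (the "Personal" store that IIS Server Certificates lists)
# and keep only the certificate that carries the private key.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
    -CertStoreLocation 'Cert:\LocalMachine\My' |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# Refuse to bind a certificate that IIS could not actually serve.
if (-not $cert) { throw 'No certificate with a private key was imported.' }
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
if ($cert.DnsNameList.Unicode -notcontains $HostName) {
    Write-Warning "$HostName is not listed in the certificate's DNS names."
}

# Create the HTTPS binding on all addresses, port 443, if the site lacks one.
if (-not (Get-WebBinding -Name $SiteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol 'https' -IPAddress '*' -Port 443
}

# Attach the certificate by thumbprint (assumes a single 443 binding on the site
# and that no certificate is attached to it yet).
$binding = Get-WebBinding -Name $SiteName -Protocol 'https' -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Equivalent of ticking "Require SSL" under SSL Settings for the site.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# The PFX holds the private key; delete it once the import has succeeded.
Remove-Item -Path $PfxPath

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Output "Bound $($cert.Thumbprint) to '$SiteName'; expires in $daysLeft days."
```

Let's Encrypt certificates expire after 90 days, so the PFX export and this import have to be repeated after each renewal.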

Conclusion

Hence, we generated and added a Let's Encrypt certificate to IIS.

