How to install Let’s Encrypt Certificates with IIS on a Windows Server

In this article, we shall discuss how to install Let’s Encrypt Certificates with IIS on a Windows Server. Secure Sockets Layer (SSL) certificates allow domains to be secured with an SSL certificate. Transport Layer Security (TLS) is a deprecated predecessor of SSL. SSL are cryptographic protocols designed to secure digital communications traveling over insecure channels. Please see What are the components needed to create a certificate signing request, and how to export a certificate in PFX format in Windows.

A public key infrastructure or PKI establishes a digital trust hierarchy in which a central authority securely verifies the identity of objects. We commonly use PKI to certify users and computers. It functions by maintaining, distributing, validating, and revoking SSL/TLS certificates built from the public key of public/private key pairs.

See the following interesting guides on how to import a certificate into the Trusted Root and Personal file certificate store, and how to request a certificate signing request in Windows using Microsoft Management Console.

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Let’s Encrypt certificates are valid for 90 days, during which renewal can take place at any time.

Encrypt Certificates with IIS on a Windows Server

In this article, I will be as showing you how to install Let’s Encrypt SSL certificates on Windows servers running IIS Web Server. There are numerous ways to get Let’s Encrypt running on Windows.

Here are the two functional ACME clients for windows: Letsencrypt Win Simple client, and ACMESharp PowerShell module. Ensure you have some binding created in IIS, else this will fail. Binding a certificate to a website in IIS means that you are activating the installed digital certificate and associating it with a particular website, port, or IP Address.

Also, ensure you have a working DNS and the server name is resolvable. You can create a free record at ClouDNS.

Please download the latest Windows ACME Simple (WACS) ZIP file from Github. I will be downloading the following below.

Extract the downloaded zip file to any location of your choice as shown below

Click on OK.

Open the folder “C:\Users\Christian\Documents\win-acme.v2.1.16.1037.x64.trimmed” .

Right click on wacs.exe and select Run as Administrator to start the Windows ACME wizard.

Ensure, you have IIS bindings configured, else it will failed at this point. Select N to create a new certificate and hit Enter.

Select 1

To choose which website will be included or scanned for hostnames and press Enter.

Below are the binding found. I will be selecting A to include all bindings.

Please follow through the prompts. The rest steps are effortless.

Next, you will have to agree to the Terms of service and the Windows ACME Simple program takes care of the rest.

In the background Windows ACME Simple will configure your IIS site to use the newly received Let’s Encrypt certificate. You can verify this by looking at the site binding details.

In addition Windows ACME also adds a task to the Windows Task Scheduler that will automatically renew the Let’s Encrypt certiifcate.

I hope you found this blog post on how to Encrypt Certificates with IIS on a Windows Server helpful. If you have any questions, please let me know in the comment session.