How to generate free TLS/SSL Certificate for Websites

For the users to use your web site, it is essential that they trust your web site. The first step in building this trust is by having a SSL enabled website. The users will look for look for lock icon infront of the website's URL in the browser. This will require you to buy a security certificate from certificate authority (CA).

Cost of security certificates vary depending on the certificate authority vendor. This cost can deter new website owners to not purchase the security certificate and then not enables their website with the security certificate.

Fortunately Let's Encrypt provides free security certificate to millions of websites. It is a CA that is mentioned in the official styudy guides of (ISC)2 as well. In this post, I will walk you through the process of obtaining a free SSL/TLS certificate for your domain from Let's Encrypt and deploy it in IIS in Windows Server.

Install Certbot Client

You will need to install Certbot ACME client application on your web server. Let's Encrypt documentation refers to this as installing the client application on the host. You can download the windows installer for Certbot ACME client from the following page.

Web Hosting Product on Windows

The page has all the instructions you will need to get started. After you have downloaded the installer, following the instructions provided by the installer. By default, the client will be installed in C:\Program Files folder.

Create TLS certificate

Launch command line on your webserver. Make sure that you launch the command line under Administrative privileges. To generate TLS certificate, Certbot will communicate with your web server over port 80. If you have IIS running on your windows server and hosting existing websites, there is no need to stop the webserver. As the documentation on the page suggests, you will use the following command.

    C:\Windows\System32> certbot certonly --webroot

After you execute above command, console will ask you to provide the information it will need to generate TLS certificate. Before you start the process, there is an important step that you will need to complete. During the process of generating TLS certificate, you will be required to provide hosting root location. What this means is that you must have created a website in IIS for the domain. I am going to use my test domain globalagrimarkets.com to illustrate the steps in this post. Create the website in IIS and copy a default file in the root folder. I have copied index.html file in the root folder. If you do not have a valid website running on port 80, generation of TLS will fail and you will need to start the process again.

The following shows you how the process failed when I tried to generate TLS certificate for the domain without first creating website in IIS.

    Please enter the domain name(s) you would like on your certificate (comma and/or
    space separated) (Enter 'c' to cancel): globalagrimarkets.com
    Requesting a certificate for globalagrimarkets.com
    Input the webroot for globalagrimarkets.com: (Enter 'c' to cancel): C:\MyWebsites\globalagrimarkets
    
    Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
      Domain: globalagrimarkets.com
      Type:   unauthorized
      Detail: xx.xx.xx.xx: Invalid response from http://globalagrimarkets.com/
                   .well-known/acme-challenge/Cy39kV6Qe-ZD5AX6S6N2zZR2EK9rWyxnI1hgjOnNxmY: 404
    
    Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.
    Ensure that the listed domains serve their 
    content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
    
    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org. 
    See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

If all the information provided is accurate and valid, a new certificate will be generated for the domain. By default the certificate files be copied in C:\Certbot\live\{domain} folder. Following information shows you successful generation of TLS certificate.

    C:\Windows\System32>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): globalagrimarkets.com
Requesting a certificate for globalagrimarkets.com
Input the webroot for globalagrimarkets.com: (Enter 'c' to cancel): C:\MyWebsites\globalagrimarkets

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\globalagrimarkets.com\fullchain.pem
Key is saved at:         C:\Certbot\live\globalagrimarkets.com\privkey.pem
This certificate expires on 2023-09-30.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Certificate Files

Goto C:\Certbot\live\{domain} folder. You will find following files in that folder.

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

There is README file in the folder. This file provides you information about all the files in the folder. Following is the content of README file from my server.

    This directory contains your keys and certificates.

`[cert name]/privkey.pem`  : the private key for your certificate.
`[cert name]/fullchain.pem`: the certificate file used in most server software.
`[cert name]/chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`[cert name]/cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

As the instructions mention, do not move these files from this file. If you notice carefully, you will see that these files are ZERO size and are marked as symbol file type. What this means is that the files in the folder are just links to actual files that are stored at some other place. If you are curious about the actual certificate files, you can locate them in C:\Certbot\archive\{domain} folder. For all practical purposes, you shall work with files in C:\Certbot\live\{domain} folder only.

Generate PFX file

There is one last step that you will need to perform to install TLS certificate file generated by Let's Encrypt in IIS. You will need to create PFX file from the certificate files in C:\Certbot\live\{domain} folder. You may be wondering why this extra step. For sake of curiosity try to import PEM file in IIS. You will get an error complaining that file does not contain private key. You will need to combine the PEM files to generate PFX file that you can import in IIS.

Run the following command in your windows server.

    openssl pkcs12 -export 
      -out c:\development\globalagrimarkets_cert.pfx 
      -inkey "C:\Certbot\live\globalagrimarkets.com\privkey.pem" 
      -in "C:\Certbot\live\globalagrimarkets.com\cert.pem" 
      -certfile "C:\Certbot\live\globalagrimarkets.com\chain.pem" 
      -password pass:password123
  • -out: This parameter is location where PFX file be generated
  • -inkey: Location of file containing private key
  • -in: The filename to read certificates and private keys from
  • -certfile: A filename to read additional certificates from
  • -password pass:pass phrase source to decrypt any input private keys with

Successful execution of above command will generate a PFX file that you will export into IIS.

Deploy SSL/TLS in IIS

Now the final step of deploying the security certificate in IIS. In IIS manager, you can choose import option and provide location of PFX file. This will complete deployment of your free TLS/SSL certificate provided by Let's Encrypt.

Renew TLS/SSL

One of the common problems I have come across with TLS certificates is that people forget to renew the certificates. Certbot ACME agents takes care of this for you. It will automatically renew the certificates before the expiration date.

This is all that you will need to generate a free TLS/SSL certificate for websites hosted in IIS. You can verify all the above by visiting https://www.globalagrimarkets.com. You will find that site is secure and contains a valid TLS/SSL certificate issued by a CA.

Search

Social

Weather

25.7 °C / 78.3 °F

weather conditions Clear

Monthly Posts

Blog Tags