How to use Let’s Encrypt certificates for Windows Servers by Bas Wijdenes

Let’s Encrypt certificates on Windows Servers.

In this tutorial I explain how you can use Let’s Encrypt on Windows Servers.
You could use this for example for the new ‘Windows Admin Center’ or in ADFS.

Let’s Encrypt is a fairly new certificate authority (not just a website) that lets you obtain publicly trusted certificates for free. Its certificates are valid for 90 days and are meant to be renewed automatically by an ACME client such as the one used in this tutorial.

From their website: “Let’s Encrypt is a free, automated, and open Certificate Authority.”

For more about Let’s Encrypt go here.


Managing multiple certificates in Windows on one Windows Server.

I always use the management server as the ‘manager’ of all certificates. That way I always know that the private key is on the management server, and I can do the same with the Let’s Encrypt certificate for every Windows role that uses a website. Keep in mind what that means: whoever controls the management server controls the private keys of all those names, so protect it at least as well as the servers the certificates end up on.

Make sure you have installed the Windows role Web Server (IIS) on the management server. I assume that you as a system administrator know how to install a Windows role. If this is not the case, I refer you to Technet.


Let’s install a “Let’s Encrypt” certificate on your Windows Server.

Add the website temporarily to IIS.

Go to start and open Internet Information Services (IIS) manager.

Double click on the Management server and open Sites.

Right click on Sites click on Add website.

See the screenshot for the other information.
Use as the website the name you want the certificate for. This is the same domain name that you probably already have running on another server; that is fine, because the site on the management server only exists so the ACME client can request the certificate. It does not go live as an application. Be aware, though, that Let’s Encrypt still has to verify that you control the name: with the default HTTP validation, win-acme answers a challenge under http://<name>/.well-known/acme-challenge/ on this IIS site, so while the certificate is being requested the name must resolve to the management server and port 80 must be reachable from the Internet.

I am using tst.bwb.cloud. I use this for Windows Admin Center in my developer tenant.
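The steps above in PowerShell, as an added example that is not part of the original post: it creates the temporary IIS site and then pre-flights the HTTP validation that Let’s Encrypt performs, by serving a constructed extensionless test file from the challenge path and fetching it over the public name. The physical path, the test file name and the use of tst.bwb.cloud are assumptions; run it elevated on the management server with IIS installed.

```powershell
# Added example, not code from the original post or from win-acme.
# Assumptions: IIS installed, elevated session, HTTP validation on port 80,
# hostname and physical path are placeholders.
Import-Module WebAdministration

$HostName = 'tst.bwb.cloud'                     # the name the certificate is for
$SitePath = "C:\inetpub\acme\$HostName"         # assumed physical path; any empty folder works

# 1. Temporary site, bound by host header only, so it does not clash with other sites on port 80.
if (-not (Test-Path $SitePath)) { New-Item -ItemType Directory -Path $SitePath | Out-Null }
if (-not (Get-Website -Name $HostName -ErrorAction SilentlyContinue)) {
    New-Website -Name $HostName -PhysicalPath $SitePath -Port 80 -HostHeader $HostName | Out-Null
}

# 2. Let's Encrypt fetches http://<name>/.well-known/acme-challenge/<token> from the Internet,
#    so the name has to resolve to this server while the certificate is requested.
$Resolved = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop).IPAddress
$Local    = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if (-not ($Resolved | Where-Object { $Local -contains $_ })) {
    Write-Warning "$HostName resolves to $($Resolved -join ', '), not to a local address. Behind NAT this is expected; make sure port 80 for that address is forwarded to this server."
}

# 3. Serve a constructed extensionless test file the way the ACME client will. IIS does not
#    serve extensionless files by default, so the challenge folder needs a MIME mapping.
$ChallengeDir = Join-Path $SitePath '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $ChallengeDir -Force | Out-Null
@'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@ | Set-Content -Path (Join-Path $ChallengeDir 'web.config') -Encoding UTF8
'preflight-ok' | Set-Content -Path (Join-Path $ChallengeDir 'preflight') -NoNewline -Encoding ASCII

try {
    $r = Invoke-WebRequest -Uri "http://$HostName/.well-known/acme-challenge/preflight" -UseBasicParsing -TimeoutSec 10
    if ($r.Content.Trim() -eq 'preflight-ok') { "HTTP validation path is reachable for $HostName" }
    else { Write-Warning "Unexpected response body: $($r.Content)" }
} catch {
    Write-Warning "Challenge path not reachable: $($_.Exception.Message). Check DNS, firewall and port 80 before running win-acme."
} finally {
    # Remove the constructed test file; the folder and web.config can stay, the client writes its own.
    Remove-Item (Join-Path $ChallengeDir 'preflight') -ErrorAction SilentlyContinue
}
```

If the fetch succeeds from the server itself but Let’s Encrypt still fails validation, the usual difference is NAT or a firewall between the Internet and port 80; test the same URL from outside the network. Leave the site in place afterwards: the renewal task uses it again.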


‘Download’ a certificate from Let’s Encrypt.

Now that the website is ‘live’ on the management server, we can continue to install the certificate.

Go to GitHub and download the .zip file that contains letsencrypt.exe, the win-acme client. (Newer win-acme releases ship the client under the name wacs.exe; use the executable that is in the release you download.)
The latest version is here:

https://github.com/PKISharp/win-acme/releases

Copy the .zip to the management server, or the server of your choice, and unpack it.

Run the letsencrypt.exe executable from the extracted folder as an administrator; it needs to write to the computer’s certificate store and to the IIS configuration.


A command prompt opens with a menu of options.
Choose ‘Create new certificate’ by typing N and pressing Enter.

Then choose ‘Single binding of an IIS site’ by typing 1.

If everything went well, you should now see the IIS website you created earlier.
Type the number of that site; for me this is number 2.

win-acme now does the rest: it completes the validation, installs the certificate in the computer’s certificate store, adds the https binding to the IIS site and creates a scheduled task that renews the certificate before the 90 days are up. Note that the renewal only updates the certificate on the management server; a copy you export to another server is not renewed automatically, so repeat the export (below) after each renewal.


Download the certificate from IIS.

Now we can go back to IIS.
Open IIS again and click on the management server.


Open the Server Certificates.

Here you can see all certificates installed on the management server, including the new one from Let’s Encrypt.
Export it together with its private key (as a .pfx file protected by a strong password) and import it on the server that really hosts the website you added to IIS earlier. The export with private key only works if the key was stored as exportable when the certificate was installed; if that option is greyed out in the export wizard, you will have to request the certificate again with an exportable key. Treat the .pfx like a password: copy it over an authenticated channel and delete it from the management server when you are done.
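The export and the installation on the target server in PowerShell, as an added example that is not part of the original post. It finds the Let’s Encrypt certificate in the computer store, refuses anything expired or without a private key, exports it to a password-protected .pfx, and on the other server imports it and attaches it to an https binding. The function names, the .pfx path, the site name ‘Default Web Site’ and the use of tst.bwb.cloud are assumptions; run both halves elevated.

```powershell
# Added example, not code from the original post or from win-acme.
# Assumptions: elevated session, WebAdministration available, paths and names are placeholders.
Import-Module WebAdministration

function Get-LeCertificate {
    param([Parameter(Mandatory)][string]$HostName)
    # Newest unexpired certificate for the name, issued by Let's Encrypt, with a private key present.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.Issuer -match "O=Let's Encrypt" -and
            ($_.DnsNameList.Unicode -contains $HostName)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Export-LeCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    try {
        Export-PfxCertificate -Cert $Certificate -FilePath $PfxPath -Password $Password -ErrorAction Stop | Out-Null
    } catch {
        # Typical cause: the private key was stored as non-exportable, so it cannot go into the .pfx.
        throw "Export failed: $($_.Exception.Message). If the key is not exportable, request the certificate again with an exportable key."
    }
    # The file holds the private key: strip inherited ACLs and leave only Administrators.
    icacls $PfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' | Out-Null
}

function Install-LeCertificate {
    # Run on the server that actually hosts the site (the IIS case; see the note below for ADFS).
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostName
    )
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    # https binding for this host name only (SslFlags 1 = SNI), then attach the certificate to it.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName
    $binding.AddSslCertificate($cert.Thumbprint, 'my')
    $cert.Thumbprint   # compare with the thumbprint on the management server after each renewal
}

# On the management server:
$cert = Get-LeCertificate -HostName 'tst.bwb.cloud'
if (-not $cert) { throw "No valid Let's Encrypt certificate for tst.bwb.cloud in Cert:\LocalMachine\My" }
"Found $($cert.Thumbprint), valid until $($cert.NotAfter)"
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-LeCertificate -Certificate $cert -PfxPath 'C:\certs\tst.bwb.cloud.pfx' -Password $pw

# Copy the .pfx to the target server over an authenticated channel, then there:
# Install-LeCertificate -PfxPath 'C:\certs\tst.bwb.cloud.pfx' -Password $pw -SiteName 'Default Web Site' -HostName 'tst.bwb.cloud'
```

The thumbprint returned by Install-LeCertificate is the value to compare against Get-LeCertificate on the management server: when they differ, win-acme has renewed and the export needs repeating. For ADFS the import step is the same, but the binding is done with Set-AdfsSslCertificate -Thumbprint rather than an IIS binding; Windows Admin Center selects its certificate by thumbprint in its own installer.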


Recap

As I mentioned at the beginning, you can use the certificate for different roles or applications such as Windows Admin Center, or ADFS, but also standard IIS websites.

Do you have questions or comments regarding this? Then let me know with a comment.


A little extra

This post contains PowerShell. Would you like to learn the basics better? I have created a new website to learn basic PowerShell in an ‘emulator’ environment.
Click here to go learn Basic PowerShell.

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work full-time as a Services Engineer. In my spare time I write about the error messages that I encounter during my work. Furthermore, I am currently occupied with Office 365, Azure infrastructure, and PowerShell for automating daily tasks.

3 thoughts on “How to use Let’s Encrypt certificates for Windows Servers by Bas Wijdenes”

  1. win-acme will create a task for renewing its certs,
    but I can’t export the LE certificate with the private key; it is prohibited in CA.

  2. Hi Bas,

    Thanks for the article. How do you handle the renewal of certificates? Let’s Encrypt requires that certificates are renewed every 90 days (unless I am mistaken).

    Thanks!

    Jacob
