For users to use your web site, it is essential that they trust it. The first step in building that trust is having an SSL-enabled website. Users look for the lock icon in front of the website's URL in the browser. This normally requires you to buy a security certificate from a certificate authority (CA).
The cost of a security certificate varies depending on the certificate authority vendor. This cost can deter new website owners from purchasing a certificate, so their website never gets one.
Fortunately, Let's Encrypt provides free security certificates to millions of websites. It is a CA that is mentioned in the official (ISC)2 study guides as well. In this post, I will walk you through the process of obtaining a free SSL/TLS certificate for your domain from Let's Encrypt and deploying it in IIS on Windows Server.
You will need to install the Certbot ACME client application on your web server. The Let's Encrypt documentation refers to this as installing the client application on the host. You can download the Windows installer for the Certbot ACME client from the following page.
Certbot instructions page: "Web Hosting Product on Windows". The page has all the instructions you will need to get started. After you have downloaded the installer, follow the instructions provided by the installer. By default, the client is installed in the C:\Program Files folder.
Launch a command prompt on your web server. Make sure that you launch it with administrative privileges. To generate the TLS certificate, Certbot will communicate with your web server over port 80. If IIS is already running on your Windows server and hosting existing websites, there is no need to stop the web server. As the documentation on the page suggests, you will use the following command.
C:\Windows\System32> certbot certonly --webroot
After you execute the above command, the console will ask you for the information it needs to generate the TLS certificate. Before you start the process, there is an important step that you will need to complete. During certificate generation, you will be asked for the hosting root location (the webroot). This means you must already have created a website in IIS for the domain. I am going to use my test domain globalagrimarkets.com to illustrate the steps in this post. Create the website in IIS and copy a default file into the root folder; I have copied an index.html file into the root folder. If you do not have a valid website answering on port 80, TLS certificate generation will fail and you will need to start the process again.
The following shows how the process failed when I tried to generate a TLS certificate for the domain without first creating the website in IIS.
Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): globalagrimarkets.com
Requesting a certificate for globalagrimarkets.com
Input the webroot for globalagrimarkets.com: (Enter 'c' to cancel): C:\MyWebsites\globalagrimarkets

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: globalagrimarkets.com
  Type:   unauthorized
  Detail: xx.xx.xx.xx: Invalid response from http://globalagrimarkets.com/.well-known/acme-challenge/Cy39kV6Qe-ZD5AX6S6N2zZR2EK9rWyxnI1hgjOnNxmY: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
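The 404 above comes from the CA being unable to fetch a file out of the webroot. The following PowerShell script is an added pre-flight check (not part of the original post) that reproduces that fetch locally before you run certbot: it drops a probe file where Certbot would put its challenge token and requests it over plain HTTP by host name. It assumes the domain and webroot are this post's test values and that DNS for the domain already points at this server.

```powershell
# Added example (not from the original post): pre-flight check, run before
# "certbot certonly --webroot", that the IIS site really serves files from the webroot
# you will give Certbot over plain HTTP on port 80. It reproduces the 404 failure above
# locally instead of spending a Let's Encrypt validation attempt on it.
# Assumptions: the domain and webroot below are this post's test values and DNS for the
# domain already points at this server.
function Test-AcmeWebroot {
    param([string]$Domain, [string]$WebRoot)

    # Certbot writes its challenge tokens here; IIS must serve them byte-for-byte.
    $challengeDir = Join-Path $WebRoot '.well-known\acme-challenge'
    New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

    # A random, extension-less file name, shaped like a real challenge token.
    $token    = [Guid]::NewGuid().ToString('N')
    $testFile = Join-Path $challengeDir $token
    Set-Content -Path $testFile -Value 'probe' -NoNewline -Encoding Ascii

    try {
        # Fetch it the way the CA would: plain HTTP, by host name, redirects followed.
        $url  = "http://$Domain/.well-known/acme-challenge/$token"
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        $ok   = ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq 'probe')
    } catch {
        $ok = $false
        Write-Warning "Request for $url failed: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $testFile -ErrorAction SilentlyContinue
    }

    if (-not $ok) {
        Write-Warning ("IIS did not return the probe. Check that the site for $Domain binds " +
            "port 80 with physical path $WebRoot, and that IIS serves extension-less files " +
            "under .well-known\acme-challenge (a web.config there with a mimeMap for " +
            "fileExtension='.' is the usual fix).")
    }
    return $ok
}

Test-AcmeWebroot -Domain 'globalagrimarkets.com' -WebRoot 'C:\MyWebsites\globalagrimarkets'
```

If the probe returns True, the webroot authenticator has what it needs; if it returns False, fix the IIS site before re-running certbot so you do not hit the failure shown above again.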
If all the information provided is accurate and valid, a new certificate will be generated for the domain. By default the certificate files are written to the C:\Certbot\live\{domain} folder. The following output shows successful generation of a TLS certificate.
C:\Windows\System32>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): globalagrimarkets.com
Requesting a certificate for globalagrimarkets.com
Input the webroot for globalagrimarkets.com: (Enter 'c' to cancel): C:\MyWebsites\globalagrimarkets

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\globalagrimarkets.com\fullchain.pem
Key is saved at:         C:\Certbot\live\globalagrimarkets.com\privkey.pem
This certificate expires on 2023-09-30.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Go to the C:\Certbot\live\{domain} folder. You will find the following files in that folder.
There is a README file in the folder. This file describes all the files in the folder. Following is the content of the README file from my server.
This directory contains your keys and certificates.

`[cert name]/privkey.pem`  : the private key for your certificate.
`[cert name]/fullchain.pem`: the certificate file used in most server software.
`[cert name]/chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`[cert name]/cert.pem`     : will break many server configurations, and should not be used without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order to function properly!

We recommend not moving these files. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
As the README says, do not move these files out of this folder. If you look carefully, you will see that these files are zero size and are marked as symbolic links. This means the entries in the live folder are just links to the actual files, which are stored somewhere else. If you are curious about the actual certificate files, you can find them in the C:\Certbot\archive\{domain} folder. For all practical purposes, you should work with the files in the C:\Certbot\live\{domain} folder only.
There is one last step before the TLS certificate generated by Let's Encrypt can be installed in IIS: you will need to create a PFX file from the certificate files in the C:\Certbot\live\{domain} folder. You may be wondering why this extra step is needed. Out of curiosity, try to import the PEM file in IIS. You will get an error complaining that the file does not contain a private key. You will need to combine the PEM files into a PFX file that you can import into IIS.
Run the following OpenSSL command on your Windows server.
openssl pkcs12 -export -out c:\development\globalagrimarkets_cert.pfx -inkey "C:\Certbot\live\globalagrimarkets.com\privkey.pem" -in "C:\Certbot\live\globalagrimarkets.com\cert.pem" -certfile "C:\Certbot\live\globalagrimarkets.com\chain.pem" -password pass:password123
Successful execution of the above command generates a PFX file that you will import into IIS.
Now the final step: deploying the security certificate in IIS. In IIS Manager, choose the Import option and provide the location of the PFX file. This completes the deployment of your free TLS/SSL certificate provided by Let's Encrypt.
One of the common problems I have come across with TLS certificates is that people forget to renew them. The Certbot ACME client takes care of this for you: as the output above shows, it sets up a scheduled task that renews the certificate before the expiration date.
This is all you need to generate a free TLS/SSL certificate for websites hosted in IIS. You can verify all of the above by visiting https://www.globalagrimarkets.com. You will find that the site is secure and has a valid TLS/SSL certificate issued by a CA.
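The PFX conversion and IIS import described above have to be repeated after every renewal, because Certbot's scheduled task only refreshes the PEM files under C:\Certbot\live; IIS keeps serving whatever PFX you last imported. The following PowerShell script is an added example (not from the original post) that automates both passages: it rebuilds the PFX with the same openssl command as above, imports it into the machine certificate store, and attaches the new thumbprint to the site's https binding. It assumes openssl.exe is on PATH, the WebAdministration module is present, the IIS site name is globalagrimarkets, and the domain and paths are this post's test values.

```powershell
# Added example (not from the original post): rebuild the PFX from Certbot's live PEM
# files, import it into the machine store and point the IIS https binding at the new
# certificate. Run it after the first "certbot certonly" and again after every renewal
# (e.g. from a Certbot deploy hook): renewal only refreshes the PEM files, and IIS keeps
# serving whatever PFX you last imported until you repeat this step.
# Assumptions: openssl.exe is on PATH, the WebAdministration module is present, and the
# domain, site name and paths are this post's test values.
Import-Module WebAdministration

$Domain   = 'globalagrimarkets.com'
$SiteName = 'globalagrimarkets'   # IIS site name (assumed)
$Live     = "C:\Certbot\live\$Domain"
$PfxPath  = Join-Path $env:TEMP "$Domain.pfx"

# Throwaway PFX password generated per run, so no fixed secret has to live in the
# script; the PFX itself is deleted once its key is in the certificate store.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pfxPassword = [Convert]::ToBase64String($bytes)

# Same conversion the post runs by hand: leaf cert + private key, chain attached.
& openssl pkcs12 -export -out $PfxPath -inkey "$Live\privkey.pem" -in "$Live\cert.pem" `
    -certfile "$Live\chain.pem" -password "pass:$pfxPassword"
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed (exit code $LASTEXITCODE)" }

try {
    $secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
    # Lands in Cert:\LocalMachine\My, the same store IIS Manager's Import uses.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure
} finally {
    Remove-Item $PfxPath -ErrorAction SilentlyContinue   # the store now holds the key
}

# Create the https binding if the site has none, then attach the new thumbprint.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Domain -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')

Write-Host "IIS site '$SiteName' now serves $($cert.Subject), valid until $($cert.NotAfter)"
```

Run it from an elevated PowerShell session; afterwards, the certificate shown in the browser at https://www.globalagrimarkets.com should carry the new expiry date.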
Free TLS/SSL Certificate For Websites