Creating Free SSL Certificates For Windows Server Using Let’s Encrypt
I usually need SSL certificates for staging and production environments. For a long time, creating self-signed digital certificates was the only option if you were not willing to spend money on one.
Well, not any more. Let’s Encrypt is a non-profit CA (certificate authority) which provides free digital certificates to enable SSL.
In this guide I’ll explain how to get an SSL certificate for my staging Windows 2016 server. The server is a virtual machine created in Azure. If you are using Azure Virtual Machines you can set up a free DNS name for that server. This means that once you set up IIS on that server you can access its websites via that domain name instead of the IP address.
There are many ways of generating SSL certificates from Let’s Encrypt. In this post I’ll use SSL For Free to obtain the certificates for my domain.
First write your domain name (the one you get from Azure Virtual Machine) and click the “Create Free SSL Certificate” button.
You have 3 options to verify that you own the domain. I chose “Manual Verification” since I have a virtual server that I can connect to and manage.
To manually verify the domain on an HTTP server you need to follow these steps:
- Upload the file to the server
- Create a web site that can serve this file as a web page.
- Verify the page in SSL For Free.
The verification process requires a specific GET request in the following format:
To provide this I created a new website (“letsencrypt”) in IIS and applied these steps:
- The requested URL includes “.well-known”, but in Windows you cannot start a folder name with a “.”. To solve this problem, create a “Virtual Folder” named “.well-known” pointing to the folder “well-known”.
- Browse to the “letsencrypt/well-known” folder in Explorer.
- Create a new folder named “acme-challenge”.
- Under the “acme-challenge” folder, create a “the-random-string-in-url” folder.
- Under that folder put the uploaded file.
- Do the same for all other requested files.
At the end the actual folder structure should be like this:
Now you can test your connection by clicking on the verification link. If you get a 200 response showing text in your browser, you are ready to request your SSL certificates.
On the SSL For Free website click the “Download SSL Certificate” button. You will get “private.key”, “certificate.crt” and “ca_bundle.crt”. You can download these files to your computer.
You should be aware that Let’s Encrypt certificates have a relatively short lifetime (90 days), so don’t forget to renew your certificates before they expire.
You can use the OpenSSL tool to create a .pfx file out of these files. If you don’t have OpenSSL on your Windows 10 development machine you can get it from https://slproweb.com/products/Win32OpenSSL.html.
Copy the certificate files to a folder (“sslforfree”) under the OpenSSL bin folder.
Start a command prompt in the OpenSSL bin folder and execute the following command to create a PFX file:
.\openssl.exe pkcs12 -export -out "sslforfree/certificate_combined.pfx" -inkey "sslforfree/private.key" -in "sslforfree/certificate.crt" -certfile sslforfree/ca_bundle.crt
It will ask you to set a password (twice) for the .pfx file.
Now you can import your .pfx file on your Windows Server and use it freely.
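One way to script the import and check the result before binding the certificate in IIS, as an added example that is not part of the original post. The PFX path, the DNS name and the 30-day renewal threshold are assumed placeholder values; run it in an elevated PowerShell session on the server.

```powershell
#Requires -RunAsAdministrator
# Added example: import the PFX and sanity-check it. All default values below are assumptions.
param(
    [string]$PfxPath         = 'C:\certs\certificate_combined.pfx',  # assumed location of the PFX
    [string]$DnsName         = 'staging.example.com',                # placeholder for your Azure DNS name
    [int]   $RenewWithinDays = 30                                    # assumed renewal warning window
)

$ErrorActionPreference = 'Stop'

# Prompt for the password chosen during "openssl pkcs12 -export" so it is not
# stored in the script or in the command history.
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into the machine store, where IIS looks for server certificates.
# -Exportable is deliberately omitted, so the private key is marked non-exportable.
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation Cert:\LocalMachine\My `
                                  -Password $password

# The PFX also carries the CA bundle; pick the certificate that owns the private key.
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key was found in $PfxPath"
}

# Validate the chain and the host name against the SSL policy.
$chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName `
                            -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

# Let's Encrypt certificates last 90 days, so report how much time is left.
$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    DaysLeft      = $daysLeft
    ChainAndName  = [bool]$chainOk
    RenewSoon     = ($daysLeft -le $RenewWithinDays)
}
```

Once the import succeeds, delete the copies of private.key and the .pfx file left in the OpenSSL folder on the development machine, since anyone who obtains them can impersonate the site.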
Hope it helps!