====== Install & Configure CertBot on Windows with IIS ======

[[https://certbot.eff.org/lets-encrypt/windows-other.html|CertBot - Windows Other]]

  - Download & Install [[https://dl.eff.org/certbot-beta-installer-win32.exe|CertBot (beta)]]
  - Open MS-DOS command prompt in //Administrator// mode, run the following commands to generate SSL certificate using //DNS// challenge:<WRAP center round info 100%>There are 2 types of Challenges that CertBot supports in-order to validate ownership of Domain for which the SSL certificate is being generated, they are:
  - HTTP
  - DNS
For more details refer to [[https://certbot.eff.org/docs/challenges.html|https://certbot.eff.org/docs/challenges.html]]
</WRAP><WRAP center round alert 60%>
<block>Replace <<Email Address>></block>
<block>Replace <<Domain Name>></block>
</WRAP><code>
certbot certonly --manual --preferred-challenges dns --email "<<Email Address>>" --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d <<Domain Name>>
</code>
  - Type //Y// and press //[ENTER]// key at the following prompt:<code>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: </code>You will see following output:<code>Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for <<Domain Name>>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
</code>
  - Type //Y// and press //[ENTER]// key at the following prompt:<code>
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 
</code>You will see the following output:<code>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.<<Domain Name>> with the following value:

<<DNS TXT Record>>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
</code>
  - Download & Install OpenSSL for Windows <WRAP center round info 60%>
<block>[[https://slproweb.com/products/Win32OpenSSL.html|https://slproweb.com/products/Win32OpenSSL.html]]</block>
<block>[[https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe|https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe]]</block>
</WRAP>
  - Select option to copy OpenSSL libraries to OpenSSL ///bin// folder
  - In the MS-DOS command prompt window in Step 2 or a new MS-DOS command prompt window, run the following commands to create PFX file:<WRAP center round info 60%>
[[https://community.letsencrypt.org/t/create-pfx-certificate/86949|https://community.letsencrypt.org/t/create-pfx-certificate/86949]]
</WRAP><WRAP center round alert 60%>
Replace <<Domain Name>>
</WRAP><code>cd /d "C:\Program Files\OpenSSL-Win64\bin"
openssl pkcs12 -export -out "C:\Certbot\archive\<<Domain Name>>\<<Domain Name>>.pfx" -inkey "C:\Certbot\archive\<<Domain Name>>\privkey1.pem" -in "C:\Certbot\archive\<<Domain Name>>\cert1.pem" -certfile "C:\Certbot\archive\<<Domain Name>>\chain1.pem" -password pass:<<password>>
</code>
  - Launch //Internet Information Services (IIS) Manager// from //Control Panel// → //Administrative Tools//
  - Click on Server tree node underneath //Start Page// in the left-side navigation panel
  - Click on //Server Certificates// under //IIS// section in the middle work area
  - Click on //Import...// link in right side actions panel
  - Using //...// button next to //Certificate file (.pfx)://, select the PFX file generated in Step 7
  - Enter the password entered in Step 2 in //Password// field
  - Click //OK// to Import the certificate<WRAP center round info 60%>Now you should see the imported certificate in the list of IIS Server Certificates in middle work area</WRAP>
  - Expand //> Sites// underneath the Server tree node in left-side navigation panel
  - Click on the Site that has HTTPS binding to which the certificate needs to be assigned-to
  - Click on //Bindings...// in right-side action panel
  - Select the HTTPS Binding and Click on //Edit...// or create a new binding (if not present)
  - In the //SSL certificate:// drop-down, select the newly imported SSL certificate in Step 14