====== Install & Configure CertBot on Windows with IIS ======
[[https://certbot.eff.org/lets-encrypt/windows-other.html|CertBot - Windows Other]]
- Download & Install [[https://dl.eff.org/certbot-beta-installer-win32.exe|CertBot (beta)]]
- Open MS-DOS command prompt in //Administrator// mode, run the following commands to generate SSL certificate using //DNS// challenge:
There are 2 types of challenges that CertBot supports in order to validate ownership of the domain for which the SSL certificate is being generated:
- HTTP
- DNS
For more details refer to [[https://certbot.eff.org/docs/challenges.html|https://certbot.eff.org/docs/challenges.html]]
Replace <>
Replace <>
certbot certonly --manual --preferred-challenges dns --email "<>" --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d <>
- Type //Y// and press //[ENTER]// key at the following prompt:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
You will see the following output:
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for <>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
- Type //Y// and press //[ENTER]// key at the following prompt:
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
You will see the following output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.<> with the following value:
<>
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
- Download & Install OpenSSL for Windows
[[https://slproweb.com/products/Win32OpenSSL.html|https://slproweb.com/products/Win32OpenSSL.html]]
[[https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe|https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe]]
- Select option to copy OpenSSL libraries to OpenSSL ///bin// folder
- In the MS-DOS command prompt window in Step 2 or a new MS-DOS command prompt window, run the following commands to create PFX file:
[[https://community.letsencrypt.org/t/create-pfx-certificate/86949|https://community.letsencrypt.org/t/create-pfx-certificate/86949]]
Replace <>
cd /d "C:\Program Files\OpenSSL-Win64\bin"
openssl pkcs12 -export -out "C:\Certbot\archive\<>\<>.pfx" -inkey "C:\Certbot\archive\<>\privkey1.pem" -in "C:\Certbot\archive\<>\cert1.pem" -certfile "C:\Certbot\archive\<>\chain1.pem" -password pass:<>
- Launch //Internet Information Services (IIS) Manager// from //Control Panel// → //Administrative Tools//
- Click on Server tree node underneath //Start Page// in the left-side navigation panel
- Click on //Server Certificates// under //IIS// section in the middle work area
- Click on //Import...// link in right side actions panel
- Using //...// button next to //Certificate file (.pfx)://, select the PFX file generated in Step 7
- Enter the password entered in Step 2 in //Password// field
- Click //OK// to import the certificate
Now you should see the imported certificate in the list of IIS Server Certificates in the middle work area
- Expand //> Sites// underneath the Server tree node in left-side navigation panel
- Click on the Site whose HTTPS binding the certificate needs to be assigned to
- Click on //Bindings...// in right-side action panel
- Select the HTTPS Binding and Click on //Edit...// or create a new binding (if not present)
- In the //SSL certificate:// drop-down, select the newly imported SSL certificate in Step 14
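The DNS challenge step above says to verify the TXT record is deployed before pressing Enter; the script below is one way to run that check from a PowerShell window. It is an added example, not part of the original page or of Certbot. The parameter names, the two public resolver addresses and the retry timings are assumptions; pass the domain and the TXT value exactly as Certbot printed them.

```powershell
# Added example: poll public resolvers until the dns-01 TXT record is visible.
# All parameter names and defaults here are assumptions made for this example.
param(
    [Parameter(Mandatory)] [string] $Domain,          # domain passed to certbot -d
    [Parameter(Mandatory)] [string] $Expected,        # TXT value printed by Certbot
    [string[]] $Resolvers = @('1.1.1.1', '8.8.8.8'),  # assumed public resolvers
    [int] $MaxAttempts = 20,
    [int] $DelaySeconds = 30
)

$name = "_acme-challenge.$Domain"

function Test-ChallengeRecord {
    param([string] $Name, [string] $Value, [string] $Resolver)
    # -DnsOnly skips LLMNR/NetBIOS and -NoHostsFile ignores the local hosts file,
    # so the answer reflects what an external validator would get from DNS.
    $answers = Resolve-DnsName -Name $Name -Type TXT -Server $Resolver `
        -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    # NXDOMAIN yields nothing; a name without TXT data yields an SOA record, filtered out here.
    foreach ($rec in @($answers | Where-Object { $_.Type -eq 'TXT' })) {
        # A TXT record may be split into several strings; join before comparing.
        # The challenge value is base64url, so compare case-sensitively.
        if (($rec.Strings -join '') -ceq $Value) { return $true }
    }
    return $false
}

for ($i = 1; $i -le $MaxAttempts; $i++) {
    # Require the record on every resolver, not just the first one that answers.
    $missing = @($Resolvers | Where-Object { -not (Test-ChallengeRecord $name $Expected $_) })
    if ($missing.Count -eq 0) {
        Write-Host "TXT record for $name is visible on all resolvers; press Enter in Certbot."
        return
    }
    Write-Host "Attempt $i/$MaxAttempts: not visible on $($missing -join ', '); retrying in $DelaySeconds s"
    Start-Sleep -Seconds $DelaySeconds
}
throw "TXT record for $name did not appear; do not continue in Certbot yet."
```

Pressing Enter in Certbot before the record has propagated fails the challenge and requires starting the request over with a new TXT value.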