====== Install & Configure CertBot on Windows with IIS ======

[[https://certbot.eff.org/lets-encrypt/windows-other.html|CertBot - Windows Other]]

  - Download & Install [[https://dl.eff.org/certbot-beta-installer-win32.exe|CertBot (beta)]]
  - Open an MS-DOS command prompt in //Administrator// mode and run the following command to generate an SSL certificate using the //DNS// challenge. CertBot supports 2 types of challenges to validate ownership of the domain for which the SSL certificate is being generated: HTTP and DNS. For more details refer to [[https://certbot.eff.org/docs/challenges.html|https://certbot.eff.org/docs/challenges.html]]. Replace <> Replace <> <code>
certbot certonly --manual --preferred-challenges dns --email "<>" --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d <>
</code>
  - Type //Y// and press the //[ENTER]// key at the following prompt: <code>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
</code> You will see the following output: <code>
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for <>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
</code>
  - Type //Y// and press the //[ENTER]// key at the following prompt: <code>
Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
</code> You will see the following output: <code>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.<> with the following value:

<>

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
</code>
  - Download & Install OpenSSL for Windows: [[https://slproweb.com/products/Win32OpenSSL.html|https://slproweb.com/products/Win32OpenSSL.html]] [[https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe|https://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.exe]]
  - Select the option to copy the OpenSSL libraries to the OpenSSL ///bin// folder
  - In the MS-DOS command prompt window from Step 2, or in a new MS-DOS command prompt window, run the following commands to create the PFX file (see [[https://community.letsencrypt.org/t/create-pfx-certificate/86949|https://community.letsencrypt.org/t/create-pfx-certificate/86949]]). Replace <> <code>
cd /d "C:\Program Files\OpenSSL-Win64\bin"
openssl pkcs12 -export -out "C:\Certbot\archive\<>\<>.pfx" -inkey "C:\Certbot\archive\<>\privkey1.pem" -in "C:\Certbot\archive\<>\cert1.pem" -certfile "C:\Certbot\archive\<>\chain1.pem" -password pass:<>
</code>
  - Launch //Internet Information Services (IIS) Manager// from //Control Panel// → //Administrative Tools//
  - Click on the Server tree node underneath //Start Page// in the left-side navigation panel
  - Click on //Server Certificates// under the //IIS// section in the middle work area
  - Click on the //Import...// link in the right-side actions panel
  - Using the //...// button next to //Certificate file (.pfx)://, select the PFX file generated in Step 7
  - Enter the password entered in Step 2 in the //Password// field
  - Click //OK// to import the certificate. You should now see the imported certificate in the list of IIS Server Certificates in the middle work area
  - Expand //> Sites// underneath the Server tree node in the left-side navigation panel
  - Click on the Site whose HTTPS binding the certificate needs to be assigned to
  - Click on //Bindings...// in the right-side actions panel
  - Select the HTTPS binding and click on //Edit...//, or create a new binding (if not present)
  - In the //SSL certificate:// drop-down, select the SSL certificate imported in Step 14
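
The IIS Manager steps above (import the PFX, then assign it to the site's HTTPS binding) can also be done from an elevated Windows PowerShell session. The script below is an added example, not part of the original page; the PFX path and the site name "Default Web Site" are placeholder assumptions.

```powershell
# Added example (not from the original page). Run in elevated Windows PowerShell.
# The $PfxPath and $SiteName defaults are placeholders; substitute your own values.
param(
    [string]$PfxPath  = 'C:\path\to\your-certificate.pfx',  # placeholder: PFX from the openssl step
    [string]$SiteName = 'Default Web Site',                  # assumed IIS site name
    [int]   $Port     = 443
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Prompt for the PFX password so it is not stored in the script or shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into LocalMachine\My, the store IIS lists under "Server Certificates".
# -Exportable is omitted, so the private key cannot be exported from the store.
$imported = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
                -CertStoreLocation 'Cert:\LocalMachine\My'
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# Refuse to bind a certificate that IIS could not serve.
if (-not $cert) { throw 'The PFX did not contain a certificate with a private key.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Find the HTTPS binding, or create it if the site has none on this port.
$binding = @(Get-WebBinding -Name $SiteName -Protocol 'https' -Port $Port)
if ($binding.Count -eq 0) {
    New-WebBinding -Name $SiteName -Protocol 'https' -Port $Port -IPAddress '*'
    $binding = @(Get-WebBinding -Name $SiteName -Protocol 'https' -Port $Port)
}
if ($binding.Count -ne 1) {
    throw "Expected one HTTPS binding on port $Port, found $($binding.Count)."
}

# Replace any certificate already assigned, then assign the new one.
if ($binding[0].certificateHash) { $binding[0].RemoveSslCertificate() }
$binding[0].AddSslCertificate($cert.Thumbprint, 'My')

"Bound $($cert.Subject) [$($cert.Thumbprint)] to '$SiteName' on port $Port; expires $($cert.NotAfter)."
```

The printed thumbprint can be compared with the certificate shown in the //SSL certificate:// drop-down to confirm the binding uses the newly imported certificate.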