
    Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt

    • scottalanmiller

      Getting an SSL cert, and even a wildcard SSL cert, for IIS on Microsoft Windows Server is pretty easy, if you use a third party tool to manage your certs.

      If you are purely using the command line via PowerShell, you will likely want to check out ACMESharp.

      For most IIS Admins, you likely want a simple GUI to handle your SSL certificates. I like Win-ACME. To use it, simply download the latest version and extract it. Inside the resulting folder is a binary called letsencrypt.exe. Simply double-click it and you get a simple, menu-driven system to handle your SSL cert requests.

      Letsencrypt binary

      Once run, the menu is simple and straightforward.

      win-acme menu

      Hit N to request a new cert.

      Make a new cert

      Here you can choose "1" if you just want a traditional cert. Very easy. But for a wildcard, which is the newer and more exciting option, then we want to choose option "3".

      Once you choose options 1, 2, or 3, you will be presented with a list of your sites running on IIS. If using option 1, you simply select the one that you want to generate. If using option 3, you can input a list of the sites you want to generate the wildcard to handle. This can be a comma-separated list of the numbers to include (each site is listed with a number) or just select S to generate a wildcard for all available sites.

      A few seconds later, you should have your certs. That's all we need to do with LetsEncrypt, it is that simple. But we still need to manage our bindings in IIS to use the new certs.

      Open the Internet Information Server (IIS) Manager, and open the tree on the left to expose the list of your "Sites". Right-click on the name of the Site(s) to which you want to apply the new certificate and choose Edit Bindings.... Find the HTTPS option there, select it, and choose "Edit".

      Now under the SSL certificate drop down, you should see the new cert that you just created. Select it and hit "Ok".

      That's it! Enjoy your new cert.

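The "Edit Bindings" step from the post above can also be scripted. The following is an added example, not part of the original post or of Win-ACME: it picks the newest valid wildcard certificate and attaches it only to HTTPS bindings whose host name the certificate actually covers. The site name, the domain `example.com`, the store name and the helper `Test-CertCoversHost` are assumptions.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

# Assumed values, not from the post: adjust to your environment.
$SiteName  = 'Default Web Site'
$Wildcard  = '*.example.com'   # constructed domain
$StoreName = 'My'              # LocalMachine store holding the issued cert

# A wildcard covers exactly one left-most label: '*.example.com' matches
# 'www.example.com', but not 'example.com' and not 'a.b.example.com'.
function Test-CertCoversHost {
    param([string[]]$DnsNames, [string]$HostName)
    foreach ($name in $DnsNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)     # e.g. '.example.com'
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Newest unexpired certificate with a private key that lists the wildcard name.
$cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $Wildcard } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for '$Wildcard' in LocalMachine\$StoreName" }
$names = $cert.DnsNameList.Unicode

foreach ($binding in Get-WebBinding -Name $SiteName -Protocol https) {
    # bindingInformation has the form 'IP:port:hostheader'
    $hostHeader = ($binding.bindingInformation -split ':')[-1]
    if ($hostHeader -and -not (Test-CertCoversHost -DnsNames $names -HostName $hostHeader)) {
        Write-Warning "Skipping '$hostHeader': not covered by $($names -join ', ')"
        continue
    }
    if ($binding.certificateHash -eq $cert.Thumbprint) { continue }   # already current
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() } # drop the old cert
    $binding.AddSslCertificate($cert.Thumbprint, $StoreName)
    Write-Output "Bound $($cert.Thumbprint) to '$($binding.bindingInformation)'"
}
```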
      • travisdh1 @scottalanmiller

        @scottalanmiller Wildcard certs work now, so the Exchange server needing 4 just for it is now this easy?

        • scottalanmiller @travisdh1

          @travisdh1 said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

          @scottalanmiller Wildcard certs work now, so the Exchange server needing 4 just for it is now this easy?

          In theory, yeah.

          • travisdh1 @scottalanmiller

            @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

            @travisdh1 said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

            @scottalanmiller Wildcard certs work now, so the Exchange server needing 4 just for it is now this easy?

            In theory, yeah.

            I might have to try spinning up a temp one to try this. Could make life that much easier for a bunch of us at work.

            • PhlipElder @scottalanmiller

              @scottalanmiller Is this for self-issued certificates?

              • scottalanmiller @PhlipElder

                @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                @scottalanmiller Is this for self-issued certificates?

                No, this is for LetsEncrypt certs.

                • magicmarker

                  Is the Win-ACME tool scheduling the renewal of the LetsEncrypt SSL certificates?

                  • scottalanmiller @magicmarker

                    @magicmarker said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                    Is the Win-ACME tool scheduling the renewal of the LetsEncrypt SSL certificates?

                    It doesn't do the scheduling itself, but recommends that you schedule it with the task scheduler to auto-renew.

                    • PhlipElder @scottalanmiller

                      @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                      @scottalanmiller Is this for self-issued certificates?

                      No, this is for LetsEncrypt certs.

                      I must admit, this is the first time I've heard of them.

                      I've looked at the site and if I read things correctly, we can use their certificates for Remote Desktop Services publishing where we have an internal domain setup?

                      • JaredBusch @PhlipElder

                        @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                        @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                        @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                        @scottalanmiller Is this for self-issued certificates?

                        No, this is for LetsEncrypt certs.

                        I must admit, this is the first time I've heard of them.

                        Seriously? You need to get out more.

                        • JaredBusch

                          @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

                          • PhlipElder @JaredBusch

                            @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                            @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

                            Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

                            • PhlipElder @JaredBusch

                              @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                              @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                              @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                              @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                              @scottalanmiller Is this for self-issued certificates?

                              No, this is for LetsEncrypt certs.

                              I must admit, this is the first time I've heard of them.

                              Seriously? You need to get out more.

                              Heh … that's one of the reasons I'm on this forum. 🙂

                              • tonyshowoff

                                Glad they finally got wildcard. For years every time SSL cert cost came up on slashdot I argued that it was basically a scam and was even more irritated when everyone seemingly at the same time went to require signed certificates. It was like Verisign bribed everyone. LetsEncrypt made life better and I was disappointed they didn't support wildcards for a while but glad to see it finally.

                                So much for all those counter arguments on slashdot that the cost is for the insurance in case the certificate doesn't properly work or something else unclear, as if any of the potential problems wouldn't also be a problem for the entire Internet infrastructure when it came to security. Really people are just paying thousands of dollars in some cases for 640 bytes, or whatever, to be stored at a server somewhere and some requests for verification from time to time. It's a racket. If you want a CA though still gotta pay through the nose unless you push your CA cert to all the work stations in your business or whatever.

                                LetsEncrypt is the best thing to happen to the Internet, but especially the web, since IPSec and SSL itself.

                                • scottalanmiller @PhlipElder

                                  @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                  @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                  @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

                                  Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

                                  One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

                                  • PhlipElder @scottalanmiller

                                    @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                    @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                    @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                    @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

                                    Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

                                    One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

                                    Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

                                    • scottalanmiller @PhlipElder

                                      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                      @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                      @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                      @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

                                      Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

                                      One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

                                      Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

                                      It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

                                      • PhlipElder @scottalanmiller

                                        @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                        @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                        @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                        @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                        @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                        @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

                                        Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

                                        One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

                                        Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

                                        It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

                                        Got it thanks. Looks like a bit of a learning curve then. 🙂

                                        • scottalanmiller @PhlipElder

                                          @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                          @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                          @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                          @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                          @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                          @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

                                          @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

                                          Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

                                          One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

                                          Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

                                          It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

                                          Got it thanks. Looks like a bit of a learning curve then. 🙂

                                          It's not bad. I find learning the LE pieces easier than learning to do it the old fashioned way 🙂 And with LE it is "learn once and ignore", rather than "learn once, forget, do again in a year or two all over again."

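The thread raises two operational risks: a 90-day certificate whose scheduled renewal silently fails, and a wildcard certificate copied to several servers where some still serve the old copy. The audit below is an added example, not from any poster or from Win-ACME: it connects to each endpoint, reads the certificate actually being served, and flags near-expiry and stale copies. The host names, the 30-day threshold and the function `Get-ServedCertificate` are assumptions, as is the premise that all listed endpoints should share one certificate.

```powershell
# Constructed endpoint list: replace with the servers that share the wildcard cert.
$Endpoints = 'www.example.com:443', 'mail.example.com:443', 'rdgw.example.com:443'
$WarnDays  = 30   # assumed alert threshold for a 90-day certificate

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: this is inspection, not a trust decision, and
        # expired or mismatched certs must be reported rather than hidden.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList `
            $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)    # sends SNI for $HostName
        $cert = New-Object `
            System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Endpoint   = "${HostName}:$Port"
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        }
    }
    finally { $client.Close() }
}

$results = foreach ($ep in $Endpoints) {
    $h, $p = $ep -split ':'
    try   { Get-ServedCertificate -HostName $h -Port ([int]$p) }
    catch { Write-Warning "${ep}: $($_.Exception.Message)" }
}

# The certificate with the latest expiry is taken as the current one; any
# endpoint serving a different thumbprint still holds an older copy.
$newest = $results | Sort-Object NotAfter -Descending | Select-Object -First 1
$report = $results | Select-Object Endpoint, DaysLeft, Thumbprint,
    @{ n = 'Expiring'; e = { $_.DaysLeft -lt $WarnDays } },
    @{ n = 'Stale';    e = { $_.Thumbprint -ne $newest.Thumbprint } }
$report | Format-Table -AutoSize

# Non-zero exit code lets a Task Scheduler job or monitoring agent raise an alert.
if ($report | Where-Object { $_.Expiring -or $_.Stale }) { exit 1 }
```

Run from a scheduled task on a machine other than the web servers, this catches a renewal job that has stopped working well before the certificate expires.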