Let’s Encrypt with IIS on Windows Server
The main benefits of SSL connections revolve around privacy and data
integrity. Connections are private because the encryption prevents
eavesdropping.
Data integrity is ensured by cryptographically verifying that you’re
connecting to the correct server (and not an imposter), and by
verifying that individual messages are not tampered with in transit.
Secure Hosting
The push to get more and more web traffic secured with SSL
encryption means that an increasing number of services need a
solution for obtaining the proper certificates.
Whether it's a public website, intranet traffic, or a staging server for
any web app, a certificate is needed to protect data and meet the
modern security expectations of users.
Let's Encrypt is an open certificate authority that provides
free X.509 certificates for Transport Layer Security (TLS)
encryption via an automated process designed to eliminate the
complex process of manual creation, validation, signing,
installation and renewal of certificates for secure websites.
It offers FREE SSL certificates that are just as secure as paid
certificates.
The organization behind Let’s Encrypt is the Internet Security
Research Group (ISRG), and it has a lot of official sponsors.
Today Let’s Encrypt is already trusted by most browsers. To achieve
this, Let’s Encrypt’s intermediate Certificate Authorities have been
cross-signed by IdenTrust.
The certificate issuance is based on Domain Validation, which means
that you have to prove your ownership of a domain name by creating
a publicly accessible file under that domain name. You are then
allowed to request a free SSL certificate for that domain name.
Let's Encrypt provides an automated mechanism to
request and renew free domain validated certificates.
Wildcard domains do not secure the root domain so you must re-enter
the root domain if you want it to be secured under one certificate.
Let's Encrypt has set up rate limitations to help protect their servers.
Limits are as follows:
When Let's Encrypt was initially launched 2 years back, there was
no Windows support. Even now there’s no official Let’s Encrypt
client for Windows provided by Let’s Encrypt. However, there are
now a few tools available that provide wrappers for the Automated
Certificate Management Environment (ACME) API.
Windows Support
Make sure that the website is accessible from the Internet on port 80.
Get ports 80 & 443 opened from the public IP of the server to *.*.*.* for 2
days for the URL https://acme-v01.api.letsencrypt.org by applying on
https://farps.nic.in
If the website is behind a WAF, then allow ‘.’ & ‘-’ in the URL for that
website.
GENERATING SSL CERTIFICATE FROM LET'S ENCRYPT CA FOR IIS
https://github.com/Lone-Coder/letsencrypt-win-simple/releases
Open IIS
Click on <Sites>
Click on <Handler Mappings>
Create a directory named .well-known in the folder c:\inetpub\wwwroot
Run letsencrypt.exe as Administrator
It will ask - Which kind of certificate would you like to create?
Open IIS
Click <Sites>
Choose the website
Click <Bindings..>
In the Pop-up menu click <Add>
Select the type as <https> and the IP address of the server.
Give the port no. 443
Select the certificate from the drop down menu
Press OK.
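Before letsencrypt.exe is run, the prerequisites listed earlier (port 80 reachable, IIS serving extensionless files under .well-known, WAF allowing '.' and '-') can be checked with a short PowerShell script. This is an added example, not part of the original slides or of the letsencrypt-win-simple project; the parameter names and the test token are hypothetical, constructed values.

```powershell
# Added example, not from the original slides. $HostName, $WebRoot, $KeepFile and
# the token below are hypothetical/constructed values for illustration.
param(
    [Parameter(Mandatory = $true)] [string] $HostName,  # public name on the certificate
    [string] $WebRoot = 'C:\inetpub\wwwroot',           # site root used in the steps above
    [switch] $KeepFile                                  # leave the file for an outside fetch
)

# Constructed token shaped like an ACME one: no extension, contains '-' and '_'.
$token    = 'preflight-' + [guid]::NewGuid().ToString('N') + '_x'
$expected = "$token.constructed-key-authorization"
$dir      = Join-Path $WebRoot '.well-known\acme-challenge'
$file     = Join-Path $dir $token
$url      = "http://$HostName/.well-known/acme-challenge/$token"

New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $file -Value $expected -NoNewline -Encoding Ascii

try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    # Extensionless files may come back as bytes depending on the MIME type.
    $body = if ($resp.Content -is [byte[]]) {
        [Text.Encoding]::ASCII.GetString($resp.Content)
    } else { [string]$resp.Content }
    if ($body.Trim() -eq $expected) {
        "PASS: $url returned the expected content."
    } else {
        "FAIL: $url answered, but not with the challenge file (rewrite rule or error page?)."
    }
}
catch {
    # 0 means no HTTP response at all (DNS, firewall, nothing listening on port 80).
    $status = [int]$_.Exception.Response.StatusCode
    switch ($status) {
        0       { "FAIL: no HTTP response from $HostName on port 80." }
        404     { "FAIL: 404. IIS is not serving extensionless files under .well-known (check Handler Mappings / MIME type)." }
        403     { "FAIL: 403. Request filtering or a WAF rejected the URL (check '.' and '-' are allowed)." }
        default { "FAIL: HTTP $status for $url." }
    }
}
finally {
    if (-not $KeepFile) { Remove-Item -Path $file -ErrorAction SilentlyContinue }
}
# If $HostName resolves to a local address on this server, the request never
# crosses the firewall or WAF: rerun with -KeepFile and fetch $url from outside.
```

Saved under a name of your choice (for example Test-AcmePreflight.ps1, a hypothetical file name), it is run from an elevated PowerShell prompt with -HostName set to the site's public name.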
Most Google APIs that you can integrate with your website today
like maps, geolocation, translate, graphs and so on, all must
originate from secure endpoints of your source site in order to
work.
SSL/TLS is no longer an option but a necessity for any website,
large or small. And now, with new tools and free certificates
available from Let’s Encrypt, there’s no longer any excuse for not
using encrypted HTTP. Anything public should just run on HTTPS.
Setting up a new certificate, even on Windows and IIS, can now
literally be done in a few minutes.
It's not just about free certificates either – the fact that the
certificate generation can be completely automated is also
appealing, especially to those who have large numbers of
sites and certificates.
Thank You
E-Mail – pradeep.saxena@nic.in