
Secure website using Let's Encrypt with IIS on Windows Server

Pradeep Kumar Saxena, STD
Drinking Water/Sanitation Informatics Division
New Delhi
Pradeep.saxena@nic.in

Secure Hosting

- Allows a website to be accessed using the HTTPS protocol, which encrypts
  the data transmitted between a visitor's web browser and the website.
- Accomplished by adding an SSL certificate to the domain.
- SSL certificates are an industry standard used by millions of websites
  worldwide to protect all communication and data that is transmitted online
  through those websites.
- The main benefits of SSL connections revolve around privacy and data
  integrity. Connections are private because the encryption prevents
  eavesdropping.
- Data integrity is ensured by cryptographically verifying that you're
  connecting to the correct server (and not an imposter), and by verifying
  that individual messages are not tampered with in transit.
- The push to get more and more web traffic secured with SSL encryption means
  that an increasing number of services need a solution for obtaining the
  proper certificates.
- Whether it's a public website, intranet traffic, or a staging server for any
  web app, a certificate is needed to protect data and meet the modern security
  expectations of users.
- Let's Encrypt is an open certificate authority that provides free X.509
  certificates for Transport Layer Security (TLS) encryption via an automated
  process designed to eliminate the complex manual process of creation,
  validation, signing, installation and renewal of certificates for secure
  websites.
- It offers FREE SSL certificates that are just as secure as paid certificates.
- The organization behind Let's Encrypt is the Internet Security Research Group
  (ISRG), and it has a lot of official sponsors.
- Today Let's Encrypt is already trusted by most browsers. To achieve this,
  Let's Encrypt's intermediate Certificate Authorities have been cross-signed
  by IdenTrust.
- Certificate issuance is based on Domain Validation, which means that you have
  to prove your ownership of a domain name by creating a publicly accessible
  file under that domain name. You are then allowed to request a free SSL
  certificate for that domain name.
- Let's Encrypt provides an automated mechanism to request and renew free
  domain-validated certificates.
- They've created a standard protocol – ACME – for interacting with the service
  to retrieve and renew certificates automatically.
- Automated Certificate Management Environment (ACME) is a challenge–response
  protocol which involves various requests to the web server on the domain that
  is covered by the certificate.
- Based on whether the resulting responses match the expectations, control of
  the enrolee over the domain is assured (domain validation).
- In order to do that, the ACME client software sets up a special TLS server on
  the server system that gets queried by the ACME certificate authority server
  with special requests using Server Name Indication (Domain Validation using
  Server Name Indication, DVSNI).
- The validation processes are run multiple times over separate network paths.
- DNS entries are checked from multiple geographically diverse locations to
  make DNS spoofing attacks harder.
- The validity time of certificates from Let's Encrypt is shorter: only 90 days
  instead of the usual 1-3 years for SSL certificates.
- But since re-enrollment is automatic (and free), it is not an issue.
- The certificate will have the Enhanced Key Usages Server Authentication and
  Client Authentication, which means that it can also be used for things other
  than web servers, such as VPN servers, email servers etc.
- Free wildcard certificates: wildcard certificates allow you to secure a
  domain and any subdomains under that domain, or multiple domains.
- Wildcard domains do not secure the root domain, so you must re-enter the root
  domain if you want it to be secured under one certificate.
- To generate wildcard certificates, add an asterisk to the beginning of the
  domain(s) followed by a period.
- For example, to create a wildcard certificate for multiple domains such as
  test.gov.in and test.com, enter:
  *.test.gov.in test.gov.in *.test.com test.com
- The www version of the domain is automatically added, as most users want that
  implicitly, but if it is not required it can be removed while verifying the
  domain.
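The domain validation described above, worked through for the HTTP-01 challenge (the "publicly accessible file under the domain" variant), as an added PowerShell example; this is not code from the presentation or from the Let's Encrypt client. It shows what the client publishes (token, a dot, and the RFC 7638 thumbprint of its account key) and the recomputation the CA performs. The account key and token are generated here for the demo, the function names (ConvertTo-Base64Url, Get-JwkThumbprint, Publish-Http01Response, Test-KeyAuthorization) are hypothetical, and the file is written under %TEMP% so it runs without IIS; with -WebRoot C:\inetpub\wwwroot it writes to the site root used in the slides.

```powershell
# Added example, not from the presentation or the Let's Encrypt client.
# Shows what an ACME client publishes for an HTTP-01 challenge (RFC 8555,
# section 8.1) and the comparison the CA performs. The account key and token
# are generated here for the demo; in a real enrolment the token comes from
# the CA and the account key is the client's registered key.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # base64url without padding, as JOSE/ACME require
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwkThumbprint([System.Security.Cryptography.RSA]$Key) {
    # RFC 7638: SHA-256 of the public JWK with members in lexicographic order, no whitespace
    $p = $Key.ExportParameters($false)           # public parameters only
    $jwk = '{"e":"' + (ConvertTo-Base64Url $p.Exponent) +
           '","kty":"RSA","n":"' + (ConvertTo-Base64Url $p.Modulus) + '"}'
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try { ConvertTo-Base64Url $sha256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($jwk)) }
    finally { $sha256.Dispose() }
}

function Publish-Http01Response {
    # Client side: write "<token>.<thumbprint>" to the path the CA will fetch.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$AccountKey,
        [string]$WebRoot = 'C:\inetpub\wwwroot'   # site root used in the slides
    )
    $keyAuthorization = $Token + '.' + (Get-JwkThumbprint $AccountKey)
    $dir = Join-Path $WebRoot '.well-known\acme-challenge'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # The file is named after the token and has no extension, which is why the
    # slides add a MIME mapping; write it without a BOM or trailing newline.
    [System.IO.File]::WriteAllText((Join-Path $dir $Token), $keyAuthorization)
    return $keyAuthorization
}

function Test-KeyAuthorization {
    # CA side: recompute the expected value from the account's public key and
    # compare it with the body fetched from http://<domain>/.well-known/acme-challenge/<token>.
    param([string]$Body, [string]$Token, [System.Security.Cryptography.RSA]$AccountPublicKey)
    $expected = $Token + '.' + (Get-JwkThumbprint $AccountPublicKey)
    return ($Body.Trim() -ceq $expected)       # -ceq: base64url is case-sensitive
}

# Demo: throwaway 2048-bit account key and a 32-byte random token (constructed)
$accountKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$tokenBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($tokenBytes)
$token = ConvertTo-Base64Url $tokenBytes

$keyAuth = Publish-Http01Response -Token $token -AccountKey $accountKey -WebRoot $env:TEMP
$served  = [System.IO.File]::ReadAllText((Join-Path $env:TEMP ".well-known\acme-challenge\$token"))
Write-Host "Token:             $token"
Write-Host "Key authorization: $keyAuth"
Write-Host "CA check passes:   $(Test-KeyAuthorization -Body $served -Token $token -AccountPublicKey $accountKey)"
```

The file content is the only secret-free proof the CA needs: anyone can read it, but only the holder of the account private key can later sign the "challenge ready" message the thumbprint is tied to, which is why the response is bound to the account key rather than being just the token.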
Benefits

Key benefits of using a Let's Encrypt SSL certificate:

- It's free – Anyone who owns a domain can obtain a trusted certificate at
  zero cost.
- It's automatic – The entire enrolment process for certificates occurs
  painlessly during the server's native installation or configuration process.
  Renewal occurs automatically in the background.
- It's simple – There's no payment, no validation emails, and certificates
  renew automatically.
- It's secure – Let's Encrypt serves as a platform for implementing modern
  security techniques and best practices.
Difference?

- There is no difference in the encryption protection. However, Let's Encrypt
  provides only domain validation (DV) certificates; it does not support
  Organization Validation (OV) certificates.
- DV certificates can only ensure a secure connection to the website. OV
  certificates validate the domain as well as organizational information about
  who is purchasing the certificate, such as their name, city, state and
  country.
- Certificates can only be generated for registered domain names and not for
  IP addresses.
Rate limits

Let's Encrypt has set up rate limits to help protect its servers. The limits
are as follows:

- Names/Certificate – the number of domain names which can be included in one
  certificate: limit 100.
- Registrations/IP address – the number of registrations in a given time
  period: limit 500 per 3 hours.
- Pending Authorizations/Account – the number of times an ACME client can
  request a domain name be authorized without actually fulfilling the request:
  limit 300 per account per week.
Windows Support

When Let's Encrypt was initially launched 2 years back, there was no Windows
support. Even now there is no official Let's Encrypt client for Windows
provided by Let's Encrypt; however, there are now a few tools available that
provide wrappers for the Automated Certificate Management Environment (ACME)
API.

Options available are:

- LetsEncrypt-Win-Simple: a Windows command line utility
- ACMESharp PowerShell commands
- Certify: a GUI implementation of the ACME API

LetsEncrypt-Win-Simple

- The easiest way to create and install a new certificate is
  LetsEncrypt-Win-Simple. This tool runs from the command line and has a few
  very easy to understand options.
- This tool basically wraps up all the intermediate steps of creating a
  registration, domain and certificate.
- When it is run again, it uses the existing store to retrieve the existing
  registration and domain information to run a renewal.
GENERATING SSL CERTIFICATE FROM LET'S ENCRYPT CA FOR IIS

- Make sure that the website is accessible from the Internet on port 80.
- Get ports 80 & 443 opened from the public IP of the server to *.*.*.* for 2
  days for the URL https://acme-v01.api.letsencrypt.org by applying on
  https://farps.nic.in
- If the website is behind a WAF, then allow '.' & '-' in the URL for that
  website.
- Download the Let's Encrypt client from the following link and extract the
  zip file:
  https://github.com/Lone-Coder/letsencrypt-win-simple/releases
- Open IIS.
- Click on <Sites>.
- Click on <Handler Mappings>.
- View Ordered List.
- Move the entry named <StaticFile> up above the entry
  <ExtensionlessUrlHandlers>.
- Click <MIME Types>.
- Click Add.
- Enter File name extension: <.*> and MIME Type: <application/octet-stream>.
- Create a directory named .well-known in the folder c:\inetpub\wwwroot.
- Run letsencrypt.exe as Administrator.
- Enter M to create a new certificate with advanced options.
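The IIS preparation steps above (static handler ahead of the extensionless handler, a MIME type for extensionless files, the .well-known directory), scripted as an added PowerShell example; this is not code from the presentation or from LetsEncrypt-Win-Simple. Rather than changing the handler order and MIME map of the whole site, it drops a web.config into the challenge directory so only that path is affected, then checks that the path is actually served over HTTP before letsencrypt.exe is run. The site name 'Default Web Site', the web root, the domain test.gov.in from the slides and the function names are assumptions; it needs the WebAdministration module and an elevated prompt.

```powershell
# Added example, not from the presentation or LetsEncrypt-Win-Simple.
# Prepares IIS for the HTTP-01 challenge with a web.config scoped to the
# challenge directory (same effect as the handler-order and MIME-type changes
# on the slides, but confined to that path), then checks the result the way
# the CA will. Assumptions: site 'Default Web Site', web root C:\inetpub\wwwroot,
# domain test.gov.in from the slides, WebAdministration module, elevated prompt.

Import-Module WebAdministration

function Initialize-AcmeChallengeDirectory {
    param([string]$WebRoot = 'C:\inetpub\wwwroot')
    $dir = Join-Path $WebRoot '.well-known\acme-challenge'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # handlers:      only the static file handler, so ExtensionlessUrlHandler and
    #                MVC routing never claim the extensionless token files
    # staticContent: map "no extension" to text/plain instead of a 404.3 error
    $webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="GET,HEAD" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
    <staticContent>
      <clear />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@
    [System.IO.File]::WriteAllText((Join-Path $dir 'web.config'), $webConfig)
    return $dir
}

function Test-Port80Binding {
    param([string]$SiteName = 'Default Web Site')
    # The CA connects to port 80; confirm the site actually listens there.
    $http = Get-WebBinding -Name $SiteName -Protocol http |
            Where-Object { $_.bindingInformation -like '*:80:*' }
    return [bool]$http
}

function Test-AcmeChallengePath {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Directory)
    # Write a throwaway extensionless file and fetch it over plain HTTP, which is
    # what the CA does. Success only proves the server serves the path; the CA
    # validates from its own network, so port 80 must also be open from outside.
    $name = 'probe-' + [guid]::NewGuid().ToString('N')
    $path = Join-Path $Directory $name
    [System.IO.File]::WriteAllText($path, $name)
    try {
        $body = (New-Object System.Net.WebClient).DownloadString("http://$Domain/.well-known/acme-challenge/$name")
        return ($body -ceq $name)
    } catch {
        Write-Warning "GET of the probe failed: $($_.Exception.Message)"
        return $false
    } finally {
        Remove-Item $path -ErrorAction SilentlyContinue
    }
}

$dir = Initialize-AcmeChallengeDirectory -WebRoot 'C:\inetpub\wwwroot'
if (-not (Test-Port80Binding -SiteName 'Default Web Site')) {
    Write-Warning 'No http binding on port 80: the CA cannot reach the challenge.'
}
if (Test-AcmeChallengePath -Domain 'test.gov.in' -Directory $dir) {
    Write-Host 'Challenge path is served; run letsencrypt.exe as Administrator.'
} else {
    Write-Host 'Fix the site before running letsencrypt.exe (see warning above).'
}
```

Scoping the handler and MIME changes to the challenge directory keeps the rest of the site on its normal pipeline and avoids serving arbitrary extensionless files as application/octet-stream site-wide.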


- It will ask "Which kind of certificate would you like to create?" Enter 1
  for a single website.
- It will display the sites available in your system and ask you to choose.
- At the next query, "How would you like to validate this certificate?", enter
  5 for self-host verification files.
- "Which installer should run for the certificate?" Enter 2 for creating https
  bindings in IIS.
- After asking for your email address, it will ask whether you agree to the
  subscriber agreement. Enter 'y'.
- The certificate gets generated and installed automatically in IIS.
- If you also have a parallel second server, then install this certificate on
  that server too. For this you have to export the certificate, copy the
  certificate file to the second server and import it on that server.
- Copy this pfx file to the second server and install the certificate.
- Open IIS.
- Click <Sites>.
- Choose the website.
- Click <Bindings...>.
- In the pop-up menu click <Add>.
- Select the type as <https> and the IP address of the server.
- Give the port no. 443.
- Select the certificate from the drop-down menu.
- Press OK.
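The second-server steps above (export the certificate, copy the pfx, import it, add the https binding on port 443), scripted as an added PowerShell example; this is not code from the presentation or from the Let's Encrypt client. It also covers the later removal of superseded certificates, keeping whichever one an IIS binding still uses. The certificate subject CN=test.gov.in (domain from the slides), the site name 'Default Web Site', the pfx path C:\certs\test.gov.in.pfx and the function names are assumptions; it needs the WebAdministration module and an elevated prompt on both servers.

```powershell
# Added example, not from the presentation or the Let's Encrypt client.
# Scripts the second-server steps (export the PFX, import it, bind it to
# https on port 443) and the later removal of superseded certificates.
# Assumptions: certificate subject CN=test.gov.in (domain from the slides),
# site 'Default Web Site', PFX path C:\certs\test.gov.in.pfx, WebAdministration
# module, elevated prompt. Export on server 1; import and bind on server 2.

Import-Module WebAdministration

function Get-SiteCertificates([string]$Subject) {
    # Let's Encrypt renews every 90 days, so several certificates for one
    # subject accumulate; newest expiry first.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending
}

function Export-SiteCertificate {
    param([Parameter(Mandatory)][string]$Subject,
          [Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$Password)
    $cert = Get-SiteCertificates $Subject | Select-Object -First 1
    if ($null -eq $cert) { throw "No certificate with private key for CN=$Subject" }
    # The PFX contains the private key: use a strong password, copy it over an
    # authenticated channel and delete the file on both servers after import.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Install-SiteCertificate {
    param([Parameter(Mandatory)][string]$PfxPath,
          [Parameter(Mandatory)][securestring]$Password,
          [string]$SiteName = 'Default Web Site')
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password |
            Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    # Bindings slide: type https, all IP addresses, port 443
    if ($null -eq (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' | Out-Null
    }
    # Attach the certificate to 0.0.0.0:443, replacing whatever was bound before
    $sslPath = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item -Path $sslPath -Value $cert | Out-Null
    return $cert.Thumbprint
}

function Remove-SupersededCertificates {
    # Clean-up step from the slides: keep the newest certificate and any that
    # an IIS binding still uses; remove the rest. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Subject)
    $inUse = @(Get-ChildItem IIS:\SslBindings | ForEach-Object { $_.Thumbprint })
    $certs = @(Get-SiteCertificates $Subject)
    if ($certs.Count -eq 0) { return }
    $newest = $certs[0]
    foreach ($c in $certs) {
        if ($c.Thumbprint -eq $newest.Thumbprint -or $inUse -contains $c.Thumbprint) { continue }
        if ($PSCmdlet.ShouldProcess("$($c.Subject) expiring $($c.NotAfter)", 'Remove certificate and key')) {
            Remove-Item "Cert:\LocalMachine\My\$($c.Thumbprint)" -DeleteKey
        }
    }
}

# --- server 1 ---
$pfx = 'C:\certs\test.gov.in.pfx'
$pw  = Read-Host -AsSecureString 'PFX password'
Export-SiteCertificate -Subject 'test.gov.in' -PfxPath $pfx -Password $pw
# --- server 2, after copying the PFX across ---
Install-SiteCertificate -PfxPath $pfx -Password $pw -SiteName 'Default Web Site'
Remove-Item $pfx
# --- about 10 days after the new certificate is in service (drop -WhatIf to apply) ---
Remove-SupersededCertificates -Subject 'test.gov.in' -WhatIf
```

Because the renewal runs only on the first server, the export and import have to be repeated after every renewal for the second server; check Get-SiteCertificates on both machines if a browser starts reporting an expired certificate from one of them.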
- Also remember to configure HTTP to HTTPS redirection for the website.
- After running the new certificate for around 10 days, delete the old
  certificate (if any) from the following:
  IIS -----> Server -----> Server Certificate -----> Old Certificate --> R
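HTTP to HTTPS redirection, the step mentioned above, as an added PowerShell example that is not from the presentation. It adds a URL Rewrite rule to the site's web.config (the IIS URL Rewrite module must be installed for the rule to take effect), excludes the ACME challenge path so renewals never depend on the TLS binding, and then verifies the behaviour with a request that does not follow redirects. The web root, the domain test.gov.in from the slides, the rule name and the function names are assumptions.

```powershell
# Added example, not from the presentation. Adds an HTTP-to-HTTPS redirect
# rule to the site's web.config and verifies it. Requires the IIS URL Rewrite
# module. Web root, domain, rule name and function names are assumptions.

function Add-HttpsRedirectRule {
    param([string]$WebRoot = 'C:\inetpub\wwwroot', [string]$RuleName = 'HTTP to HTTPS')
    $configPath = Join-Path $WebRoot 'web.config'
    $xml = New-Object System.Xml.XmlDocument
    if (Test-Path $configPath) {
        $xml.Load($configPath)
    } else {
        $xml.AppendChild($xml.CreateElement('configuration')) | Out-Null
    }

    # Walk (or create) configuration/system.webServer/rewrite/rules
    $rules = $xml.DocumentElement
    foreach ($name in 'system.webServer', 'rewrite', 'rules') {
        $child = $rules.SelectSingleNode($name)
        if ($null -eq $child) { $child = $rules.AppendChild($xml.CreateElement($name)) }
        $rules = $child
    }
    if ($null -ne $rules.SelectSingleNode("rule[@name='$RuleName']")) { return $false }  # already present

    $rule = $xml.CreateElement('rule')
    $rule.SetAttribute('name', $RuleName)
    $rule.SetAttribute('stopProcessing', 'true')
    $match = $rule.AppendChild($xml.CreateElement('match'))
    $match.SetAttribute('url', '(.*)')
    $conditions = $rule.AppendChild($xml.CreateElement('conditions'))
    # Only plain-HTTP requests...
    $cond = $conditions.AppendChild($xml.CreateElement('add'))
    $cond.SetAttribute('input', '{HTTPS}')
    $cond.SetAttribute('pattern', 'off')
    $cond.SetAttribute('ignoreCase', 'true')
    # ...and never the ACME challenge path, so renewals do not depend on the TLS binding
    $cond = $conditions.AppendChild($xml.CreateElement('add'))
    $cond.SetAttribute('input', '{REQUEST_URI}')
    $cond.SetAttribute('pattern', '^/\.well-known/acme-challenge/')
    $cond.SetAttribute('negate', 'true')
    $action = $rule.AppendChild($xml.CreateElement('action'))
    $action.SetAttribute('type', 'Redirect')
    $action.SetAttribute('url', 'https://{HTTP_HOST}/{R:1}')
    $action.SetAttribute('redirectType', 'Permanent')
    # Put the rule first so it runs before any existing rewrite rules
    if ($null -ne $rules.FirstChild) { $rules.InsertBefore($rule, $rules.FirstChild) | Out-Null }
    else { $rules.AppendChild($rule) | Out-Null }
    $xml.Save($configPath)
    return $true
}

function Test-HttpsRedirect {
    param([Parameter(Mandatory)][string]$Domain, [string]$Path = '/')
    # Request the plain-HTTP URL without following redirects and inspect the answer
    $request = [System.Net.HttpWebRequest]::Create("http://$Domain$Path")
    $request.AllowAutoRedirect = $false
    $request.Method = 'GET'
    try {
        $response = $request.GetResponse()
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
    } catch [System.Net.WebException] {
        # 4xx/5xx arrive as exceptions; report the status instead of a redirect
        $response = $_.Exception.Response
        if ($null -eq $response) { return "error: $($_.Exception.Message)" }
        $status = [int]$response.StatusCode; $location = $null
    }
    if ($status -eq 301 -and $location -like "https://$Domain/*") { return 'redirects' }
    return "no redirect (status $status)"
}

Add-HttpsRedirectRule -WebRoot 'C:\inetpub\wwwroot' | Out-Null
Test-HttpsRedirect -Domain 'test.gov.in' -Path '/'                              # expected: redirects
Test-HttpsRedirect -Domain 'test.gov.in' -Path '/.well-known/acme-challenge/x'  # expected: no redirect
```

Running the second check after every change to the site's web.config is the quickest way to notice that a later rewrite rule or a <clear /> has silently broken the renewal path.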
- The idea of free and open source SSL certificates is certainly coming at the
  right time, as we are looking at a big push from big Internet players to try
  and enforce SSL on every Internet connection.
- Most Google APIs that you can integrate with your website today, like maps,
  geolocation, translate, graphs and so on, must all originate from secure
  endpoints of your source site in order to work.
SSL/TLS is no longer an option but a necessity for any website,
large or small. And now, with new tools and free certificates
available from Let’s Encrypt, there’s no longer any excuse for not
using encrypted HTTP. Anything public should just run on HTTPS.
Setting up a new certificate, even on Windows and IIS can now
literally be done in a few minutes.
It's not just about free certificates either – the fact that the
certificate generation can be completely automated is also
appealing especially with those that have large numbers of
sites and certificates.
Thank You
E-Mail – pradeep.saxena@nic.in

Mobile – 9415024294, 9415630965
