SSL certificates play an important role in securing your site and the data exchange between the server and the user. In this tutorial, you will learn how to generate a Let’s Encrypt SSL certificate on Windows Server 2016 using the IIS web server.
- Cloud VPS or Dedicated Server with Windows Server 2016 installed.
- Log in as an administrative user via Remote Desktop Protocol.
- A domain name pointed to your server. In this tutorial, we will use s30239.hosted-by-snel.com. Replace all occurrences of s30239.hosted-by-snel.com with your actual domain name.
- IE Enhanced Security Configuration should be turned off since you will need to download files from the server.
Step 1: Install IIS (Internet Information Services) Server
You can install IIS from the Server Manager. Launch Server Manager from the Start Menu and click the Add roles and features link on the main screen. Follow these steps on each screen of the wizard to install IIS.
- Before You Begin – This page just explains what the Add roles and features wizard does. You can check the Skip this page by default option so that you don’t get to see this page again.
- Installation Type – Choose Role-based or feature-based installation and click Next.
- Server Selection – Select your server listed in the Server pool under the option Select a server from the server pool.
- Server Roles – Scroll down the list of roles to find Web Server (IIS) and checkmark it. When prompted for the required features, just click on the Add Features button without making any changes. Click the Next button when finished.
- Features – Don’t choose anything and click Next to proceed to the next screen as we don’t want to install anything here.
- Web Server Role – Click Next to go to the Role Services screen. Here you can add additional features to your IIS installation. Scroll down to select the FTP Server feature should you need it. In case you need any additional features, select them. Click Next when finished.
- Confirmation – Review the changes and click the Install button to start the installation.
Once the installation finishes, you can use a web browser to access your website. You should see the default IIS welcome page.
Step 2: Create a Website
Before installing the certificate, we will need a website. For this, we will create a simple demo site. Open the directory C:\inetpub\wwwroot and create a folder named s30239.hosted-by-snel.com. Launch Notepad and paste the following code into it.

```html
<!DOCTYPE html>
<html>
  <head>
    <title>Demo Snel Site</title>
  </head>
  <body>
    <h1> Hello World </h1>
  </body>
</html>
```
Save the file in the folder we just created and name it index.html.
The next step is to add this site to the IIS server.
Step 3: Add Site to IIS
Launch IIS Manager from the Start Menu. Expand HOST –> Sites in the left pane and you will see the default website. Click on the Add Website link in the rightmost pane to add a new site.
Provide a site name with which to identify your site. Leave the Application Pool value unchanged. Select the path which we just created in Step 2 above. Enter the value of Host Name as s30239.hosted-by-snel.com and leave all other values unchanged. Click the OK button when finished to add the website.
Open your domain in a web browser and you should see our demo HTML page load.
Step 4: Download Let’s Encrypt Client
In this tutorial, we will use the win-acme client as it is open-source and actively developed. It can both generate and renew SSL certificates.
Download the latest version of the client from its GitHub releases page. Scroll down to the assets on the page and download the zip file with the name win-acme.v2.1.x.xxx.x64.trimmed.zip. For most users, the trimmed x64 release should be fine, but in case you need to use any plugins, you should get the pluggable file. In this tutorial, we will use the trimmed file.
If you have trouble using Internet Explorer, you can follow our tutorial to install Google Chrome on the Windows Server. Once downloaded, extract win-acme to a safe location.
Step 5: Generate Let’s Encrypt Certificates
To generate the certificate, simply run wacs.exe from the client’s folder. Once the application starts, follow these steps.
- Press N on the initial menu to choose the option to “Create a new certificate”.
- Next, it will ask you which website(s) should be scanned for hostnames. You will be presented with a list of sites on your IIS server. Select the number corresponding to your site. (2 in our tutorial)
- Next, it will list the site bindings (URLs) corresponding to your selection and ask you to select a binding. Since we had only 1 URL, we will choose option 3 which represents all bindings.
- It will then ask you to confirm your selection. Enter y to proceed.
- Next, it will ask you for your email address to send renewal notices. Enter your email address, then enter n and y for the next two options to agree to the terms. You can also enter y for both options, but then it tries to open the TOS (Terms of Service) in the default PDF application; if you don’t have one, this just results in a popup window that you will need to dismiss.
- That’s it. Your certificate is now ready for use. It will also create a scheduled task that will run daily to renew your certificate.
Step 6: Verify SSL
To verify that SSL is working, open https://s30239.hosted-by-snel.com in your browser; you should see the valid certificate sign in the address bar.
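The same check can be made from PowerShell on the server, which also confirms the renewal task from Step 5 exists. The script below is an added example, not part of the original tutorial or of win-acme: it connects to the site over TLS 1.2, reports the issuer, expiry date and validation result of the certificate IIS serves, and then lists the renewal task. The function name, the 30-day warning threshold and the `win-acme*` task-name pattern are assumptions.

```powershell
# Added example, not from the original tutorial. Run in an elevated PowerShell session.
$HostName = 's30239.hosted-by-snel.com'   # the tutorial's demo domain; replace with yours

function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $state = @{ Errors = $null }
    # Record the validation result instead of aborting the handshake,
    # so that an untrusted or mismatched certificate can still be inspected.
    $onValidate = {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$onValidate

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $callback)
        # $HostName is sent as SNI and is the name the certificate is checked against.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            PolicyErrors = $state.Errors      # None, or name mismatch / chain errors
            Trusted      = $state.Errors -eq [System.Net.Security.SslPolicyErrors]::None
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$served = Get-ServedCertificate -HostName $HostName
$served | Format-List
if (-not $served.Trusted)    { Write-Warning "Validation failed: $($served.PolicyErrors)" }
if ($served.DaysLeft -lt 30) { Write-Warning "Expires in $($served.DaysLeft) days; check renewal." }

# Assumption: the renewal task that wacs.exe registers has a name starting with 'win-acme'.
$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like 'win-acme*' })
if ($tasks.Count -eq 0) { Write-Warning 'No win-acme renewal task found.' } else {
    $tasks | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}
```

A `PolicyErrors` value of `RemoteCertificateNameMismatch` usually means IIS answered with a certificate bound to a different site, so check the https binding's host name.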
That’s all for this tutorial. We covered how to install the IIS server, set up a basic website and install SSL for your site using the Let’s Encrypt service.