An SSL certificate helps protect your web application server by securing data exchange. This guide explains how to install a Let's Encrypt SSL certificate on Windows Server 2019 with the Internet Information Services (IIS) web server.
Test your IIS installation by visiting your public server IP address.
http://192.0.2.123
The default IIS welcome web page should display.
C:\inetpub\example.com.
notepad in the text field.
Add the following HTML contents to the new Notepad file.
<html>
    <head>
        <title>Hello World</title>
    </head>
    <body>
        <h1>Hello World!</h1>
    </body>
</html>
Save the file as index.html in your domain files directory. For example: C:\inetpub\example.com\index.html
Expand Sites, and click Add Website on the right Actions bar.
Enter your Web Application name in the Site Name: field.
... to browse and set the Physical path: to your domain web files directory.
http as the Type under Binding, and 80 as the port.
Visit your domain to confirm successful integration.
http://example.com
The hello world HTML application should display.
You can install a certificate with either Certbot or the Win-acme client. Please review both sections below before choosing an installation method.
Enter the following command to request a free Let's Encrypt SSL certificate. Replace example.com with your actual domain.
PS> certbot certonly --webroot -d example.com -m admin@example.com --agree-tos
Enter the path to your domain files directory created earlier. For example, C:\inetpub\example.com.
Certbot stores your SSL certificate in the installation directory's live folder and automatically renews it before the certificate expiry date. Certbot generates and saves SSL certificates as .pem files. However, the IIS certificate store requires the .pfx format. Convert your Certbot certificates using OpenSSL and bind them to your domain, as explained in the following steps.
Download the latest OpenSSL installation file from an official download link.
Open Windows PowerShell and switch to the OpenSSL program directory. For example, if installed in program files, run the following command.
PS> cd "C:\Program Files\OpenSSL-Win64\bin"
Enter the following command to convert your Certbot certificates to the .pfx format.
PS> .\openssl.exe pkcs12 -export -out C:\Certbot\live\example.com\certificate.pfx -inkey C:\Certbot\live\example.com\privkey.pem -in C:\Certbot\live\example.com\fullchain.pem
Enter a strong password to secure your certificate file.
Double-click to open Server Certificates.
Click Import from the right Actions navigation bar.
.pfx certificate file, or click ... to browse the directory.
https from the drop-down options.
443 as the Port:, and enter your domain in the Hostname: field.
Select your imported certificate from the SSL Certificate: drop-down list.
Click OK to save changes and close the Site Bindings window.
You have successfully installed your SSL certificate. Visit the domain in a web browser to confirm that access is secure. For example, navigate to https://example.com and verify the certificate is correct.
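Certbot renews only the .pem files, so the .pfx copy that IIS serves has to be rebuilt and rebound after each renewal. The following PowerShell script is an added example, not part of the original guide; the IIS site name and the PFX_PASSWORD environment variable are assumptions, and the paths are the ones used above. Run it from an elevated session.

```powershell
# Added example: rebuild the .pfx from renewed Certbot files and rebind it in IIS.
# Assumptions: the IIS site name and the PFX_PASSWORD environment variable.
param(
    [string]$SiteName = 'example.com',                 # assumed IIS site name
    [string]$LiveDir  = 'C:\Certbot\live\example.com', # Certbot live folder from the guide
    [string]$OpenSsl  = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

if (-not $env:PFX_PASSWORD) { throw 'Set the PFX_PASSWORD environment variable first.' }
$pfx = Join-Path $LiveDir 'certificate.pfx'

try {
    # 1. Convert the current PEM files. openssl reads the export password from
    #    the environment, so it never appears on the command line.
    & $OpenSsl pkcs12 -export -out $pfx `
        -inkey (Join-Path $LiveDir 'privkey.pem') `
        -in (Join-Path $LiveDir 'fullchain.pem') `
        -passout env:PFX_PASSWORD
    if ($LASTEXITCODE -ne 0) { throw "openssl exited with code $LASTEXITCODE" }

    # 2. Import into the local machine store that IIS reads.
    $secure = ConvertTo-SecureString $env:PFX_PASSWORD -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath $pfx -Password $secure `
        -CertStoreLocation Cert:\LocalMachine\My |
        Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $cert) { throw 'No certificate with a private key was imported.' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
}
finally {
    # The .pfx holds the private key; do not leave it on disk after the import.
    if (Test-Path $pfx) { Remove-Item $pfx -Force }
}

# 3. Rebind only when the site is not already serving this certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "Site '$SiteName' has no https binding." }
if ($binding.certificateHash -ne $cert.Thumbprint) {
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Output "Bound certificate $($cert.Thumbprint), valid until $($cert.NotAfter)."
} else {
    Write-Output 'Binding already uses the current certificate.'
}
```

The script is safe to run repeatedly, for example from a scheduled task, because it leaves the binding alone when the thumbprint has not changed.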
This method is easier for most users.
Win-Acme is another Let's Encrypt client that is easier to use and installs SSL certificates directly to the IIS certificate store. Download the latest win-acme version from the official website and follow the steps below.
wacs.exe application.
`y` to continue with your selection, `y` to open with the default web server application, `y` to agree to the Let's Encrypt terms.
Visit your domain name to confirm HTTPS access.
https://example.com
Click Add Rules on the right Actions bar.
Under Inbound Rules, select Blank rule and click OK.
Matches the Pattern, Regular Expressions as the Requested URL: and Using: options.
(.*) in the Pattern: field and uncheck Ignore case.
{HTTPS} in the Condition Input: field, and keep Matches the Pattern unchanged.
^OFF$ in the Pattern: field.
Redirect.
https://{HTTP_HOST}{REQUEST_URI} in the Redirect URL field.
Permanent (301).
Visit your domain name to test the redirection.
http://example.com
Your browser should automatically redirect you to the HTTPS version.
If your redirect does not work, open your domain web files directory and confirm that a web.config file exists. If it's missing, create one using Notepad and add the following configuration.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS" patternSyntax="ECMAScript" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
Save the file and test your domain redirection in a web browser.
You have successfully installed a Let's Encrypt SSL Certificate on your Windows Server with the Internet Information Services (IIS) web server.