How to Install a Let’s Encrypt SSL/TLS Certificate on Windows Server 2019 with Internet Information Services (IIS)

Updated on July 6, 2022

An SSL/TLS certificate helps protect your web application server by securing the data it exchanges with clients. This guide explains how to install a Let's Encrypt SSL certificate on Windows Server 2019 with the Internet Information Services (IIS) web server.

Prerequisites

1. Install IIS

  1. From the Windows start menu, open Server Manager.

  2. Click Add roles and features.

  3. Select Role-based or feature-based installation, and choose your server.

  4. Scroll through Server Roles and click Web Server (IIS).

  5. Add any additional IIS features you wish to install.

  6. Click Install to start the installation process.

  7. Test your IIS installation by visiting your public server IP address.

      http://192.0.2.123

    The default IIS welcome web page should display.

2. Create the Web Application

  1. Using Windows Explorer, create a new folder in the default IIS web server directory to store your domain's web files. For example, you could create a folder named C:\inetpub\example.com.

  2. Press Control + R on your keyboard to open the run utility, and enter notepad in the text field.

  3. Add the following HTML contents to the new Notepad file.

     <html>
       <head>
         <title>Hello World</title>
       </head>
         <body>
           <h1>Hello World!</h1>
         </body>
     </html>

  4. Save the file as index.html in your domain files directory. For example: C:\inetpub\example.com\index.html

3. Set Up the IIS Site with your Domain Name

  1. Open the Windows start menu and navigate to the Windows Administrative Tools subgroup.

  2. Select Internet Information Services (IIS) Manager from the list.

  3. In the IIS Manager Window, click > next to your server name to expand the list.

  4. Expand Sites, and click Add Website on the right Actions bar.

  5. Enter your Web Application name in the Site Name: field.

  6. Under Content Directory, click ... to browse and set the Physical path: to your domain web files directory.

  7. Keep http as the Type under Binding, and 80 as the port.

  8. To assign your domain a specific IP address, select it from the drop-down list, or keep All Unassigned to use all Server IP addresses.

  9. Enter your domain name in the Hostname: field.

  10. Click OK to save changes and automatically start the website.

  11. Visit your domain to confirm successful integration.

     http://example.com

    The hello world HTML application should display.

4. Request and Install a Certificate

You can install a certificate with either Certbot or the Win-acme client. Please review both sections below before choosing an installation method.

Option 1: Install with Certbot

  1. Download the latest Certbot installer for Windows from the official website.

  2. Open the installer, and follow the installation wizard steps.

  3. Open the Windows Start Menu and launch Windows PowerShell as an Administrator.

  4. Enter the following command to request a free Let's Encrypt SSL certificate. Replace example.com with your actual domain.

     PS> certbot certonly -d example.com -m admin@example.com --agree-tos --webroot

    When prompted, enter the path to your domain files directory created earlier. For example, C:\inetpub\example.com.

    Certbot stores your SSL certificate in the installation directory's live folder and automatically renews it before the certificate expiry date. Certbot generates and saves SSL certificates as .pem files. However, the IIS certificate store requires the .pfx format. Convert your Certbot certificates using OpenSSL and bind them to your domain, as explained in the following steps.

  5. Download the latest OpenSSL installation file from an official download link.

  6. Run the installer and follow the wizard steps to install OpenSSL.

  7. Open Windows PowerShell and switch to the OpenSSL program directory. For example, if installed in program files, run the following command.

     PS> cd "C:\Program Files\OpenSSL-Win64\bin"

  8. Enter the following command to convert your Certbot certificates to the .pfx format.

     PS> .\openssl.exe pkcs12 -export -out C:\Certbot\live\example.com\certificate.pfx -inkey C:\Certbot\live\example.com\privkey.pem -in C:\Certbot\live\example.com\fullchain.pem

  9. When prompted, enter a strong password to secure your certificate file.

  10. Open the IIS Manager.

  11. Navigate to your Windows server hostname under the Connections navigation bar.

  12. Double click to open Server Certificates.

  13. Click Import from the right Actions navigation bar.

  14. Enter the path to your .pfx certificate file, or click ... to browse the directory.

  15. Enter the certificate file password created earlier.

  16. Click OK to import your SSL certificate file.

  17. Navigate to your domain under the Sites subgroup on the left navigation bar.

  18. Find and click Bindings under Edit Site on the right navigation bar.

  19. In the open Site Bindings window, click Add.

  20. Toggle Type: and select https from the drop-down options.

  21. Keep 443 as the Port:, and enter your domain in the Hostname: field.

  22. Check and activate Require Server Name Indication.

  23. Select your imported certificate from the SSL Certificate: drop-down list.

  24. Click OK to save changes and close the Site Bindings window.

You have successfully installed your SSL certificate. Visit the domain in a web browser to confirm that access is secure. For example, navigate to https://example.com and verify the certificate is correct.
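Steps 7 through 24 can also be scripted. The following PowerShell is an added example, not part of the original guide or of Certbot. It assumes the paths used above, an IIS site named example.com (hypothetical, use your own site name), and that the host name has no https binding with a certificate yet.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted PFX export, import and SNI binding (first install).
Import-Module WebAdministration

$Domain   = 'example.com'                 # host name used in this guide
$SiteName = 'example.com'                 # assumption: your IIS site name
$Live     = "C:\Certbot\live\$Domain"     # Certbot live folder from step 8
$OpenSsl  = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
$Pfx      = Join-Path $Live 'certificate.pfx'

# Read the PFX password without echo and hand it to OpenSSL through an
# environment variable, so it never appears in the process command line.
$Secure = Read-Host -AsSecureString 'PFX password'
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $Secure).Password
try {
    & $OpenSsl pkcs12 -export -out $Pfx `
        -inkey (Join-Path $Live 'privkey.pem') `
        -in (Join-Path $Live 'fullchain.pem') `
        -passout env:PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl exited with code $LASTEXITCODE" }
}
finally {
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
}

# Import into the local machine Personal store. Import-PfxCertificate marks
# the private key non-exportable unless -Exportable is passed.
$Cert = Import-PfxCertificate -FilePath $Pfx -Password $Secure `
    -CertStoreLocation Cert:\LocalMachine\My

# Create the https binding with Require Server Name Indication (SslFlags 1).
$Match = @{ Name = $SiteName; Protocol = 'https'; Port = 443; HostHeader = $Domain }
if (-not (Get-WebBinding @Match)) {
    New-WebBinding @Match -SslFlags 1
}
(Get-WebBinding @Match).AddSslCertificate($Cert.Thumbprint, 'My')

# The PFX contains the private key; delete it once it is in the store.
Remove-Item $Pfx
"Bound $($Cert.Subject), expires $($Cert.NotAfter)"
```

This covers the first installation. A Certbot renewal replaces only the .pem files, so IIS keeps serving the imported certificate until the export and import are repeated and the binding is pointed at the new thumbprint.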

Option 2: Install with Win-acme Client

This method is easier for most users.

Win-Acme is another Let's Encrypt client that is easier to use and installs SSL certificates directly to the IIS certificate store. Download the latest win-acme version from the official website and follow the steps below.

  1. Extract files from the downloaded win-acme zip archive.

  2. Navigate to the extracted folder and open the wacs.exe application.

  3. Click More info in the Windows Defender SmartScreen pop-up window, and Run anyway.

  4. In the open command prompt console, enter N to create a new SSL certificate with default options.

  5. Select your target IIS domain to install the SSL certificate on.

  6. Enter A to use all bindings of the IIS domain.

  7. Enter y to continue with your selection, y to open with the default web server application, and y to agree to the Let's Encrypt terms.

  8. Enter your email address to receive important certificate notifications.

  9. Your SSL Certificate is automatically stored in the IIS certificate store and registered for your domain name.

  10. Visit your domain name to confirm HTTPS access.

     https://example.com

5. Redirect HTTP Requests to HTTPS

  1. Download the IIS URL Rewrite module from the official website.

  2. Open the installer file and install URL Rewrite from the Web Platform Installer.

  3. Re-open the IIS Manager window, click your server, and confirm that the URL Rewrite module is available.

  4. Expand your server and navigate to your target domain name under Sites.

  5. Double click and open URL Rewrite.

  6. Click Add Rules on the right Actions bar.

  7. Under Inbound Rules, select Blank rule and click OK.

  8. Assign your new rule a name. Keep Matches the Pattern, Regular Expressions as the Requested URL: and Using: options.

  9. Enter (.*) in the Pattern: field and uncheck Ignore case.

  10. Expand Conditions, and click Add to set up a new condition.

  11. Enter {HTTPS} in the Condition Input: field, and keep Matches the Pattern unchanged.

  12. Enter ^OFF$ in the Pattern: field.

  13. Click OK to save the new condition.

  14. Scroll down to Action and set the Action Type: to Redirect.

  15. Enter https://{HTTP_HOST}{REQUEST_URI} in the Redirect URL field.

  16. Uncheck Append query string and set the Redirect type to Permanent (301).

  17. Click Apply in the right Actions navigation bar.

  18. Visit your domain name to test the redirection.

     http://example.com

    Your browser should automatically redirect you to the HTTPS version.

    If the redirect does not work, open your domain web files directory and confirm that a web.config file exists. If it is missing, create one using Notepad and add the following configuration.

      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
         <system.webServer>
            <rewrite>
               <rules>
                   <rule name="HTTP to HTTPS" patternSyntax="ECMAScript" stopProcessing="true">
                       <match url="(.*)" />
                       <conditions>
                           <add input="{HTTPS}" pattern="^OFF$" />
                       </conditions>
                       <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
                   </rule>
               </rules>
            </rewrite>
         </system.webServer>
      </configuration>

    Save the file and test your domain redirection in a web browser.
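To confirm the result of sections 4 and 5 from PowerShell instead of a browser, the following added example (not part of the original guide) requests a constructed test URL over HTTP without following the redirect, then opens a TLS connection and reads the certificate IIS serves. The function names and the test path are assumptions made for illustration.

```powershell
# Added example: check the redirect rule and the certificate IIS serves.
$Domain = 'example.com'                  # replace with your domain
$Path   = '/index.html?check=1'          # constructed test path with a query string

function Get-RedirectInfo([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false      # inspect the 301 itself, do not follow it
    $resp = $req.GetResponse()
    try {
        [pscustomobject]@{
            Status   = [int]$resp.StatusCode
            Location = $resp.Headers['Location']
        }
    }
    finally { $resp.Close() }
}

function Get-ServedCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # No validation callback is supplied, so default chain and name
        # validation applies and an untrusted certificate fails the handshake.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # sends $HostName as SNI
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

$r = Get-RedirectInfo "http://$Domain$Path"
$c = Get-ServedCertificate $Domain
[pscustomobject]@{
    Status     = $r.Status
    Location   = $r.Location
    # {REQUEST_URI} already carries the query string, so the target must match
    # exactly; a duplicated query string points at Append query string being
    # left enabled on the rule.
    RedirectOk = ($r.Status -eq 301 -and $r.Location -eq "https://$Domain$Path")
    Issuer     = $c.Issuer
    NotAfter   = $c.NotAfter
    DaysLeft   = [int]($c.NotAfter - (Get-Date)).TotalDays
}
```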

Next Steps

You have successfully installed a Let's Encrypt SSL Certificate on your Windows Server with the Internet Information Services (IIS) web server.