Let’s Encrypt on Microsoft IIS

How to install a Let’s Encrypt SSL cert on Microsoft IIS

If you’ve ever wondered how to install a Let’s Encrypt certificate on a Microsoft IIS server, then this post is just for you.

Let’s Encrypt has always been pretty easy to set up on a Linux box, and not so much on the Windows side. Thankfully, there are now nearly a dozen different tools that make adding a Let’s Encrypt SSL certificate to a Microsoft IIS server just as easy.

In this post we’ll focus on the Windows ACME Simple (WACS) tool, mostly because it’s so easy to use. How easy? Let’s take a look!

Install Let’s Encrypt on Microsoft IIS webserver

  1. Download the latest Windows ACME Simple (WACS) ZIP file from the GitHub releases page, https://github.com/PKISharp/win-acme/releases.
    At the time of writing this post, it is win-acme.v2.0.3.206.zip
  2. Next, extract the ZIP file to a folder of your choice. In this example I’m placing it in my C:\inetpub\letsencrypt folder.
  3. Right click on wacs.exe and select Run as Administrator to start the Windows ACME Simple wizard.
  4. Select N to create a new certificate.
  5. Next you’ll be prompted for what kind of cert to create. Select 1 for a single binding of an IIS site.
  6. Now select which site binding to configure. Since we only have one site on this IIS server there is only one option. Select 1.
  7. Enter an email address to be used for notifications about any potential issues.
  8. Finally, agree to the Terms of Service, and the Windows ACME Simple program takes care of the rest.

That’s it for installing a Let’s Encrypt SSL cert on IIS.

In the background Windows ACME Simple will configure your IIS site to use the newly received Let’s Encrypt certificate. You can verify this by looking at the site binding details.

In addition, Windows ACME Simple adds a task to the Windows Task Scheduler which will automatically renew the Let’s Encrypt certificate for you!

How to redirect HTTP to HTTPS in IIS

Now that you have a Let’s Encrypt SSL certificate added to your Microsoft IIS site, you will most likely want to redirect all non-secure (HTTP) traffic to HTTPS.

To do so, you will need to download and install the IIS Rewrite Module from here, https://www.iis.net/downloads/microsoft/url-rewrite.

Once that is completed, follow the steps below.

  1. Open IIS Manager, select the website on the left and open URL Rewrite.
  2. Click on Add Rule, then select Blank rule.
  3. Next, give the new rule a name. Under Match URL, change Requested URL to “Matches the Pattern” and Using to “Regular Expressions”, and for the Pattern type in (.*)
  4. Expand the Conditions block, change the Logical Grouping drop-down to Match All and click on Add.
  5. In the Add Condition prompt, type {HTTPS} for the Condition input. For Check if input string, select Matches the Pattern. For Pattern, enter ^OFF$
  6. Now expand the Action block and select Redirect for the Action Type. For the Redirect URL enter https://{HTTP_HOST}/{R:1} and for the Redirect type select Permanent (301).
  7. Finally, click Apply.

I’ve been a big fan and donor of Let’s Encrypt for a long while now. Let’s Encrypt certs are automated, offer short lifetimes (90 days) and are completely FREE! What’s not to like about them?

If you’ve found this post helpful please consider donating to Let’s Encrypt!

28 Comments

    1. Great concise notes.
      I am struggling to find instructions (searching the web) to apply these certificates to an RDS Broker / Gateway / Host residing on separate boxes.
      Most instructions assume a simple single box setup.
      Any thoughts or directions?

    1. It’s the second one listed under Windows / IIS titled “win-acme (.NET)” or you can use the direct link I provided in the instructions above.

      -Michael

    1. You most certainly can. In step 5, instead of selecting 1 for a single site, you will want to select number 3 “SAN cert for all bindings of multiple IIS sites” and then select “S” to generate a wildcard for all available sites.

      -Michael

      1. Awesome thank you very much and hope it has the task for auto renew too? Thank you

    1. Alexandre,

      Windows ACME Simple creates a Windows Task to automatically update the certificate for you. However, if you want to manually renew a certificate you can do that as well. Just re-run the .EXE program and select one of the options as shown in Step 4 (R,S,A).

      -Michael

      1. What is the proper procedure to remove a certificate? Using the Revoke option of wacs? I want to change the primary name of the website. Or could I just install a new certificate and then choose the preferred primary name?

  1. Quick question: if you have a redirect for HTTP to HTTPS, will that not also cover the ACME verification as well?

  2. Thanks Mike, great article. Got cert installation sorted for 2 domains in less than 30 minutes for free using LetsEncrypt!