How To Create or Renew WildCard SSL Certificate Using Certbot in IIS Server

Barry Fung
3 min read · Jan 12, 2021

Prerequisites:
Windows Server with IIS installed
Certbot installed
OpenSSL installed

Once you have all the required applications installed, we can start the SSL certificate creation/renewal process.

Step 1:
Open a command prompt or PowerShell console. Then run the certbot command below, replacing "<your-domain>" with the domain name for which you want to create or renew the SSL certificate.

certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.<your-domain>" -d <your-domain>

Step 2:
After entering the certbot command above, it will prompt you to deploy a DNS TXT record for your domain. You have to do this through the DNS service provider you use, for example Cloudflare: create a TXT record with the name "_acme-challenge" and set its content to the value shown in the console. Once the DNS TXT record is in place, press Enter to continue.

Deploy DNS TXT record prompt in console
Sample DNS TXT record in Cloudflare

Step 3:
Repeat Step 2 for the second verification, but make sure you do not remove the first DNS TXT record: the wildcard name and the bare domain are both validated against the same "_acme-challenge" record name, so both TXT values must be present at the same time.

Deploy DNS TXT record second prompt in console

Once you have completed Step 3, you have successfully created or renewed the SSL certificate for your wildcard domain.

But in order to use the certificate in the IIS server, you'll need to convert the certificate generated by Certbot into a ".pfx" file using OpenSSL.

Step 4:
Now go ahead and use the command below to generate the pfx file.

openssl pkcs12 -inkey "C:\privkey.pem" -in "C:\cert.pem" -export -out "C:\certificate.pfx"

Change the file paths of "privkey.pem" and "cert.pem" to match your Certbot file path. For example, if Certbot is installed on drive C:, the files will be under C:\Certbot\live\[your-domain-name]\

-export -out "C:\certificate.pfx"

This is the file path where your generated pfx file will be written.

When you run the OpenSSL command, you will be prompted to enter an "Export Password". This is the password you will need when importing the pfx file into IIS. You may set any password you want.

Password prompt for OpenSSL command

Step 5:
Go to IIS Manager and select "Server Certificates".

IIS Manager — Server Certificates

Step 6:
Then select "Import" in the Actions pane in the right-hand column.

Import action inside Server Certificates

Step 7:
Select the pfx file generated with OpenSSL in the "Certificate file" field and enter the password you set in Step 4. For "Certificate Store", either Personal or Web Hosting will do. To learn more about the difference between the two certificate stores, check out the Stack Overflow post here.

After importing the certificate, head over to your application site in IIS, edit its bindings to use the new certificate, and you'll have a secure site served over https!
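The same procedure from Step 4 onward, plus a DNS check you can run before pressing Enter in Steps 2 and 3, as an added PowerShell example that is not part of the original post. It assumes Certbot's default live directory, openssl on PATH, and the WebAdministration and PKI modules on the IIS server; the domain and site name are placeholders, and it uses fullchain.pem instead of cert.pem so the intermediate certificate is included in the PFX and IIS serves the complete chain.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the IIS server.
param(
    [string]$Domain   = "example.com",        # assumption: replace with your domain
    [string]$SiteName = "Default Web Site",   # assumption: the IIS site to bind
    [string]$LiveDir  = "C:\Certbot\live\$Domain",
    [string]$PfxPath  = "C:\certificate.pfx"
)

# Steps 2-3 check: list the _acme-challenge TXT values currently visible in DNS.
# Both the wildcard and the bare domain validate against this one record name, so
# after Step 3 two values should be listed; compare them with what Certbot showed.
function Get-AcmeChallengeTxt {
    param([string]$Domain)
    $txt = Resolve-DnsName -Name "_acme-challenge.$Domain" -Type TXT -ErrorAction SilentlyContinue
    if (-not $txt) { Write-Warning "No _acme-challenge TXT record published yet"; return @() }
    return $txt.Strings
}
Get-AcmeChallengeTxt -Domain $Domain | ForEach-Object { "published challenge value: $_" }

# Step 4: build the PFX. fullchain.pem = leaf + intermediate; -passout replaces the prompt.
$pfxPassword = Read-Host -AsSecureString -Prompt "Export password for $PfxPath"
$plain = [System.Net.NetworkCredential]::new("", $pfxPassword).Password
& openssl pkcs12 -export `
    -inkey "$LiveDir\privkey.pem" `
    -in    "$LiveDir\fullchain.pem" `
    -out   $PfxPath `
    -passout "pass:$plain"
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed" }

# Steps 5-7: import into the Web Hosting store instead of clicking through IIS Manager.
Import-Module WebAdministration
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\WebHosting -Password $pfxPassword

# Edit the bindings: ensure an SNI https binding exists and attach the new certificate
# (replacing the previous one, which is what a renewal needs).
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $Domain
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Domain -SslFlags 1
}
$sslPath = "IIS:\SslBindings\!443!$Domain"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert -SSLFlags 1 | Out-Null

# The key now lives in the certificate store; do not leave a second copy on disk.
Remove-Item $PfxPath -Force
"Bound certificate $($cert.Thumbprint) to '$SiteName' for $Domain"
```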

Thank you for reading!
