Using LetsEncrypt with IIS via WinAcme

Finally, the web is really moving to using HTTPS (thank you Google/Chrome!) This change is long overdue, and it will be good to finally be able to eliminate the vulnerability of HTTP.

But“, cry some customers, “I don’t wanna pay for certificates!“.

Bought TLS certificates, well, cost money, and often non-technical customers don’t see any value in them. All they see is cost. If only there were a free alternative.

Good news! LetsEncrypt freely offer free DV certificates for free. That is, in fact, their raison d’être. Bad news – they only last 90 days. Bugger. Our support team won’t dreadfully want to have to renew lots of certs every 90 days. If only this could be automated… Wait, it can be!

One of my colleagues mentioned using WinAcme to get/renew certificates with LetsEncrypt, so I thought I’d give it a go. How hard can it be? Continue reading “Using LetsEncrypt with IIS via WinAcme”

Advertisements
Using LetsEncrypt with IIS via WinAcme

Create a self-signed certificate for development

This is a bit of an aide-memoire, based on https://blogs.msdn.microsoft.com/benjaminperkins/2017/11/15/how-to-create-a-self-signed-san-certificate-wildcard-certificate-vs-san/

The short form is, you can do this in PowerShell:

  • Open Powershell, running as administrator.
  • Run:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "example.local" -FriendlyName "example.local" -NotAfter $([datetime]::now.AddYears(5))

  • Go to “Manager Computer Certificate” or run CERTMGR. You should see your certificate

Next, we want to trust this certificate. We’ll need to export it.

  • To export the certificate file you just created as a .PFX file, right click on the certificate, All Tasks -> Export…
  • When the Export menu item is selected, an export wizard is run. On the first window read through the information and click the next button.
  • In the next window, select the radio button “Yes, export the private key” and then click the next button.
  • Select Export Extended Properties, and click next
  • Set a password for the .PFX file you want to create#
  • Choose a path and export the .pfx file

Now import it into the “Trusted Root Certification Authorities” that you can see in Certificate Manager

  • Expand Trusted Root Certification Authorities –> right-click Certificates –> All Tasks –> Import.
  • Select the file you just exported. Note that you may need to change the file type to Personal Information Exchange.
  • Click Next, Fill in your file’s password, and complete the import.

That should be it completed.

Edit:

An alternative to export the cert:

Copy the Thumbprint of the cert in your Powershell window.

$pwd = ConvertTo-SecureString -String "" -Face -AsPlainText
Export-PfxCertificate -cert cert:\localMachine\my\#Thumbprint# -FilePath #FilePath# -Password $pwd

Create a self-signed certificate for development

Configuring SSL/TLs made easy

I’ll admit, I find the configuration of SSL and TLS something of a mystery – I like to leave that stuff to the admin guys and get on with the coding. It’s something of a black art, and there seem to be so many obscurely named vulnerabilities that it’s a bit difficult to handle without being a specialist. (Heartbleed? Bar Mitzvah? Lucky 13? Poodle? I mean, seriously, POODLE?)

However, I was recently given a PowerShell script and told to ‘fix these servers’ – and it was very easy. Continue reading “Configuring SSL/TLs made easy”

Configuring SSL/TLs made easy

Enable SSL for sending emails on Sitecore

I was asked to use a GMail server to send emails from Sitecore with. This is actually a pretty reasonable request – but GMail only supports connections over TLS or SSL. Configuring Web Forms for Marketers to use this was proving … interesting, until I found this excellent article by Mark CassidyContinue reading “Enable SSL for sending emails on Sitecore”

Enable SSL for sending emails on Sitecore