Setup HTTPS with SSL/TLS certificates in IIS using WinAcme
A follow-up to my previous article on Hosting websites using IIS: here we'll set up HTTPS for the website using WinAcme.
Introduction
This is a follow-up article to my previous article on Hosting websites using IIS. In that article, I explained how to host a website in IIS over HTTP. In practice, you’ll mostly need to host your website over HTTPS. To set up HTTPS for your website, you’ll need to generate an SSL/TLS certificate for your site and link it to your website.
NOTE: You need a domain name to generate an SSL/TLS certificate. This article is intended to enable HTTPS for an already hosted HTTP website with a domain name. Hence, you must have a domain name to follow this article.
What is WinAcme?
As said earlier, to set up HTTPS, you need an SSL/TLS certificate issued by a trusted certificate authority (CA). While there are many CAs available, I prefer to use Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It provides free SSL/TLS certificates for websites and uses a protocol called ACME to ease the domain verification, certificate generation and renewal process. While Let’s Encrypt recommends using Certbot to generate SSL/TLS certificates, Certbot doesn’t come with out-of-the-box integration with IIS.
This is where I found a really great alternative in WinAcme. WinAcme is actually a simple open-source ACMEv2 client for Windows (for use with Let’s Encrypt et al.) that can handle multiple certificates at once. It is a simple command line tool that can be used to generate, install and renew SSL certificates. I found it really easy to use and get things done.
Installing WinAcme
WinAcme can be downloaded from here. It is a portable tool, which means there is no installer. You can just download it and run it straight away. Since you need to keep the tool on your server to renew the certificates, I recommend downloading it to a safe folder like C:\Program Files\win-acme.
TIP: If you are experienced enough, you can optionally add the folder to your PATH environment variable so that you can invoke the tool from anywhere in the command line.
Generating a certificate
First, ensure that you have your website running in IIS. If you don’t have one, you can follow my previous article on Hosting websites using IIS to create one. After this, ensure that your website has a host name and you have a DNS record with this host name pointing to your server’s IP address in your Domain DNS provider.
For this article, I am going to set up HTTPS for one of my HTTP-only websites, library-management-html.sathiyaraman-m.com. In my case, the site already has the host name library-management-html.sathiyaraman-m.com. I have also created a DNS record for the host name pointing to my server’s IP address in my Domain DNS Provider. You can see the website in IIS like this:
So, now I want to generate a certificate for the host name library-management-html.sathiyaraman-m.com. To generate a certificate, you need to run the wacs.exe file. Open the wacs.exe file with administrator privileges. You’ll see a command line interface like this:
To create a certificate with default settings, select the option N for Create certificate (Default Settings). Then you’ll be asked to select the site for which you want to generate the certificate. You can select the site by entering the number corresponding to the site and pressing Enter.
Then you’ll be asked to select the binding of the site for which you want to generate the certificate. You can select the binding by entering the number corresponding to the binding and pressing Enter. You can also select multiple bindings by entering the numbers separated by commas, or enter A to select all bindings. In my case, even though I have only one binding, I selected all bindings by entering A.
Then press y to confirm the selection and wait for the certificate to be generated.
Congratulations, you have now set up HTTPS with an SSL/TLS certificate for your website. This process automatically creates a new HTTPS binding for your website, linked to the newly generated certificate. Let’s now check the bindings in IIS Manager.
Now, if you open your website in a browser, you’ll see that it is served over HTTPS.
Renewing a certificate
After generating the certificate, WinAcme not only creates a new HTTPS binding but also creates a scheduled task to renew the certificate. This scheduled task runs automatically whenever the certificate is about to expire. You can also manually run the scheduled task to renew the certificate in wacs.exe. For the current certificate, the scheduled task is set to run on 2021-08-31 as you can see in the below screenshot.
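Automatic renewal is only useful if it keeps working, so it is worth checking from time to time what the HTTPS binding actually serves and whether the renewal task ran. The PowerShell script below is an added example, not part of the original article or of win-acme; the 20-day warning threshold and the `*win-acme*` task-name wildcard are assumptions, so adjust them to what you see on your server. Run it on the IIS server from an elevated prompt.

```powershell
# Added example: check the served certificate, the IIS binding and the renewal task.
# Assumptions: $WarnDays threshold and the '*win-acme*' task-name wildcard.
param(
    [string]$HostName = 'library-management-html.sathiyaraman-m.com',
    [int]$Port = 443,
    [int]$WarnDays = 20
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default validation: AuthenticateAsClient throws if the chain is
        # untrusted, expired, or the certificate does not match $HostName.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                Thumbprint = $cert.Thumbprint
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

# 1. What a client actually receives over TLS for this host name.
$served = Get-ServedCertificate -HostName $HostName -Port $Port
$served | Format-List
if ($served.DaysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $($served.DaysLeft) days; check the renewal task."
}

# 2. The HTTPS binding in IIS; certificateHash should equal the thumbprint above.
Import-Module WebAdministration
Get-WebBinding -Protocol https -HostHeader $HostName |
    Select-Object protocol, bindingInformation, certificateHash, certificateStoreName

# 3. The renewal task: last run, result code (0 means success) and next run.
Get-ScheduledTask | Where-Object TaskName -like '*win-acme*' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

If the thumbprint served over TLS differs from the binding's certificateHash, or LastTaskResult is non-zero, renewal or installation did not complete and the old certificate will eventually expire.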
WinAcme and Certbot
Although WinAcme is not the officially recommended tool by Let’s Encrypt, I prefer it to Certbot (the officially recommended tool) because Certbot generates the certificate as a .pem file, which is not directly supported by IIS. You then need another tool, OpenSSL, to convert the .pem file to a .pfx file, which IIS does support, and you have to import the certificate into IIS manually. WinAcme, on the other hand, automates all these steps and additionally manages the renewal of the certificate. It is also open-source and is actively maintained by the community, so it can be regarded as a safe and reliable tool.
Conclusion
In this article, we saw how to set up HTTPS for your website using WinAcme. We generated an SSL/TLS certificate for our website and set up a new HTTPS binding, along with a scheduled task for automatic renewal of the certificate. I hope you found this article useful. Thanks for reading.