Automated Windows Cert Import

We have our Let's Encrypt cert automatic renewal scheduled for our Linux servers. The same cert has been installed on our Windows servers and gets renewed by importing manually. We'd like to use a certbot scheduled task, or similar, to renew these certs once they get delivered from Let's Encrypt.

Is there already a utility for this?

If you're looking for full integration, I don't think certbot has all the features you're looking for on Windows yet. You probably want one of the other clients listed under "Windows / IIS":

I know Certify the Web, Posh-ACME, and win-acme are fairly popular, but I haven't used any of them myself.


If I read your question correctly, you want to continue procuring certificates on Linux and then automate deploying the Linux-obtained certificates onto Windows.

I don't believe there are any utilities that handle deployment like this.

There are many techniques and tools to facilitate this:

  1. Some servers (caddy, etc) enable automatic SSL certificate generation and can be configured to store certificates in the cloud or locally. Your Windows server would simply be a consumer from the cloud or local files.

  2. Some people store certificates onto directories that can be shared via NFS or another protocol. One machine procures certs and writes to the directory, other machines read from it. A crontab or other tool is used on the "readers" to re-read the files on a regular basis. Some people will also use a crontab to "pull" any certificates from a source on a regular basis. Some people will also store certificates on a system that can provide them to clients via an api, and have the "reader" machines sync on a regular basis.

  3. Some people write hooks for certbot renew --post-hook, which will then use ssh, rsync, or other tools to "push" the certificate onto the destination.

There are other techniques as well, those are just the ones I immediately thought of.


Yes, just convert your certificate to pfx (a PKCS#12 store), then copy it to a share on the Windows server (or one the Windows box can see), then use the Centralised Certificate Store to automatically pick it up.


Or create a Windows scheduled task which, if it finds the cert in a specific share, picks up the cert and installs it. You would then need to update any service bindings (IIS) based on the new certificate thumbprint.

I'm guessing this is a wildcard, which is why it's relevant to more than one server/service. You could alternatively just have this server fetch its own cert.
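The scheduled-task approach from the reply above, written out as an added example (not code from the thread or from any of the clients mentioned): a PowerShell script run by a scheduled task that checks a share for a PFX, imports it into the machine store only when the file has changed since the last run, and then re-points the site's IIS HTTPS bindings at the new thumbprint. The share path, password file location and IIS site name are assumed placeholders.

```powershell
# Added example: import a renewed PFX from a share and rebind IIS to the new thumbprint.
# Assumptions (placeholders): the share path, the PFX password file and the IIS site name.
#Requires -Modules PKI, WebAdministration
$PfxPath      = '\\fileserver\certs\example.pfx'       # assumed share path
$PasswordFile = 'C:\ProgramData\certimport\pfx.pwd'     # assumed; restrict with NTFS ACLs
$StateFile    = 'C:\ProgramData\certimport\last.sha256' # remembers the last imported file
$SiteName     = 'Default Web Site'                      # assumed IIS site

if (-not (Test-Path $PfxPath)) { exit 0 }   # nothing delivered yet, try again next run

# Only act when the PFX on the share actually changed since the last successful import
$hash = (Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash
if ((Test-Path $StateFile) -and ((Get-Content $StateFile -Raw).Trim() -eq $hash)) { exit 0 }

# Import into the machine personal store (Cert:\LocalMachine\My); the key is not exportable
$password = (Get-Content $PasswordFile -Raw).Trim() | ConvertTo-SecureString -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $password
if (-not $cert) { throw "Import of $PfxPath failed" }
$thumb = $cert.Thumbprint

# Re-point every HTTPS binding of the site at the new certificate
Import-Module WebAdministration
foreach ($binding in Get-WebBinding -Name $SiteName -Protocol 'https') {
    $binding.AddSslCertificate($thumb, 'my')
}

# Optional housekeeping: remove older certificates with the same subject so expired
# ones do not accumulate in the store after each renewal
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $thumb } |
    Remove-Item

# Record this file so the next scheduled run is a no-op until the share changes again
Set-Content -Path $StateFile -Value $hash
Write-Output "Installed certificate $thumb for $SiteName"
```

Run it from a scheduled task as SYSTEM or a dedicated service account with read access to the share; keep the password file readable only by that account, since it unlocks the private key.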
