Certbot and Windows IIS

I have read the Windows documentation and I am a little confused on one point. I understand that Certbot cannot install the certificate into IIS running on Windows Server 2019 but I am a little confused as to if this also means it cannot install the renewal cert as well or just the initial cert. Does Certbot renew the cert and I have to import that into IIS or is renewal completely different to installing the cert into IIS and once the first cert is in IIS I can set and forget?

My guess is that it cannot do both and that I am better off looking at a different ACME programme unless I want to manually import the cert into IIS every 60 to 90 days.

2 Likes

There are a number of tools which are optimised for Windows and IIS:

  • https://certifytheweb.com (GUI, obviously the best because I developed it!).
  • Win-Acme (command line tool)
  • Posh-ACME (PowerShell script)

The process with Certify is:

  • Check you first have a specific hostname (domain) binding on your website in IIS (like an http or https binding for www.domain.com). This makes everything else easy and you should set up as many as you need, usually domain.com and www.domain.com.
  • Open Certify, click New Certificate, select your IIS site from the dropdown, click Preview and see if it all makes sense, then click Test; if that passes OK, click Request Certificate.

It should then validate your domain using http, fetch your new certificate, then apply it to your IIS based on your existing bindings. Renewals are automatic.

You can instead use Certbot but you need your own script to automatically convert the certificate components into a PFX then store it in the certificate store and update your IIS bindings.

1 Like
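
As an added example (not part of the post above and not code from Certbot or Certify), this is one shape the "own script" for the Certbot route could take, run as a Certbot `--deploy-hook`. It assumes `openssl.exe` is on the PATH, the IISAdministration module is installed, and that `Default Web Site` is replaced with your own site name; the `PFX_PASS` variable name is made up for this sketch.

```powershell
#Requires -RunAsAdministrator
# Added example: Certbot deploy hook that installs a renewed certificate into IIS.
param(
    # Certbot sets RENEWED_LINEAGE for deploy hooks (the folder holding the PEM files).
    [string]$Lineage  = $env:RENEWED_LINEAGE,
    [string]$SiteName = 'Default Web Site'   # placeholder: your IIS site name
)
$ErrorActionPreference = 'Stop'
Import-Module IISAdministration

$pfxPath = Join-Path $env:TEMP ("{0}.pfx" -f [guid]::NewGuid())
# One-time random password: it only protects the PFX while the file is on disk.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$env:PFX_PASS = [Convert]::ToBase64String($bytes)   # hypothetical variable name
try {
    # 1. PEM -> PFX. The password is passed via env:, not argv, so it does not
    #    show up in process listings.
    & openssl pkcs12 -export -out $pfxPath `
        -in (Join-Path $Lineage 'fullchain.pem') `
        -inkey (Join-Path $Lineage 'privkey.pem') -passout env:PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl failed with exit code $LASTEXITCODE" }

    # 2. Import into the machine store. -Exportable is deliberately omitted so the
    #    private key cannot be exported from the store again.
    $secure = ConvertTo-SecureString $env:PFX_PASS -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath $pfxPath -Password $secure `
                -CertStoreLocation Cert:\LocalMachine\My |
            Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $cert) { throw 'No certificate with a private key was imported.' }

    # 3. Point every existing https binding of the site at the new certificate.
    $mgr  = Get-IISServerManager
    $site = $mgr.Sites[$SiteName]
    if (-not $site) { throw "IIS site '$SiteName' not found." }
    $https = @($site.Bindings | Where-Object Protocol -eq 'https')
    if ($https.Count -eq 0) { throw "Site '$SiteName' has no https binding to update." }
    foreach ($b in $https) {
        $flags = $b.SslFlags                 # keep SNI settings as configured
        $b.CertificateStoreName = 'My'
        $b.CertificateHash      = $cert.GetCertHash()
        $b.SslFlags             = $flags
    }
    $mgr.CommitChanges()
    Write-Output "Bound $($cert.Thumbprint) to '$SiteName' (expires $($cert.NotAfter))."
}
finally {
    # Never leave the key material or its password behind.
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
    Remove-Item Env:PFX_PASS -ErrorAction SilentlyContinue
}
```

Superseded certificates stay in `Cert:\LocalMachine\My` after each renewal, so a periodic cleanup of expired entries is worth scheduling alongside this hook.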

Hi @BWMerlin, and welcome to the LE community forum :slight_smile:

Yes; if you want a simple, completely automated process, try a more robust Windows client.

2 Likes

Thank you @webprofusion and @rg305 for your replies. I went with win-acme and things appear to be working correctly.

3 Likes
