How to apply same SSL cert into backup server

I have successfully applied Let's Encrypt SSL on our production Windows 2012 R2 x64 server.
Now I want to apply the same SSL on our backup server (Windows 2012 R2 x64), so when something happens with the production server the backup server will take over with the same SSL certificate…

please help


Are you using IIS?
How did you install the production cert?

How does this "takeover" process occur?

Yes, I use IIS 8.5.
I installed the production cert using letsencrypt-win-simple and just followed the instructions…
you can check it on
and we use Sucuri as our cloud WAF. I want to activate the backup host…

I'm confused about the Sucuri WAF implementation.
IP Address:

So the IP for your site is actually a cloud system owned and operated by Sucuri.
It sits inline and defends your systems from (bad) public access.

So where does the backup server sit? If it is also in their cloud, then they should have a solution for how to synchronize their certs (you can't be the first to ask for this.)
If the backup server is not in their cloud and is in your business data center, then it may be impractical or impossible to synchronize the exact same cert from their system to your system - as they may not want to release the private key used to generate the cert on their system (and they shouldn't have to).
That's the bad news.
The good news is that you really don't have to synchronize them.
Each system can have a separate copy of an otherwise identical cert.
The trick is getting and renewing your backup server cert - when the IP for the name doesn't point to that server.
And that can be done via DNS authenticated challenges.

You mentioned:

Does that tool allow for DNS authenticated challenges?

The backup server is on our data center, how to get identical cert for my backup server using DNS authenticated challenges?

You find an ACME client that fits your server setup (Windows/Linux/iOS)|(Apache/IIS/Nginx) etc.
And that can also do DNS authentication.
For Windows and IIS - I would recommend looking at a new PowerShell client:

Then get a cert for "" and do not worry about the other cert with same name (in production).
You can have up to 5 certs with identical domain names without creating any problem.

Hi… really new with this… how to run WAT?

It’s a Windows PowerShell script.
Maybe @lbehm can help you get started.

Hi @winanjaya. You would need to know a little bit about PowerShell.
As @rg305 mentioned, DNS-based verification would be the recommended method.
WAT is only the client software which communicates with the Let's Encrypt API and handles your certificates in the Windows Certificate Store.
It doesn't do any magic in the Challenge/Verification process. You would have to provide a script which configures the necessary DNS record. WAT will only provide you the information which DNS record is needed.

If you don't know much about PowerShell, you should really learn it! It is a great help for every Windows administrator.

Hope this helps.

This is really lack of doc!..

I read the that comes with “WAT.ps1” …

I followed the basic instruction…

PS C:\wat-master> .\wat.ps1 -ContactEmail info@primteks
You must provide a value expression on the right-hand side of the '-' operator.
At C:\wat-master\wat.ps1:596 char:26
+             $t = $t - <<<< shr 8
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

PS C:\wat-master>

Wow, you should really update your system!
You need at least Windows7/Windows 2008R2 Server and PowerShell 4
Check your PowerShell Version by executing:

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

Windows PowerShell
Copyright © 2009 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> get-host

Name             : ConsoleHost
Version          : 2.0
InstanceId       : 61bd7ebb-5fa5-4d72-ad66-72ee1960b3be
UI               : System.Management.Automation.Internal.Host.InternalHostUserI
CurrentCulture   : en-US
CurrentUICulture : en-US
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace

PS C:\Users\Administrator>

My server is Windows 2008 R2 x64


I upgraded to PowerShell 4.0… thanks!

Now… I am trying to run .\wat.ps1 -Domain

How to DNS challenge?

With the option -ChallengeType dns-01
You should add a Challenge handler script with -onChallenge {} to automate the process.
How you perform the DNS based verification process depends on you and your DNS provider. That’s the point where you have to prove that you control your Domain.
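What a dns-01 challenge handler has to publish, shown as an added PowerShell example (not part of the thread and not WAT code): the TXT record defined in RFC 8555 section 8.4, plus a check that it is visible before validation is requested. The function names, the token, the key values, the domain and the 8.8.8.8 resolver are assumptions made for illustration.

```powershell
# Added example, not WAT code. All sample values below are constructed.

function Get-Sha256Base64Url([string]$Text) {
    # SHA-256 of the UTF-8 text, encoded as unpadded base64url
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text))
        [Convert]::ToBase64String($hash).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    } finally { $sha.Dispose() }
}

function Get-JwkThumbprint([string]$E, [string]$N) {
    # RFC 7638 thumbprint of an RSA account key: required members only,
    # in lexicographic order, with no whitespace.
    Get-Sha256Base64Url ('{"e":"' + $E + '","kty":"RSA","n":"' + $N + '"}')
}

function Get-Dns01Record([string]$Domain, [string]$Token, [string]$Thumbprint) {
    # Key authorization = token "." account key thumbprint. The TXT value is
    # its digest, so it is bound to the ACME account that requested it.
    [pscustomobject]@{
        Name  = '_acme-challenge.' + $Domain
        Type  = 'TXT'
        Value = (Get-Sha256Base64Url ($Token + '.' + $Thumbprint))
    }
}

function Test-Dns01Published($Record, [string]$Resolver = '8.8.8.8') {
    # Ask a resolver outside the network whether the TXT record is visible.
    # The resolver address is an assumption; use one that suits your zone.
    $out = & nslookup.exe '-type=TXT' $Record.Name $Resolver 2>$null | Out-String
    $out -match [regex]::Escape('"' + $Record.Value + '"')
}

# Constructed sample input: exponent, modulus and token are placeholders,
# not values from a real account or order.
$thumb  = Get-JwkThumbprint -E 'AQAB' -N 'constructed-sample-modulus'
$record = Get-Dns01Record -Domain 'www.example.com' `
                          -Token 'constructed-sample-token' -Thumbprint $thumb
$record | Format-List

if (Test-Dns01Published $record) {
    'TXT record is visible; the challenge can be submitted.'
} else {
    'TXT record not visible yet; wait for propagation before validating.'
}
```

Because the record lives in DNS rather than on the web server, the backup host can complete validation while the site's A record still points at the WAF, and its private key never has to leave that machine.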
