Let's Encrypt on Non Internet Facing Internal Windows Servers

Our public site is using Let’s Encrypt for it’s web pages. I have a number of internal servers that need certificates on them. We are a Windows shop so I have several Windows servers that need certs and I have a bunch of DVR’s and other appliances that I would like to put a certificate on. I don’t know what operating system they run. I can create a certificate request but where do I go from there?

My domain is: caldwell.edu

My operating system is (include version): Windows 2008, 2012 & 2016

My web server is (include version): The versions of IIS that go with the different versions of Windows.

I can login to a root shell on my machine (yes or no, or I don’t know): I have Admin rights to all the machines

Thanks for your help.

Hi @lbd,

Are those machines publicly visible on the Internet? This is a requirement for some of the methods of obtaining certificates from Let's Encrypt. (Having the machines' names publicly visible on the Internet is a requirement for all the methods; for example, if they're something like printserver.internal as opposed to printserver.caldwell.edu, you can't get a Let's Encrypt certificate for them.)

If you look in the "Windows" section at

you'll find a list of the client applications that can run on Windows. You could potentially run these directly on your servers and obtain certificates that way.

If the servers have publicly-visible IIS web servers running, you could also use a web-based client like https://www.zerossl.com/, which walks you through the steps in your browser (instead of installing any software onto the servers themselves). At the end of the process you might have to convert the certificates you obtain from PEM to PFX format in order to import them on Windows, for which there are a number of recipes available online.

If you have a large number of different web servers you might want to consider the rate limits:

This might prevent you from obtaining a lot of separate certificates, especially if anybody else at your university is also using Let's Encrypt without coordinating with you. However, universities can commonly get an exemption from the rate limits if a responsible party requests it.

I don’t think any of the internal servers that I’m after certificates for are public facing. So that is going to mean looking for someplace else I can get certificates.

Thanks for your answer.

ZeroSSL supports the DNS challenge too, so you don’t actually need a publicly-visible IIS server to use it :slight_smile:

hi @lbd

Most public CA’s will require you to prove ownership of a domain

The challenge is two fold - what is the internal naming structure you are using for your domain (is it for example caldwell.edu or caldwell.local)

If it’s a non FQDN (from the internets point of view) then you are going to have to use self signed certificates


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.