I have been able to manually generate certificates and have them installed and working but I had to generate one for the main domain (boxstorm.com) and one for (app.boxstorm.com) and then configure them as separate server blocks in the nginx.conf file, each server with its own certificate/key entries. What I’d really like is to create a SAN cert so that we can just use one certificate. Is that doable on Windows or with the client listed below? Or is there some step after the .cer and .pfx file creation that I can use to combine certificates together into a SAN certificate? Thanks!
I ran this command: We used one of the Windows clients listed on letsencrypt’s site (https://github.com/oocx/acme.net) – just downloaded the acme.exe and used that to generate the certs.
It produced this output: The client generated two different “challenge” files, which I copied onto our webserver, in the correct “.well-known…” location. The challenge completed successfully and two .cer files and two .pfx files were generated. After the .pfx was generated I used openssl to extract the .pem and .key files–these were the files used in the nginx.conf to configure https.
My operating system is (include version): Windows server 2012, .NET framework v 4.6
My web server is (include version): nginx 1.4.7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Combining the certificates after the fact is not possible. The certificates are digitally signed, and changing them in any way would invalidate that signature.
We’ve already published a video about the first client (you can check it out here), and you can use the client to request SAN certs as well. The client is easy to use, but when creating SAN certs, you need to use manual mode and installing the certificate is a bit tricky. Step 3 in the video will demonstrate this process.
Personally, I prefer the ACME POSH module when requesting and installing multiple domain (SAN) certificates; as a matter of fact, it is based as well on the ACME Sharp library written by Eugene Becker - the author of ACME Sharp POSH. It allows you to fully automate the process, and we demonstrate this on Exchange 2016 (the screencast is in post production).
Bottom line is, if you need an easy way to install Let’s Encrypt single domain certs on Windows, use Letsencrypt-win-simple. If you need multiple domain certs, use the ACME Sharp PowerShell module.
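
Once a single SAN certificate has been issued, it is worth confirming that it really lists both host names before replacing the two certificate/key pairs in nginx.conf. The PowerShell below is an added example, not part of the original thread or of any client mentioned in it; the file name `boxstorm-san.pfx` and the password are hypothetical placeholders, and the `DNS Name=` label assumes an English-locale Windows.

```powershell
# Added example: report whether a certificate's SAN extension covers every
# host name that nginx will serve with it.

function Get-CertDnsNames {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.17 is the OID of the subjectAltName extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Format($true) prints one entry per line, e.g. "DNS Name=boxstorm.com"
    # (assumption: English-locale label text).
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') {
            $Matches[1].ToLowerInvariant()
        }
    }
}

function Test-CertCoversNames {
    param(
        [Parameter(Mandatory = $true)][string]$Path,          # .pfx or .cer file
        [string]$Password,                                    # ignored for .cer
        [Parameter(Mandatory = $true)][string[]]$RequiredNames
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    $sanNames = @(Get-CertDnsNames -Certificate $cert)
    foreach ($name in $RequiredNames) {
        New-Object PSObject -Property @{
            Name     = $name
            Covered  = ($sanNames -contains $name.ToLowerInvariant())
            NotAfter = $cert.NotAfter   # expiry, so renewal can be scheduled
        }
    }
}

# Usage (hypothetical file name and password):
# Test-CertCoversNames -Path .\boxstorm-san.pfx -Password 'placeholder' `
#     -RequiredNames 'boxstorm.com', 'app.boxstorm.com'
```

If either row shows `Covered` as `False`, the certificate was issued without that name and must be requested again, since an issued certificate cannot be edited.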