Wildcard-capable client recommendation for Windows


#1

Hi, I’m here with a similar question! I want to use a wildcard cert for all of my internal web interfaces to use HTTPS (e.g. UPS, switches, misc. software, etc.).

Certificates make my head hurt and I have no idea how to use letsencrypt.org to create auto-renewing certs utilizing Windows Server 2012 R2.

Is there anywhere I can find a step-by-step guide to understand how to do this? I’m not very Linux savvy either, so the certbot stuff makes my head spin.

Any advice is greatly appreciated.


#2

I’ve split this into a new topic because currently people are likely to regard the “Windows” part of your question as extremely important.

Currently Windows server users should probably not use Certbot—it was designed for Unix and we’re not quite to the point of having completed a Windows port or finished accepting other people’s work in this direction. As you can imagine, you wouldn’t have the package managers or files that Certbot documentation assumes that you have from Unix environments.

You need to use a Let’s Encrypt client application in order to obtain certificates from Let’s Encrypt. A list of all of the known ones is at

As you can see, most of them are aimed at Unix environments but there are currently nine aimed at Windows+IIS. Since I’m a Certbot developer and Linux user, I don’t have experience with these applications or a recommendation for you, but hopefully someone else will notice this thread and offer you a suggestion.

One thing that’s important to understand is that by Let’s Encrypt policy, wildcard certificates can only be obtained using the DNS-01 validation method. This means that you have to prove your control over the domain for which you want a wildcard by creating a DNS TXT record in your DNS zone. In order to automate this, you normally need an API from your DNS provider that lets you create DNS records from software. This API would also need to be compatible with your client application. If you don’t have this feature and this compatibility, you’ll probably have a bad experience with Let’s Encrypt because you’ll need to change your DNS records manually—and you’ll need to do so often because Let’s Encrypt certificates are only valid for 90 days.

Also, you’ll probably want to think about how you can script or automate the certificate deployment, since the 90-day expiration also means that you probably won’t want to have to copy the new certificates onto all of these devices and environments by hand. This might entail something like writing a PowerShell script that deploys the new certificate to the relevant places, and telling your Let’s Encrypt application to run that script whenever the certificate is renewed.

I hope that’s helpful; sorry for the lack of a more specific recommendation!


#3

(It looks like the other user was possibly also looking for a Windows solution but that wasn’t very clear in the other thread, and the other user seemed somewhat satisfied with the existing discussion there… so I think it may still be useful to have a thread that really calls out that you particularly want a Windows Server-oriented recommendation.)


#4

Ironically, the hard part about this request is not actually getting the cert. It’s likely going to be much harder for you to actually import that cert to the various endpoints you listed. Hardware appliances like UPSes, switches, etc. are all going to have vastly different mechanisms for uploading and enabling a certificate. So you’re going to have to do a lot of custom scripting in order to automate all of that unless you were planning on uploading a new cert to all those things by hand every 60-90 days.

If certificates already make your head hurt and you’re not very Linux savvy, you might be better off paying for a cert from a CA that can give a longer duration.


#5

If this is internal-only, you might want to look up using your own certificate authority and importing the root certificate from that as a trusted root on your computers. That way you can make much longer-duration certificates for free, at the expense of a little more up-front work. There are a lot of tutorials online regarding how to do this.


#6

We have a CA but I’ve just never found a cut and dry explanation of how to do this.

I’m great at a lot of aspects of IT, but certificates is one that has slipped through the cracks :-/


#7

Yeah, especially if you have a Windows Server CA, I get it. It’s like they made that deliberately convoluted, but it integrates with the rest of a domain so they’re still in common use. :man_shrugging:

This is a pretty good guide to doing it all command-line with openssl. There are other pieces of software out there that can handle it for you, but I haven’t used any so I don’t really have a recommendation on that.

Note: That guide skips over the bit where it should tell you to create your CSR with subject alternative names. Just Google for that part and you’ll be fine. Chrome will be mad if you don’t do this.
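The private-CA route from #5 and the subjectAltName step that #7 says the guide skips, worked through with openssl as an added example (not from the linked guide or any poster). The domain `internal.example`, the CA name and the file paths are constructed placeholders; it assumes only the `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example: minimal private CA + wildcard leaf cert whose CSR carries a SAN.
# All names and paths here are constructed placeholders, not values from the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-internal.example}"

# 1. Root CA key and self-signed root cert. This root is what gets imported as a
#    trusted root on the client machines; keep ca.key off the boxes that serve TLS.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Internal Test CA" >/dev/null 2>&1
}

# 2. Leaf key, CSR and the extension file. The subjectAltName line is the part the
#    guide skips: browsers match the host only against SAN, not the CN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=*.$DOMAIN" >/dev/null 2>&1
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN
EOF
}

# 3. Sign with the CA. -extfile is required: 'openssl x509 -req' does not copy
#    extensions from the CSR, so without it the SAN is silently dropped.
sign_leaf() {
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Checks worth running before pushing the cert to any device: the leaf chains to
# the root, and the issued cert really contains the wildcard SAN.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
leaf_sans() {
  openssl x509 -in "$WORK/leaf.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

make_ca && make_csr && sign_leaf && verify_chain && echo "SAN: $(leaf_sans)"
```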


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.