I’m trying to understand how this approach to certificate management works, then I can dive into the technobabble. I want to make sure I got the high-level logic down.
I run more than one internal certificate authority using MS Certificate Server and have set up UCC / SAN certs with these for Exchange and Lync, plus I’ve created CAs in OpenSSL for experimenting, so I have a basic handle on cert management.
The impression I’m getting with Let’s Encrypt is, rather than create cert requests in the server and submit them to an online CA, you have a separate client application that does that for you. The client and some verification steps (the ACME protocol), including a new optional DNS record, can help automate the identity verification process. Also, the certificate lifespan is dramatically shorter than with commercial CAs (three months) and as such renewals would need to be automated. Certbot is to be used for this normally, though there are ACME clients for other systems.
It took some FAQ and forum reading to get to this level of understanding… do I have the basic idea correct?
I’ll look at ACMESharp and letsencrypt-win-simple later on; I already know Certbot doesn’t have a Win32 implementation.
[This was from the forum template]
My operating system is (include version): Windows Server 2012 R2 patched as of JAN 2017
My web server is (include version): IIS 8.5
I can log in to a root shell on my machine (yes or no, or I don’t know): Yes (local admin, cmd and powershell)
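The high-level flow the post describes (a separate client proves control of the name to the CA, optionally via a DNS record, and then renews well before the short lifetime ends) can be modelled in a few lines. The following is an added illustration and not code from the post, from Certbot or from any of the Windows clients mentioned: it computes the two values an ACME (RFC 8555) client has to publish for the HTTP-01 and DNS-01 challenges from a challenge token and the account key's JWK thumbprint, and applies Certbot's default "renew when fewer than 30 days remain" rule to a 90-day certificate. The account key (`SAMPLE_JWK`) and token are constructed sample values, not real Let's Encrypt data, and the function names are mine.

```python
"""Added example: the ACME challenge values and renewal check, standard library only."""
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample account key in JWK form (not a real key; only its
# thumbprint matters for the challenge values below).
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-base64url",
    "e": "AQAB",
    "kid": "ignored-by-thumbprint",   # extra members are excluded from the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """'token.thumbprint': the body the HTTP-01 challenge file must contain at
    /.well-known/acme-challenge/<token> on the web server being validated."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value of the _acme-challenge.<name> TXT record for DNS-01:
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def renewal_due(not_after: datetime, now: datetime, threshold_days: int = 30) -> bool:
    """Certbot's default policy: renew once fewer than 30 days of validity remain.
    With 90-day certificates that means roughly every 60 days."""
    return not_after - now < timedelta(days=threshold_days)


if __name__ == "__main__":
    issued = datetime(2017, 1, 15, tzinfo=timezone.utc)      # constructed issue date
    expires = issued + timedelta(days=90)                     # Let's Encrypt lifetime
    print("HTTP-01 body :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    for day in (10, 59, 61):
        print(f"day {day:>3}: renew? {renewal_due(expires, issued + timedelta(days=day))}")
```

The point worth noticing is that neither challenge value contains the private key: the server only has to show it can place a value derived from a public thumbprint at a location (URL or DNS name) that only the domain's controller can write to, which is why the client can run unattended and why automating renewal is the expected mode of operation rather than an optional convenience.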