Using Let’s Encrypt SSL Certificates on Both Apache and IIS Servers
Introduction: Why SSL is Important
SSL (Secure Sockets Layer, today implemented by its successor TLS) is essential for securing communications between web servers and clients. It encrypts the data being exchanged, ensuring that sensitive information such as passwords, credit card numbers, and personal details is protected from hackers. In today’s digital landscape, SSL certificates are more than just a security measure; they also enhance your site’s credibility, improving SEO rankings and gaining user trust.
Let’s Encrypt is a popular choice for generating SSL certificates. It offers free, automated, and open certificates that can be used on different web servers, including Apache and IIS. Sometimes, you may need to use the same certificate for multiple servers, like migrating an SSL certificate generated for Apache to IIS. This guide walks you through how to do that.
Why Use the Same Certificate for Apache and IIS?
Both Apache and IIS (Internet Information Services) are widely used web servers, but they manage SSL certificates differently. If you’re running both types of servers and need a single SSL certificate to secure multiple services, Let’s Encrypt certificates are versatile and can be easily transferred between platforms. This article explains how to use the same SSL certificate on both Apache and IIS, saving time and ensuring a unified security approach across all servers.
Step-by-Step Guide: Using Let’s Encrypt Certificate for Both Apache and IIS
Step 1: Locating Your SSL Certificate on Apache
When you install and use Certbot with Let’s Encrypt to generate SSL certificates for an Apache server, the certificate files are usually located in the following directory on your Linux server:
- Certificate file: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
- Private key: /etc/letsencrypt/live/yourdomain.com/privkey.pem
These files will need to be converted and transferred to the Windows server running IIS.
Step 2: Converting PEM Files to PFX for IIS
IIS does not use the .pem file format that Apache uses. Instead, it uses .pfx files, which bundle the certificate and private key in a format that IIS can import. To convert the .pem files from Let’s Encrypt to .pfx, follow these steps using OpenSSL:
- If you don’t have OpenSSL installed, install it on your Linux machine by running:
sudo apt install openssl
- Use the following command to convert the .pem certificate and key files to a .pfx file:
openssl pkcs12 -export -out yourdomain.pfx -inkey /etc/letsencrypt/live/yourdomain.com/privkey.pem -in /etc/letsencrypt/live/yourdomain.com/fullchain.pem -certfile /etc/letsencrypt/live/yourdomain.com/chain.pem
This command will:
- -inkey: Specify the private key file.
- -in: Point to the fullchain certificate (your server certificate followed by the intermediate chain).
- -certfile: Add any intermediate certificates. Because fullchain.pem already includes the intermediates, this option is redundant here; it does no harm, but the export works without it.
- You will be prompted to create a password for the .pfx file, which will be required later to import the certificate into IIS. Since the .pfx bundles the private key, choose a strong password and keep the file’s permissions restricted.
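Putting Steps 1 and 2 together as a small script (added here as an example; it is not Certbot’s or this article’s own code): it checks that privkey.pem really belongs to fullchain.pem before exporting, reads the export password from a file instead of the command line, locks down the resulting file, and re-opens the bundle to confirm it loads. The live directory layout, the pass.txt file and the yourdomain.pfx name are assumptions matching the paths used above.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): build an IIS-ready PFX from a
# Certbot "live" directory with a few safety checks around the openssl call.
set -eu

# Return success only if the public key inside the certificate equals the
# public key derived from the private key. A mismatch means the wrong
# privkey.pem was picked up (for example from a different certificate lineage).
key_matches_cert() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# pem_to_pfx LIVE_DIR OUT_PFX PASS_FILE
#   LIVE_DIR  e.g. /etc/letsencrypt/live/yourdomain.com (assumed layout)
#   OUT_PFX   destination bundle, e.g. yourdomain.pfx
#   PASS_FILE file whose first line is the export password
# Prints the subject and expiry of the leaf certificate stored in the PFX.
pem_to_pfx() {
    local live="$1" out="$2" passfile="$3"
    local cert="$live/fullchain.pem" key="$live/privkey.pem"

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cannot read $cert or $key (run as root or fix permissions)" >&2
        return 1
    fi
    if ! key_matches_cert "$cert" "$key"; then
        echo "privkey.pem does not match fullchain.pem; refusing to export" >&2
        return 1
    fi

    # fullchain.pem already contains the intermediate certificate(s), so no
    # -certfile is needed. The password comes from a file, keeping it out of
    # shell history and the process list.
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
        -passout "file:$passfile"
    # The bundle holds the private key: owner read/write only.
    chmod 600 "$out"

    # Re-open the bundle with the same password to prove it is importable and
    # show what is inside (leaf certificate only; no key material is printed).
    openssl pkcs12 -in "$out" -passin "file:$passfile" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Typical invocation (assumed paths):
#   printf '%s\n' 'choose-a-strong-password' > pass.txt && chmod 600 pass.txt
#   pem_to_pfx /etc/letsencrypt/live/yourdomain.com yourdomain.pfx pass.txt
```

One known caveat worth keeping in mind: OpenSSL 3 protects PKCS#12 bundles with AES-256-CBC by default, and some older Windows releases cannot import those. If the import in Step 4 is rejected, re-run the export with `openssl pkcs12 -export -legacy ...` to produce a bundle in the older format.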
Step 3: Transferring the PFX File to the Windows Server
Once the .pfx file is created, transfer it to your Windows server. You can use SCP, FTP, or any other method to move files between servers; because the file contains the private key, prefer an encrypted transfer such as SCP or SFTP over plain FTP, and delete the copy on the Linux side once the import has succeeded.
Step 4: Importing the SSL Certificate into IIS
Now that the certificate has been transferred to your Windows server, you need to import it into IIS. Follow these steps:
- Open IIS Manager on your Windows server.
- In the left-hand pane, click on the server’s name, and then open Server Certificates by double-clicking it in the middle pane.
- In the Actions pane on the right, click on Import.
- In the Import Certificate dialog:
  - Select the .pfx file you transferred earlier.
  - Enter the password you created when exporting the .pfx.
  - Optionally, check Allow this certificate to be exported if you want the option to export it again in the future.
- Click OK. Your Let’s Encrypt SSL certificate is now imported into IIS.
Step 5: Binding the SSL Certificate to an IIS Website
After importing the certificate, you need to bind it to a specific IIS website to secure it with HTTPS:
- In IIS Manager, navigate to Sites in the left-hand pane, and click on the website you want to secure.
- In the right-hand Actions pane, click on Bindings.
- In the Site Bindings window, click Add to create a new binding.
- In the Add Site Binding window:
  - Set Type to https.
  - Choose your desired IP address or leave it as All Unassigned.
  - Set Port to 443 (the standard HTTPS port).
  - From the SSL certificate dropdown, select the certificate you imported.
- Click OK and close the bindings window.
Step 6: Testing the SSL Configuration
After binding the SSL certificate, open a web browser and navigate to your IIS website using https://. You should see the padlock icon, confirming the site is secured; click it and check that the certificate shown is the one you imported (issued by Let’s Encrypt, with the expiry date you expect).
Why Using Let’s Encrypt with DNS-01 Challenge is Better for Intranet (and Local Sites)
For internal networks (intranet) or websites that are not accessible from the internet, using Let’s Encrypt with the DNS-01 Challenge is a better option. Here’s why:
- Public-facing servers use HTTP-01: By default, Certbot uses the HTTP-01 challenge to verify domain ownership. This requires your server to be publicly accessible so that Let’s Encrypt can verify ownership by making an HTTP request.
- DNS-01 Challenge for internal services: For private servers (like intranet sites), the DNS-01 challenge allows Let’s Encrypt to validate your domain ownership by checking a DNS record, rather than an HTTP request. This means you don’t need your internal web server to be publicly available. It’s especially useful for sites that are only accessible within a company network.
Here’s a summary of the advantages of using the DNS-01 challenge for internal sites:
- No need to expose your server to the internet.
- Works well for domains used in both internal and public scenarios.
- Simplifies management of SSL for internal apps, portals, and services.
How to Use Let’s Encrypt with the DNS-01 Challenge:
- Install Certbot as usual on your Linux server.
- When creating the SSL certificate, use the DNS-01 challenge:
sudo certbot certonly --manual --preferred-challenges dns -d yourdomain.com
- Certbot will prompt you to add a specific DNS TXT record. Go to your DNS provider and add the requested TXT record.
- Once the DNS record is propagated, Certbot will verify it and issue your certificate.
- Now, you can use the same process outlined above to convert the certificate for use on IIS.
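The DNS-01 steps above tell you to continue once the record has propagated. The following helper (an added example, not part of Certbot or this article) polls the _acme-challenge TXT record with dig until the token Certbot displayed is visible, so you only press Enter at the --manual prompt once the record can actually be seen. It assumes dig is installed; the lookup command is held in a variable so it can be swapped for another tool, and the domain and token in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): wait until the TXT record that
# Certbot asked for is visible in DNS before letting the --manual flow continue.
set -eu

# How the TXT record is fetched. Assumes `dig` (dnsutils / bind-utils) is
# installed; override TXT_LOOKUP with any command that prints the record values.
lookup_txt_with_dig() {
    dig +short TXT "$1"
}
: "${TXT_LOOKUP:=lookup_txt_with_dig}"
: "${POLL_INTERVAL:=10}"   # seconds between lookups

# wait_for_acme_txt DOMAIN EXPECTED_TOKEN [TIMEOUT_SECONDS]
# Returns 0 as soon as _acme-challenge.DOMAIN carries EXPECTED_TOKEN, 1 on timeout.
wait_for_acme_txt() {
    local domain="$1" expected="$2" timeout="${3:-300}"
    local name="_acme-challenge.$domain" waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # dig prints each TXT value quoted; strip the quotes and require an exact match.
        if "$TXT_LOOKUP" "$name" | tr -d '"' | grep -qxF -- "$expected"; then
            echo "$name carries the expected token after ${waited}s"
            return 0
        fi
        sleep "$POLL_INTERVAL"
        waited=$((waited + POLL_INTERVAL))
    done
    echo "gave up after ${timeout}s: $name does not show the expected token" >&2
    return 1
}

# Typical use (placeholder values): add the record Certbot printed, then in a
# second shell run the check; when it returns, go back to Certbot and press Enter.
#   wait_for_acme_txt yourdomain.com 'token-shown-by-certbot' 600
```

Because --manual is interactive, `certbot renew` cannot complete unattended for a certificate obtained this way unless you also pass --manual-auth-hook with a script that creates the TXT record; a wait like the one above is the natural last step of such a hook before it returns.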
Conclusion
By using Let’s Encrypt, you can secure both Apache and IIS web servers with a single SSL certificate. For intranet or local sites, the DNS-01 challenge is an ideal method to maintain security without exposing your servers to the public internet. With the right setup and regular renewals, Let’s Encrypt offers a cost-effective, robust solution for keeping your web traffic encrypted and secure.
