When you publish your website, you are always a bit concerned about its security of it. From a security point of view, an SSL certificate plays a major role to authenticate the identity of the website. SSL stands for Secure Socket Layer, which creates a secure tunnel between the web server and the client browser to keep online transactions private. In another way, it prevents hackers from reading or modifying information transferred between two systems. It is always recommended to check the padlock next to the website you are visiting. If it exists means visiting the website is secure to connect.

I wrote another article on SSL certificates. This article describes how to get a free SSL certificate by using Window Server CA. You can use this for internal communication in a lower environment. 

SSL certificates can be used in various places like email communication, web-based applications, Server to Server communication, DB Encryption, etc.

SSL certificate falls into three major categories: Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV).

Domain Validation SSL Certificate is useful for the individual party who owns the domain name. You do not need to have a business to get this certificate. It will be assigned quickly.

Organization Validation SSL Certificate is designed for an organization that has a legally registered business. It takes one to three days to receive.

Extended Validation SSL Certificate comes with the highest level of trust. This type of certificate is easy to identify as it shows a green bar next to the domain name in the browser. It takes 1 to 5 days to receive.

Once you have an SSL certificate, the next step is to identify the number of different domains or sub-domains you are going to secure with this certificate. You can go with multi-domain SSL (also called SAN SSL), which covers multiple domains, including sub-domains of a single domain name. It also supports different domain names. Another option is with you to get a wildcard SSL certificate that supports a single domain, and all subdomains come under the main domain.  

Today we are going to see how to install an SSL certificate free of cost without paying any money. To enable HTTPS connection for the website, you need a certificate from Certificate Authority (CA).

Let’s Encrypt is an open-source CA that uses the ACME (Automatic Certificate Management Environment) protocol and provides free TLS/SSL certificates to any compatible client. It is standard protocol for interacting with the service to retrieve and renew certificates automatically. The official ACME client is called Certbot, though many alternative clients exist.

ISRG (Internet Security Research Group) developed the CA project for financial, technological, and educational barriers to secure the connection over the Internet. These certificates are applicable to websites. It does Certificate lifecycle management. Let’s understand key features first.

Key Features

• Domain name owners can obtain a trusted certificate free of cost
• Certificates are domain based, so no IP is required
• Does not store a private key
• The agent running on a web server can interact with Let’s Encrypt CA to obtain a certificate and configure it
• Let’s Encrypt will serve as a platform for advancing TLS security best practices
• All certificates issued or revoked will be publicly recorded and available for anyone to inspect
• Comes with 90 days validity which gets auto-renewal, so can extend for a longer time
• The automatic issuance and renewal protocol is published as an open standard that others can adopt
• Support major operating systems and web applications
• Trusted by all key internet browsers
• Domain-based, so no IP address is required
• Free of cost
• Extend to multiple domains with multi-domain or wildcard options

Steps To Get an SSL Certificate for Any Domain

There are two steps to this process.

Step 1: The installed Certificate management agent (CertBot) in the web server generates key pair and informs the Let’s Encrypt CA that the web server controls a domain and asks what needs to prove it.  CA check the requested domain and send one or more set of challenges to Agent. Also, send nonce (arbitrary number) to an agent, which is required to prove the key pair is controlled by the agent only. Agent completes the set of challenges and signs provided nonce with key pair. CA check if challenges are answered correctly and verify the signature on the nonce. If it is done successfully, the agent gets ready to do certification management.

Step 2: The agent creates CSR (Certificate Signing Request) to get a public key from CA for a specified domain. It includes a private key signature corresponding to the public key. Once the request reaches CA, it verifies both signatures and issues Certificates for a domain.

Demo: Installing SSL Certificate on IIS Webserver

Step 1: Set up Windows Server with public IP. Allow incoming port 443 for all networks. For outbound, open ports 80 and 443. Make sure you have admin/root permission.

Step 2: Install the IIS role through GUI or the command line mentioned below. Check website is up with a private or public IP address. By default, the default website is available.

#Install-Windows Feature -Name Web-Server -IncludeManagementTools

Step 3: Take the public domain and add DNS A record on the domain hosting server. This record will resolve the domain name to the IP address. 

Step 4: You need to do domain binding, as shown below. You can do domain binding with HTTP or HTTPS as well. In the case of HTTPS, you have to use a dummy certificate initially. I have used HTTP to show you 

Step 5: Go to this site and download the latest agent. It is a zipped file. Copy it into a separate folder. You have to unzip it and run the wacs.exe application to start the agent. It automatically connects to the CA server. Once the connection is established, it will ask to create the certificate. 

Step 6: Type N to start the certificate creation process. It will detect the default website and binding. In my case, there is one binding; hence I selected all binding. You also have the option to choose particular binding from the list if there is more than one binding.  

Step 7: Type yes at two stages to proceed. Provide email id for email notification in case of any abuse or problem. Certificate generation and assignment will begin.

Step 8: Browse the website again. You will see an SSL padlock next to your site. if you click on it, you will get certificate details. This Certificate is stored in the Certificate Manager –> Website hosting folder 

While installing the certificate, the agent also creates the scheduled task to renew the certificate periodically. It also gives you multiple options to manage secrets, recreate scheduled tasks, test emails, check for updates, and import scheduled renewals.

If you want to generate multiple certificates for your org, it is the better option to have a single Windows server having ACMEv2 Agent installed. From there, you can generate a certificate for a single domain or wildcard domain by taking DNS based challenge.

Generating Wildcard Certificate

1. Login into the system where the agent is installed. Start the agent.
2. Select the M option to generate a certificate with the manual process.
3. The next option is to choose manual Input from four available options.
4. Provide the host domain details. In my case, it is *.sagarcloud.tk
5. The next step is to put a friendly name in. I used the same DNS name mentioned above.
6. You will have two methods, sending either an HTTP request or a DNS request for the ACME server to verify you are the owner of the domain. If you have a single certificate, then you can go with anyone. This is not the case with a wildcard certificate. Only the DNS request-based validation option is available. I selected the 6th option from the below list.

7. After the ownership of the domain(s) validation, Certificate Signing Request (CSR) will be created to obtain the actual certificate. The CSR determines the properties of the certificate. If you are not sure what key to select, choose RSA as default.

8. You can store certificates in one or more ways to make them accessible to your applications. You can choose the Windows Certificate Store as the default location for IIS.

9. Choose Webhosting as the store to keep the certificate after the generation.

10. If you do not want to store it in any other place than Windows Certificate Store, you can skip further steps for the same.

11. DNS validation will start and provide a TXT record. You need to add this record to the domain hosting server to prove your ownership. Add value to the record without a double quote.

12. After adding the record, you need to wait for 15-20 min to replicate the changes.

13. Hit Enter to verify the record. If successful, Preliminary validation will succeed

14. You can delete the TXT record. After deleting, you can Enter to start certification generation

15. Certificate will create and store in the certificate manager of the local machine in the web hosting folder.

16. You can bind this certificate with your domain, considering you have created a subdomain and a record on your DNS server.

17. In my case, it is shop.sagarcloud.tk.

18. Now, you can access the website over the internet with a wildcard certificate. You can click on the lock icon on the browser to view the certificate.

The provided SSL certificate by Let’s Encrypt CA comes with some limitations.

Limitations

• Only support DO, no support for EV and OV
• Community-based support
• No GUI, only CLI-based operation
• No Centralized dashboard and reporting available

So far, Let’s Encrypt has provided SSL certificates to 300 Million websites worldwide, including major IT companies. Their SSL certificates have been working well with Apache, NGNIX, HAProxy, and Plesk websites. Good Community support is available for it. You can try with other software as well.

Thanks for reading. Keep learning with #multicloudsagar and grow in your career.