If you are not familiar with letsencrypt.org, please check out the site for more information.  You can look them up here.

The quick answer is that they issue SSL certificates for free.


We are going to be using ACMESharp on Windows Server 2008R2 to get our certificates generated, downloaded and working (installed).


  • You will need to log into your server and verify that you have PowerShell v.4.0 or above working.  You can do this by running the cmdlet 'Get-Host' on your server (see image below).  My server was at version 2.0.


  • We need to install ACMESharp on the server.  We do this through PowerShell using the command:  Import-Module ACMESharp
  • If you cannot use the Import-Module to install it, you can download the module here and extract it to the PowerShell module directories under c:\windows\system32\windowspowershell\v1.0\modules\ and c:\windows\syswow64\windowspowershell\v1.0\modules\ directories.  Then run the Import-Module ACMESharp command again.
  • You can also install PowerShell Gallery support following the instructions here.


We are going to need to initialize the PowerShell module and have it set up the directories it needs.

  • We are going to use the command Initialize-ACMEVault, within PowerShell, to do our one time initialization.
  • This command runs very quickly and does not generate any response.
  • This command makes some directories on your machine under C:\ProgramData\ACMESharp (see image below).



At this point we have the ACMESharp PowerShell module installed on our Windows Server 2008R2 machine.

We have also initialized the module and set up our default directories for storage of our certificates.


Now we are ready to create some SSL certificates.


*** NOTE:  Please be aware I'm going to generate all the certificates in this example.  You may not need to do this for your installation.


*** NOTE:  We will start PowerShell as Administrator and use the same session for the entire process.


*** NOTE:  For this example I will be using helpdesk.the-internet-guy.com as my test domain.  Substitute your domain name in its place during your registration.


Step One:  Register your email address with LetsEncrypt.org.

  • Run the command Import-ACMESharp
  • Run the command New-ACMERegistration -Contacts mailto:[your@email.address.com] -AcceptToS
  • You will see a response like this (see image below).  I have blurred my email address and RSA key for security reasons.

  • Run the command New-ACMEIdentifier -Dns helpdesk.the-internet-guy.com -Alias helpdesk.the-internet-guy.com_Identifier
  • You will see a response like this (see image below).  I have blurred out the auth code for security reasons.

  • Please note the status of "pending" in the above request.  This means we need to validate our request before a certificate is issued.

  • Run the command Complete-ACMEChallenge helpdesk.the-internet-guy.com_Identifier -ChallengeType http-01 -Handler manual

  • You will see a response like this (see image below).   I have blurred out the tokens for security reasons.

  • The prior command indicates that we are going to use the HTTP challenge.  This is designated by the "http-01" challenge type.
  • You will see that we need to make a directory on the root of our web server to house the token (or finger print) for the SSL key.  This is commonly in the %webroot%/.well-known/acme-challenge/ directory.
  • We can make this by using the mkdir command to create the folders on our system (see image below).  My root folder for my IIS installation is c:\inetpub\hostroot\, yours may be different.

  • Now we need to make a file in our new directory.  That file name needs to be the string as shown, and labelled, number 1 (see image below).  The contents of that file need to be the string as shown, and labelled, number 2 (see image below).

  • You can create this file however you like.  You can use Notepad or WordPad or NotePad++.  You just need to label it the string at number 1 and it needs to contain the string at number 2.  You may need to run Notepad as Administrator to get access to that directory.
  • You will now have one file under the acme-challenge directory.  It should look like this.

  • Run the command Submit-ACMEChallenge helpdesk.the-internet-guy.com_Identifier -ChallengeType http-01

  • As you can see in the image above, our challenge has been submitted and is still "pending".
  • We can see the status of our submission by running the command Update-ACMEIdentifier helpdesk.the-internet-guy.com_Identifier -ChallengeType http-01


*** NOTE:  You may need to add the MIME type to your website to get IIS to respond to the request with the text of the file vs. a 500 or other error.  I needed to add it to my server config (see image below).


*** NOTE:  You can test to see if your server is publishing the file correctly by navigating to this location manually in your browser of choice.
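
The manual steps above (create the folder, write the token file, fix the MIME type, test the URL) can be scripted as follows. This is an added example, not part of the original walkthrough; the function names are hypothetical, the token strings are constructed stand-ins, and the text/plain mapping for extensionless files is an assumption, since the post does not say which MIME type was added.

```powershell
# Added example, not from the original post. The token strings are constructed
# stand-ins for the two values that Complete-ACMEChallenge prints.
$WebRoot     = 'C:\inetpub\hostroot'   # IIS root used in this walkthrough
$HostName    = 'helpdesk.the-internet-guy.com'
$FileName    = 'constructed-token-0123'                          # string number 1
$FileContent = 'constructed-token-0123.constructed-thumbprint'   # string number 2

function Publish-AcmeChallengeFile {
    param([string]$WebRoot, [string]$FileName, [string]$FileContent)
    $dir = Join-Path $WebRoot '.well-known\acme-challenge'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # Write exactly the expected bytes: no BOM, no trailing newline, and no
    # ".txt" extension (all easy to get wrong when saving from Notepad).
    $path = Join-Path $dir $FileName
    [System.IO.File]::WriteAllText($path, $FileContent, [System.Text.Encoding]::ASCII)
    # Assumed MIME fix: map extensionless files to text/plain for this folder
    # only, instead of changing the MIME map for the whole server.
    $webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@
    [System.IO.File]::WriteAllText((Join-Path $dir 'web.config'), $webConfig)
    return $path
}

function Test-AcmeChallengeFile {
    param([string]$HostName, [string]$FileName, [string]$FileContent)
    $url = "http://$HostName/.well-known/acme-challenge/$FileName"
    try {
        $body = (New-Object System.Net.WebClient).DownloadString($url)
    } catch {
        Write-Warning "GET $url failed: $($_.Exception.Message)"
        return $false
    }
    # The body served over HTTP must match the expected string exactly.
    return ($body.Trim() -ceq $FileContent)
}

Publish-AcmeChallengeFile $WebRoot $FileName $FileContent | Out-Null
if (Test-AcmeChallengeFile $HostName $FileName $FileContent) {
    'Challenge file is served correctly; ready for Submit-ACMEChallenge.'
}
```

Once the identifier shows as valid, the token file and the web.config in the acme-challenge folder are no longer needed and can be deleted.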




  • You will need to check your status and wait until it is valid (see image below).  Once valid you can start the generation of certificates.

  • Run the command New-ACMECertificate helpdesk.the-internet-guy.com -Generate -Alias helpdesk.the-internet-guy.com_Cert
  • You will see a response like this (see image below).  We just set up our vault to use the helpdesk.the-internet-guy.com_Cert alias for all of our certificate exports.

  • We will now submit our certificate to LetsEncrypt.org so certificates can be generated.  Run the command Submit-ACMECertificate helpdesk.the-internet-guy.com_Cert
  • You will see a response like this (see image below).

  • We will now export the private key.  Run the command Get-ACMECertificate helpdesk.the-internet-guy.com_Cert -ExportKeyPEM "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com_private_key.pem"
  • You will see a response like this (see image below).  We are exporting our private key to our desktop.

  • We will now export our certificate signing request (CSR) file.  Run the command Get-ACMECertificate helpdesk.the-internet-guy.com_Cert -ExportCsrPEM "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com.csr.pem"
  • You will see a response like this (see image below).

  • We will now export our CRT file.  Run the command Get-ACMECertificate helpdesk.the-internet-guy.com_Cert -ExportCertificatePEM "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com.crt.pem" -ExportCertificateDER "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com.crt"
  • You will see a response like this (see image below).  We have exported our certificate in PEM format and CRT format.

  • You can look at your desktop and view your certificates.  They will look like this (see image below).

  • We will now export our issuer certificate.  Run the command Get-ACMECertificate helpdesk.the-internet-guy.com_Cert -ExportIssuerPEM "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com.crt.pem" -ExportIssuerDER "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com.crt"
  • We now should have 6 certificate files on our desktop (see image below).  We have our certificates in PEM and CRT format and our issuer certificates in PEM and CRT format.

  • For Microsoft Windows, we need a PFX certificate... to make life simple with IIS.

  • Run the command Get-ACMECertificate helpdesk.the-internet-guy.com_Cert -ExportPkcs12 "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com.pfx"

  • You will see a response like this (see image below).

  • If you want to create a PFX with a password, which is usually preferred in Windows, you would run the command Get-ACMECertificate helpdesk.the-internet-guy.com_Cert -ExportPkcs12 "c:\users\sysadmin\desktop\helpdesk.the-internet-guy.com.pw.pfx" -CertificatePassword 'ABCD1234' (where ABCD1234 is the assigned password.  Yours should be a bit tougher to guess.)

  • You will see a response like this (see image below).

  • We now have 8 certificate files on our desktop (see image below).

  • We are done with the certificate generation part... now on to IIS.


In this part we are going to take the PFX file that we generated before and import it into IIS for use on our website.


At this point I have no certificate on my server, so I cannot go to HTTPS, I get this error (see image below).

I can go to HTTP.  When I do I get this page (see image below).




  • Open IIS Manager on your server.
  • Click on the server name.  We are looking for the "Server Certificates" option for your server (see image below).

  • Double click on the "Server Certificates" option.  You will be brought to the certificates page (see image below).  Click on "Import".

  • This will bring up a box that asks you for the certificate location and password.  Thus, you need to pick the PFX file that you put a password on.  Ours was named helpdesk.the-internet-guy.com.pw.pfx.  Type the password in (see image below).

  • Your certificate is now imported into IIS (see image below).

  • We now need to assign it to our website.  Highlight the website that you want to use and click the "Binding" option (far right).

  • Once the "Site Bindings" window appears, click on the "Add..." button.  This will ask you what port and certificate.  Pick HTTPS, port 443 (or any other port you want to protect with SSL) and then the certificate (see image below).

  • I suggest that, at this time, you restart your site.

  • Now when I look at my website using HTTPS, I get the same page but you will notice the LOCK icon and the protocol being used (see image below).

  • If we examine our certificate, you will see the details (see image below).


That's it... that's all there is to it.

...Except renewing.  You will need to do this every 60-90 days.
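
Two follow-up checks a practitioner would want after the import, as an added example that is not part of the original walkthrough: how many days the installed certificate has left, and which exported files on the desktop still hold the private key. The function names are hypothetical, and the script assumes the IIS import placed the certificate in the LocalMachine\My (Personal) store; the 30-day warning threshold is also an assumption.

```powershell
# Added example, not from the original post.
$DnsName   = 'helpdesk.the-internet-guy.com'
$ExportDir = 'c:\users\sysadmin\desktop'      # export folder used in this walkthrough

function Get-CertificateExpiry {
    param([string]$DnsName)
    # Assumes the IIS import stored the certificate in LocalMachine\My.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$DnsName*" } |
        Select-Object Thumbprint, HasPrivateKey, NotAfter,
            @{ Name = 'DaysLeft'
               Expression = { [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays) } }
}

function Remove-ExportedKeyMaterial {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ExportDir, [string]$DnsName)
    # Files that contain the private key: the key PEM and both PFX exports.
    Get-ChildItem -Path $ExportDir -File |
        Where-Object { $_.Name -like "$DnsName*" -and
                       ($_.Name -like '*private_key.pem' -or $_.Extension -eq '.pfx') } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete exported private key')) {
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }
}

# Warn when the installed certificate is inside the assumed 30-day window.
Get-CertificateExpiry $DnsName | ForEach-Object {
    if ($_.DaysLeft -lt 30) {
        Write-Warning "$DnsName ($($_.Thumbprint)) expires in $($_.DaysLeft) days"
    }
    $_
}

# Dry run: lists the key-bearing files without deleting anything.
Remove-ExportedKeyMaterial -ExportDir $ExportDir -DnsName $DnsName -WhatIf
```

Drop -WhatIf once the certificate is bound and working in IIS; the private key then lives only in the Windows certificate store and the ACMESharp vault.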