Add SSL certificate to a website

The entire process of adding an SSL certificate can be done in less than 10 minutes:

  1. Purchase a certificate (multi-year is preferred to avoid the hassle of renewing).
  2. Generate a Certificate Signing Request (CSR).
  3. Request an SSL certificate from an issuing authority.  The issuing authority sends an authorization request to the administrator of the domain in seconds.  The admin authorizes the request.
  4. Download the SSL certificate.
  5. Install the certificate.

The process to re-key an SSL certificate is almost identical to the above.

IONOS offers a free SSL certificate for each domain registered with them.

  1. Go to Secure Your Website with SSL Encryption
  2. Select domain
  3. Activate SSL Certificate and download the private key
  4. Menu > Domain and SSL
  5. Click a domain.
  6. Click SSL Certificate > Manage
  7. Create and Download the .PFX File (the downloaded private key and a new password are needed for this step.  Remember this password).
  8. Go to IIS > Select Server > IIS > Server Certificate > Import... (on the right) > Select the .PFX file and enter password.
  9. IIS > Select website > Binding... (on the right) > Select https (if nonexistent, create it) > Edit... > Select the imported certificate.

Renew IONOS SSL certificate:

  1. Domains & SSL
  2. Select the domain
  3. SSL certificate > Manage
  4. Renew and get a .key file
  5. SSL Certificate Files > Download .PFX file. In this step, open the private key file (.key), copy its content into the box, and enter a password.  Remember this password.
  6. Go to IIS > Select Server > IIS > Server Certificate > Import... (on the right) > Select the .PFX file and enter password.
  7. IIS > Select website > Binding... (on the right) > Select https (if nonexistent, create it) > Edit... > Select the imported certificate.

One can use the free Let's Encrypt.  Certify the web is a great application to manage Let's Encrypt certificates for different websites on a Windows server.  If a regular SSL certificate is used, one needs to remember to remove the website from Certify the web.  Otherwise Certify the web will update the website's certificate with one from Let's Encrypt automatically.

ZeroSSL renewal:

  1. Follow the default steps to generate the .zip file containing domain.crt, bundle.crt, private.key
  2. Remove any passphrase from the private key:
        openssl rsa -in yourdomain.key -out key_nopass.key
     Verify it does not ask for passphrase (optional):
        openssl rsa -check -in key_nopass.key
  3. Create a Windows Server 2016–compatible PFX:
        openssl pkcs12 -export ^
        -out win2016.pfx ^
        -inkey key_nopass.key ^
        -in yourdomain.crt ^
        -certfile ca_bundle.crt ^
        -keypbe PBE-SHA1-3DES ^
        -certpbe PBE-SHA1-3DES ^
        -macalg SHA1
     Inspect the PFX to verify it (optional):
        openssl pkcs12 -info -in win2016.pfx -nokeys
  4. Import the PFX into Windows Server 2016
    Open mmc → Add “Certificates” snap-in → Computer account → Local computer
    Go to: Personal → Certificates
    Right-click → All Tasks → Import
    Select win2016.pfx
    Enter the PFX password
    Check “Mark this key as exportable”
    Finish
  5. Bind the certificate to the website.
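
Steps 4 and 5 above, and the matching IIS import and binding steps in the IONOS sections, can be scripted. The following PowerShell is an added example, not part of the original notes; the PFX path, site name and port are assumed values, and it expects an elevated session on the IIS server.

```powershell
# Added example: import the renewed PFX and point the site's https binding at it.
# Assumed values (not from the page): PFX path, IIS site name, port.
param(
    [string]$PfxPath  = 'C:\certs\win2016.pfx',
    [string]$SiteName = 'Default Web Site',
    [int]$Port = 443
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Prompt for the PFX password so it never lands in a script or in shell history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into Local Computer > Personal. -Exportable matches the
# "Mark this key as exportable" checkbox; omit it to keep the key non-exportable.
$imported = Import-PfxCertificate -FilePath $PfxPath -Password $pfxPassword `
    -CertStoreLocation Cert:\LocalMachine\My -Exportable

# The PFX also carries the CA bundle; the site certificate is the one with a private key.
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found in $PfxPath" }
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Create the https binding if the site has none, then attach the certificate.
$bindings = @(Get-WebBinding -Name $SiteName -Protocol https -Port $Port)
if ($bindings.Count -eq 0) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port
    $bindings = @(Get-WebBinding -Name $SiteName -Protocol https -Port $Port)
}
foreach ($binding in $bindings) {
    # Drop the previous (expiring) certificate before attaching the new one.
    if ($binding.certificateHash) { $binding.RemoveSslCertificate() }
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Report what is now bound so the renewal can be confirmed.
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object bindingInformation, certificateHash
"Bound $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
```

Once the binding is confirmed, delete key_nopass.key and the .pfx from disk: the former holds the private key unencrypted, and the latter protects it only with the PFX password.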

ZeroSSL certificate renewal automation:

Setup Steps (High-Level)

  1. Download win-acme for Windows Server 2016

  2. Install/Extract it

    • Extract to a folder like C:\win-acme\

  3. Run wacs.exe (the client)

    • Select “Create new certificate (full options)”

    • Choose your IIS site

    • Choose ZeroSSL ACME v2 as the provider

    • Enter your ZeroSSL API key when prompted

  4. Automatic PFX creation

    • win-acme generates a Server 2016-compatible PFX automatically

    • Handles private key / certificate / CA bundle correctly

  5. Bind the certificate to IIS

    • win-acme can automatically update your site’s HTTPS binding

  6. Schedule automatic renewal

    • The installer creates a Task Scheduler job

    • Checks for expiring certificates and renews automatically