How to use Let’s Encrypt Free SSL with Windows Server 2012 R2

Today I’m going to discuss how you can get a free SSL cert from Let’s Encrypt, and then use it on a Windows Server.
In my example I will be using the free SSL cert for a remote Desktop Collection!

The latest powershell is required so you can utilize the “install-module” command, this can be found here.
For server 2012 R2 x64 choose this one “Win8.1AndW2K12R2-KB3134758-x64.msu”.
This is at the last option after clicking the download button.

Before we begin you should know that the method to proving the ownership of the domain I chose is ‘dns-01’ this method requires you to create a txt DNS record. This was the easiest way for me. I’m going to create one with you now for my domain,

Now run powershell as admin, paste the following commands and fill out the following variables.
the script:

$domain = ""
#if you need a cert for a subdomain then you should put the subdomain not the root
$mail = "mailto:[email protected]"
#note this email does not need to be under the domain you are registering, you can use or
$domalias = "domain"
#any name is fine
$certalias = "domaincert"
#any name is fine
$certloc = "C:\certfiles\$domalias"

Install-Module ACMESharp
# you should have the latest powershell version to use this

Import-Module ACMESharp

#this command is only required once per session

New-ACMERegistration -Contacts "$mail" -AcceptTos

New-ACMEIdentifier -Dns $domain -Alias $domalias

Complete-ACMEChallenge $domalias -ChallengeType dns-01 -Handler manual

Write-Host -fore yellow "Copy your TXt record values from above, then add to your domain DNS then press enter here"


Submit-ACMEChallenge $domalias -ChallengeType dns-01

Write-Host -ForegroundColor yellow "This script will pause for 60 seconds while it waits for your request to be submitted, then it will update."
Start-Sleep 60

Update-ACMEIdentifier $domalias

Write-Host -fore yellow "If the above says the status is valid, then press enter, if it says invalid review your settings, if it says pending just rerun the update command above in the script"


New-ACMECertificate $domalias -Generate -Alias $certalias

Submit-ACMECertificate $certalias
Write-Host -ForegroundColor yellow "This script will pause for 60 seconds while it waits for your request to be submitted, then it will update."
Start-Sleep 60

Update-ACMECertificate $certalias

new-item -ItemType Directory "$certloc"

Get-ACMECertificate $certalias -ExportKeyPEM "$certloc\privatekey.key.pem"
Get-ACMECertificate $certalias -ExportCsrPEM "$certloc\certcsr.csr.pem"
Get-ACMECertificate $certalias -ExportIssuerPEM "$certloc\issuer.crt.pem" -ExportIssuerDER "$certloc\issuer.crt"
Get-ACMECertificate $certalias -ExportPkcs12 "$certloc\cert.pfx" -CertificatePassword 'P@ss1234'

write-host -ForegroundColor yellow "your .pfx file was saved with the pass P@ss1234"

Explaining the Let’s Encrypt Script and Module

I’m assuming you’ve already upgraded powershell with the link I provided. Then you should have installed the module via the command. Then you should have imported the module. Finially you should have ran the initialize command (this command is only required once).

The email registration doesn’t send you anything, it just ties the domain to your email (email must be valid, can be any domain)

img 57c8e8e8a0582

Then we create the domain identifier and bond it to an alias

img 57c8e9a9cd7ca


This is the complete acme challenge part, the name is tricky, it doesn’t actually complete. It actually begins the challenge.
At this step you are given the txt record name and value that you will need to setup.

img 57c8cedf2ed5d

My TXT record will be called “_acme-challenge” and the Value will be whatever is in the value field, minus the brackets.

Since my domain is hosted with Cloudflare this is what my record looked like.

img 57c8cf6137f0e

Once I hit enter in the script it will submit my challenge, then pause for 60 seconds, if you see a “status” of pending, that means you did everything well so far.

img 57c8cfb6d9664

This update-acmeidentifier command just gets the status of a challenge you submitted.
If everything went well then after those long 60 seconds the script will now show a status of “valid” like below.

img 57c8d12581634

If it did not then you need to find the error in the config. If it shows “invalid” you have a problem. Most likely you messed up the DNS record or it hasn’t showed up yet.

Then the alias for the cert is created, submitted, and checked.

img 57c8eed08cc7a

Then the folder structure is created in C:\ with the “new-item” command.

Once that’s done it will actually do the exporting.

img 57c8ee6048988

Once all of that is done you should get all the cert files in a directory on the C:\ drive called certfiles.

img 57c8d170c59dc

I used the script for a RDSH collection test-lab, I was able to easily add the cert with the password in Server Manager.

img 57c8d21f1e926

Note: the password is required or else you’ll have “delegation” errors.

Renewels: As it stands there’s no way with powershell to renew your certs, once that feature comes out I will update this!

Leave a comment