Generate Let's Encrypt Free HTTPS SSL Certificate

Anil Gupta  9 Aug, 18      0  Tech Tips

Generate a 2048-bit HTTPS certificate for use with Google Load Balancer or AWS. Step-by-step process to get a free SSL certificate from the ZeroSSL online service, using Let's Encrypt as the signing authority.

If you want a free HTTPS certificate for WordPress, use the WP Encrypt plugin instead. It is much easier and integrates with your blog seamlessly.

The certificate generated by WP Encrypt uses a 4096-bit RSA key (longer is stronger), which unfortunately is not supported by Google Cloud Load Balancer; it only accepts 2048-bit keys.

We will walk through an online service called zerossl.com, which internally uses Let's Encrypt to generate the free HTTPS certificate.

Generate a 2048 bit CSR (Certificate Signing Request)

  1. Do not go directly to certificate generation on ZeroSSL, as it generates the CSR with a 4096-bit key automatically.

    Instead, first explicitly generate a CSR with 2048-bit strength here: https://zerossl.com/free-ssl/#csr

  2. Fill in your domain names, such as ‘am22tech.com’, ‘www.am22tech.com’, ‘cdn.am22tech.com’. Include every name that you want the certificate to be issued for.
    1. Choose ‘2048’ bits.
    2. Fill in your company information.
    3. Leave the domain key box (left box) and CSR box (right box) empty. They will be generated for you.
  3. Click ‘Generate’. This step generates two files:
    1. Domain private key file (called ‘Private key file’ in Google Load Balancer).

      Download and save this file as ‘domain-private-key-use-in-g-load-balancer.pem’ on your local machine. This is the private key for your domain: anyone holding it can impersonate your site, so paste it only into the load balancer's private key field and keep it out of shared drives, email and chat.

    2. The CSR file. The CSR is useful if you need to reissue the certificate (at renewal time) or if you have to run through these steps again. Download and save this file as ‘csr.pem-use-for-renewal.txt’.
      This contains the domain information you just entered, such as your company information and domain names.
(Screenshot: 2048 bit CSR generation)

Generate a FREE HTTPS certificate signed by Let's Encrypt

    1. Go to this link: https://zerossl.com/free-ssl/#crt
      1. Enter your email. This is important, as this email will be used to notify you about certificate expiry.
      2. Leave the private key section in the left-hand box blank. It will be generated fresh.
      3. Copy and paste the contents of the CSR file (csr.pem-use-for-renewal.txt) from the step above into the right-hand box.
      4. Choose DNS as the verification method. It is much easier; the HTTP method would require you to place a file on your web server.
      5. Accept the ZeroSSL TOS.
      6. Accept the Let’s Encrypt SA (PDF).
(Screenshot: Sign certificate with Let's Encrypt)
  1. Click ‘Next’. A key file is generated in the left-hand box. This is a private key file. Download and save it as ‘lets-encrypt-private-key-file.pem’. It will be required when you renew this certificate.

    The identity has two components: an email address, which is optional but recommended for expiry notices, and an RSA key used to sign and validate commands. The RSA key is linked to ALL Let’s Encrypt activities (such as issuing requests, revocations and listing current certificates). This is a very important key, and it will be needed for generating other certificates. Protect it as carefully as the domain private key: anyone holding it can act on your account.

  2. Click ‘Next’ again. You are now shown the DNS settings.
    (Screenshot: Verify certificate using DNS)
    1. Go to your DNS service, such as https://domains.google.com, and add or change these values. Keep the TTL low, such as 1m (= 1 minute), to help the records propagate and let ZeroSSL verify them quickly.

      (Screenshot: DNS records in Google Domains)
    2. Wait about 3 minutes and then click ‘Next’.
  3. On the next screen, you see the signed certificate file.

    (Screenshot: Signed Let's Encrypt certificate)
  4. Download and save this file as ‘domain-crt-contains-2-certs-zero-ssl-last-step.txt’.
  5. Open this file in Notepad. Cut the two parts apart and save them as separate files. Each part runs from a ‘-----BEGIN CERTIFICATE-----’ line to the matching ‘-----END CERTIFICATE-----’ line; keep those marker lines with the part they belong to.
    1. First part: save as ‘public-key-certifcate-derived-from-2-cert-file-use-in-g-load-balancer.pem’.
      For AWS and Google Load Balancer, this file is the ‘public key certificate’.
    2. Second part: save as ‘chain-certicate-derived-from-2-cert-file-use-in-g-load-balancer.pem’.
      For AWS and Google Load Balancer, this file is called either “Intermediate certificate”, “Certificate chain” or “CA Bundle”.
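Splitting the two-certificate file with a small script instead of by hand in Notepad, as an added example that is not part of the original post: it treats the first PEM block as the server certificate and every following block as the chain, so it also copes with a download that carries more than one intermediate, and it rejects a block whose base64 body was damaged while copying. The sample input is a constructed placeholder, not a real certificate, and the function names are my own.

```python
import base64
import binascii
import re
from typing import List, Tuple

# One PEM certificate block; group 1 is the base64 body between the markers.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

def parse_pem_certificates(text: str) -> List[str]:
    """Return every CERTIFICATE block in text, re-wrapped as canonical 64-column PEM.
    Raises ValueError if a body is not valid base64 (typically damaged while copying)."""
    certs = []
    for body in PEM_CERT.findall(text):
        b64 = "".join(body.split())  # drop line breaks and stray whitespace
        try:
            base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate block is not valid base64: {exc}") from exc
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs

def decode_pem_body(pem: str) -> bytes:
    """DER bytes of a single PEM block, for quick sanity checks."""
    return base64.b64decode("".join(PEM_CERT.search(pem).group(1).split()))

def split_leaf_and_chain(text: str) -> Tuple[str, str]:
    """First block is the server (leaf) certificate; every later block forms the chain."""
    certs = parse_pem_certificates(text)
    if len(certs) < 2:
        raise ValueError(f"expected server certificate plus intermediate(s), found {len(certs)}")
    return certs[0], "".join(certs[1:])

def split_file(src: str, leaf_path: str, chain_path: str) -> None:
    """Write the 'public key certificate' and 'certificate chain' files the load balancer asks for."""
    with open(src, encoding="utf-8-sig") as fh:  # utf-8-sig tolerates a Notepad BOM
        leaf, chain = split_leaf_and_chain(fh.read())
    with open(leaf_path, "w", encoding="ascii") as fh:
        fh.write(leaf)
    with open(chain_path, "w", encoding="ascii") as fh:
        fh.write(chain)

def constructed_pem(payload: bytes) -> str:
    """Constructed placeholder block (NOT a real certificate) used only for the demo below."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed stand-in for 'domain-crt-contains-2-certs-zero-ssl-last-step.txt'.
SAMPLE_TWO_CERT_FILE = (constructed_pem(b"constructed placeholder: server certificate")
                        + constructed_pem(b"constructed placeholder: intermediate certificate"))
```

Call split_file("domain-crt-contains-2-certs-zero-ssl-last-step.txt", "public-key-certifcate-derived-from-2-cert-file-use-in-g-load-balancer.pem", "chain-certicate-derived-from-2-cert-file-use-in-g-load-balancer.pem") on the real download to produce the two files named in the steps above.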

HTTPS Certificate Files

You should now have the following files to help you set up HTTPS on AWS or Google Load Balancer:

  1. public-key-certifcate-derived-from-2-cert-file-use-in-g-load-balancer.pem
  2. chain-certicate-derived-from-2-cert-file-use-in-g-load-balancer.pem
  3. domain-crt-contains-2-certs-zero-ssl-last-step.txt

You also have these two files at this point. They will be needed when you renew the HTTPS certificate.

  1. lets-encrypt-private-key-file.pem
  2. csr.pem-use-for-renewal.txt

Keep all 5 of them somewhere you can easily retrieve them as needed. Two of them (the domain private key and the Let's Encrypt private key) are secrets, so that place should not be a shared or public folder.

The certificate is valid for 90 days and is free to renew.

It is strongly advised to renew your certificate within 60 days if you want to avoid the DNS re-check. Between 60 and 90 days, Let's Encrypt forces you to re-verify the domain by either the HTTP or the DNS method.

Set up a calendar reminder on the 59th day to renew and update the certificate on your server.

To renew, just repeat the process using the same two files mentioned above.

Using the same CSR means you do not need a new domain key (it stays the same) and only have to update the certificate file on your server. Reusing the CSR also means reusing the private key, so if you ever suspect that key was exposed, generate a fresh CSR and key instead.

Convert the ZeroSSL certificate and key files to Windows 10 PFX format

These files cannot be used directly on a Windows IIS server. We need to convert them into a single file with the *.PFX extension to make them compatible.
The process has two parts, renaming and converting, and is run on your Windows machine:

  1. Rename the file ‘domain-crt-contains-2-certs-zero-ssl-last-step.txt’ to ‘certificate-2-cert-file-use-in-windows.cert’. Note that the file extension has changed.
  2. Rename ‘domain-private-key-use-in-g-load-balancer.pem’ to the same file name as the cert file, but with the extension ‘.key’.
    In our case this file should now be named ‘certificate-2-cert-file-use-in-windows.key’.
  3. Now open the Windows command prompt (Start -> Run -> cmd -> Enter) and change to the folder where these two files are saved.
  4. Run the command to convert the ZeroSSL cert file to a .PFX file:

    certutil -mergepfx certificate-2-cert-file-use-in-windows.cert certificate-2-cert-file-use-in-windows.pfx

    certutil is a built-in Windows command and should already be present on your machine. It looks for the private key in a file with the same base name as the certificate file and a ‘.key’ extension, which is why the rename in step 2 matters.

    (Screenshot: ZeroSSL convert to PFX file for Windows)
  5. Enter a password of your choice and confirm it. Once done, the PFX file is created and stored in the same folder. The PFX now contains the private key, so treat it with the same care as the key file itself.

    (Screenshot: Windows PFX file from Let's Encrypt certificate)

Install the ZeroSSL certificate PFX file on Windows IIS 10

  1. Go to IIS Manager. Click Start -> Run -> inetmgr -> Enter.
  2. Click on your IIS server name and then choose ‘Server Certificates’.
  3. On the Server Certificates screen, in the right-hand panel, click ‘Import’.
  4. Select your .PFX file. Enter the password that you set when creating this PFX file.

    (Screenshot: Install ZeroSSL certificate PFX file on Windows IIS)
  5. The certificate is now installed / imported on IIS. You can now use it for any of the websites hosted on your IIS instance.
  6. Click the name of your website hosted on IIS. In the right-hand panel, click ‘Bindings’.
  7. In the Bindings dialog box, click ‘Add’ and then choose ‘https’. The port is populated with ‘443’ automatically. Leave all other values at their defaults.
  8. Select the certificate that you just imported into IIS from the drop-down. Click OK.

    (Screenshot: Connect ZeroSSL certificate with website on Windows IIS)
  9. Your website is now using HTTPS with a Let's Encrypt certificate.
  10. Browse your website in any internet browser using the prefix ‘https://apps.am22tech.com’ and it should work.
  11. Make sure you redirect the HTTP version of your site to the HTTPS version to retain the SEO (Search Engine Optimization) value.