Create Let’s Encrypt certificates on Mac OS and host them on the IIS server

In my practice, we often run into the simplest tasks, which in turn are of great benefit, but it is not easy to find a complete manual and you have to collect it bit by bit. I am writing this article mostly for myself, since a Let’s Encrypt certificate is issued for 3 months and each time I have to look for the links and terminal commands again (re-assemble everything bit by bit).

In this article, I’ll show you how to install a Let’s Encrypt SSL certificate created on Mac OS on an IIS server.

The first thing we need is to install certbot on Mac OS. To do this, we need to install Homebrew. I won’t go into it here, I’ll just link to Homebrew: https://brew.sh. There should be no problems here; if there are difficulties, write in the comments and I will help.

We start the terminal and write:

brew install certbot

Next, we need to create a certificate with verification via DNS. There are other options for validating a domain name, but this is the one I use. I will use creating a certificate for the domain name bpo.travel as the example.

We write the following line on the command line:

sudo certbot certonly --manual --preferred-challenges dns -d "bpo.travel"

We should receive the following response, which asks us to create a TXT record on our DNS server for the name _acme-challenge.bpo.travel with the specified value.

Next, we go to our DNS server (in our case it is 1gb.ru) and create a TXT record with the specified value.

We wait for some time (in my case about 15 minutes, and it often works only on the 3rd or 4th attempt, because I’m in a hurry), return to the terminal and press Enter. In response, we should see the following.

If you pressed Enter ahead of time and the DNS record has not had time to update, we will see the following response.

In this case, you will have to run the request again and create the TXT record on the DNS server with the new value.

If everything is OK, open Finder and go to /etc/letsencrypt/archive/.

Next, we copy the bpo.travel folder, for example, to Downloads (when copying, we enter our computer’s password).

Then we need to create a pfx certificate from the ready-made pem certificate that certbot created for us, which lies together with the keys in the bpo.travel folder we copied.

To do this, we need a certificate converter. I am using the following:

https://www.sslshopper.com/ssl-converter.html

I upload all the created files and click Convert Certificate.
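An alternative to uploading the files to a web converter, added here as an example that is not part of the original article: the same pem-to-pfx conversion done locally with the openssl that ships with Mac OS, so the private key stays on the machine. The sample key and certificates it generates are constructed stand-ins for certbot's files, and the export password is a placeholder.

```shell
#!/bin/sh
# Builds the .pfx for IIS locally with openssl so the private key never leaves
# the Mac. Paths follow certbot's layout (privkey.pem, cert.pem, chain.pem);
# the sample certificates below are constructed stand-ins for certbot's output.
set -eu

# Constructed test data: a throwaway key/cert for bpo.travel plus a separate
# "issuer" cert standing in for chain.pem (certbot writes the real ones).
make_sample_certbot_dir() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bpo.travel" \
    -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample issuer" \
    -keyout "$1/issuer.key" -out "$1/chain.pem" 2>/dev/null
  chmod 600 "$1/privkey.pem" "$1/issuer.key"
}

# $1 = directory holding privkey.pem, cert.pem and chain.pem
# $2 = output .pfx path; $3 = export password (IIS asks for it on import)
make_pfx() {
  openssl pkcs12 -export -name "bpo.travel" \
    -inkey "$1/privkey.pem" -in "$1/cert.pem" -certfile "$1/chain.pem" \
    -passout "pass:$3" -out "$2"
  chmod 600 "$2"   # the .pfx contains the private key, so protect it like one
}
# If an older Windows refuses the import, OpenSSL 3 users can add -legacy to
# the export above to fall back to the older PKCS#12 encryption.

# Prints the number of certificates in the .pfx (leaf + chain = 2 here).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c "BEGIN CERTIFICATE"
}

# Succeeds only if the .pfx unlocks with the password and holds a private key.
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Stand-alone run: sample folder -> bpo.travel.pfx -> sanity checks.
work=$(mktemp -d)
make_sample_certbot_dir "$work"
make_pfx "$work" "$work/bpo.travel.pfx" "ExportPassword-ChangeMe"
echo "certificates in pfx: $(pfx_cert_count "$work/bpo.travel.pfx" "ExportPassword-ChangeMe")"
pfx_has_key "$work/bpo.travel.pfx" "ExportPassword-ChangeMe" && echo "private key present"
```

With real certbot output, point make_pfx at the copied bpo.travel folder (or /etc/letsencrypt/live/bpo.travel) and copy only the resulting .pfx to the IIS server.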

As a result, I get a ready-made pfx certificate. Next, we need to install it on our IIS server. In my case, I connect to it remotely via RDP and open IIS Manager.

Next, I remove the old certificate. To do this, I need to go into Server Certificates

and remove the bpo.travel certificate.

Next, we need to install the new certificate on our server. To do this, simply click on the certificate and install it for the local computer (this is the only thing you need to change; leave everything else as it is and click Next, Next, …).

After that, we return to IIS, select our site (bpo.travel), open the context menu with the right mouse button, select the “Change Bindings” item and fill in everything as in the screenshot.

We press OK.

That’s all, the certificate has been successfully installed.

This is my first experience of writing an article; if something needs to be added or explained, write in the comments.
