SSL connections are now standard for publicly available websites, and the same should apply to Microsoft Exchange. Let's Encrypt operates a free certificate authority (CA) that not only issues certificates free of charge but also allows automating the renewal requests. This guide goes through the procedure for IIS and Exchange.

The CA of Let's Encrypt issues certificates for individual hosts or subject alternative name (SAN) certificates. There's been support for wildcard certificates since the beginning of 2018. Note that the certificates are only valid for 90 days. Therefore, it is advisable to set up an automatic process for regular renewal.

Numerous ACME clients

To verify that applicants control the domains they wish to issue certificates for, Let's Encrypt uses the Automatic Certificate Management Environment (ACME) protocol.

Let's Encrypt itself does not offer its own ACME clients, but there are a number of them for most platforms. Here we use win-acme, a free console program for Windows by Tinus Wouter.

You can copy the ACME client files under the IIS directory


Version 2.0 is currently available as a beta and requires the .NET Framework 4.7.2. In my lab, the tool crashed right at the start; hence, I have used the stable v1.9.12.2 instead. If you want to request wildcard certificates, you need the ACME2 protocol, which this tool supports only from version 2.0 onwards.

Verification requires accessibility via the internet

No matter which method of verifying the domain you choose, they all have in common that the fully qualified domain name (FQDN) must be resolvable via a public DNS server and the host must be reachable via the internet on port 80.

This is also true if you decide to verify domain ownership using a file, which the client writes to the local computer. You have to copy it to the host, where it must be retrievable by Let's Encrypt.

Using the default website as an example to check the hostname in the HTTP bindings


In our example, we let win-acme read the bindings of an IIS site; hence, the ACME client determines the hostnames from the IIS configuration. Therefore, we have to make sure in the IIS Manager that HTTP is bound to the respective FQDN at the desired sites.
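Before starting the ACME client, it is worth checking the two conditions above in one pass: every HTTP binding on the sites you intend to use carries an FQDN, and that FQDN resolves on a public resolver. The following PowerShell is an added pre-flight check, not code from the article or from the win-acme project. It assumes the WebAdministration module (installed with IIS Manager) and the DnsClient module are available; the site names and the resolver address are assumptions to adapt.

```powershell
# Added example (not from the article or win-acme): pre-flight check for http-01 validation.
# For each HTTP binding on the chosen IIS sites, confirm a hostname is set, it sits on
# port 80, and it resolves on a public DNS server.
Import-Module WebAdministration

$Sites    = @('Default Web Site', 'Exchange Back End')   # assumption: the two Exchange IIS sites
$Resolver = '8.8.8.8'                                    # assumption: any public resolver will do

foreach ($site in $Sites) {
    $bindings = Get-WebBinding -Name $site -Protocol http
    if (-not $bindings) {
        Write-Warning "${site}: no HTTP binding at all; win-acme will find no hostnames here"
        continue
    }
    foreach ($b in $bindings) {
        # bindingInformation looks like "IP:port:hostname", e.g. "*:80:mail.example.com"
        $ip, $port, $hostName = $b.bindingInformation -split ':', 3
        if ([string]::IsNullOrWhiteSpace($hostName)) {
            Write-Warning "${site}: binding ${ip}:${port} has no hostname; set the FQDN in IIS Manager"
            continue
        }
        if ($port -ne '80') {
            Write-Warning "${site}: ${hostName} is bound to port ${port}, but http-01 validation arrives on port 80"
        }
        try {
            $answers = Resolve-DnsName -Name $hostName -Type A -Server $Resolver -ErrorAction Stop
            $addrs   = ($answers | Where-Object { $_.IPAddress }).IPAddress -join ', '
            Write-Host "${site}: ${hostName} -> ${addrs} (public DNS OK)"
        } catch {
            Write-Warning "${site}: ${hostName} does not resolve on ${Resolver}; Let's Encrypt cannot validate it"
        }
    }
}
```

Run it in an elevated PowerShell on the Exchange server; a warning for a site with a hostname-less binding is exactly the situation in which win-acme later reports that it found nothing to request.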

Interactive request of the certificate

Upon meeting this condition, we start the ACME client called letsencrypt.exe. After confirming the terms of use, this program presents a text-oriented menu from which we select N for a new certificate.

Entry menu of letsencrypt.exe


We then decide on 3, which is "SAN Certificate for all bindings of multiple IIS sites." Exchange has had two IIS sites since version 2013 that need a certificate. After that, we choose option 3 "[http-01] Create temporary application in IIS" as the method.

Selecting a SAN certificate for all bindings from multiple sites


After it successfully issues the certificate, letsencrypt.exe will store it under C:\ProgramData\win-acme\\.

The ACME client then offers to create a scheduled task for automatic certificate renewal. In a pure IIS environment, you will accept this, and the process is finished at this point.

If everything went well, IIS should now have the certificate installed. If not, you can quickly assign it manually in the IIS Manager.

Assigning a certificate to POP, IMAP, or SMTP

If you need the certificate for Exchange, then not all services have a certificate at this point. You could now assign it manually in the web console; instead, we will use the script ExchangeLetsEncrypt.ps1 by Anthony Eden.

It requires two parameters: CertificateImport (for the path to the PFX file Let's Encrypt has generated, usually at C:\ProgramData\letsencrypt-win-simple\) and RDCB (the server's FQDN).
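To understand what the assignment step does, and to verify the result afterwards, here is the equivalent in Exchange Management Shell cmdlets. This is an added illustration, not the content of ExchangeLetsEncrypt.ps1 and not from the article. It assumes it runs in the Exchange Management Shell on the mailbox server; the PFX path is a placeholder, and the PFX password is whatever the ACME client was configured to use.

```powershell
# Added example (not the ExchangeLetsEncrypt.ps1 script): import the PFX, bind it to the
# Exchange services, then list which certificate every service actually uses.
$PfxPath = 'C:\ProgramData\win-acme\PLACEHOLDER-PFX-DIR\mail.example.com.pfx'   # assumption: adapt
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Read the thumbprint locally first, so a rerun does not fail on "certificate already exists".
$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPass)
$tp   = $x509.Thumbprint

if (-not (Get-ExchangeCertificate -Thumbprint $tp -ErrorAction SilentlyContinue)) {
    # -FileData works on Exchange 2013 and later; keep the key exportable so the
    # certificate can be copied to further servers if needed.
    Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) `
        -Password $PfxPass -PrivateKeyExportable $true | Out-Null
}

# Bind it to the services named in the article. -Force answers the
# "overwrite the existing SMTP certificate?" prompt, which matters when run unattended.
Enable-ExchangeCertificate -Thumbprint $tp -Services POP,IMAP,SMTP,IIS -Force

# Verify: every certificate in the store with its services and remaining lifetime,
# so a still-bound expired or self-signed certificate stands out.
Get-ExchangeCertificate | Sort-Object NotAfter -Descending |
    Select-Object Thumbprint, Subject, Services,
        @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
        @{ n = 'SANs';     e = { $_.CertificateDomains -join ', ' } } |
    Format-Table -AutoSize
```

The final table is the check to keep: after a renewal, the new thumbprint should show all four services, and the old Let's Encrypt certificate should show none.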

Extending a certificate

Because the validity of the certificate is limited to 90 days, you must be careful not to miss its renewal. It is best to set up a scheduled task that should not only contain the ACME client with the renewal parameter but also the PowerShell script mentioned above to assign the certificate to all Exchange services:

C:\inetpub\letsencrypt\letsencrypt.exe --renew --baseuri -File "C:\inetpub\letsencrypt\ExchangeLetsEncrypt.ps1" -CertificateImport "C:\ProgramData\win-acme\\" -ServerName

The script author provides a batch file (ExchangeInstallLE.bat) that contains these two commands; you only need to adapt it to your own environment.
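The scheduled task can also be registered from PowerShell, and since a silently failing task is the main risk with 90-day certificates, it pays to pair it with an independent expiry check on the certificate IIS actually serves. The following is an added example, not from the article or the script author; it only schedules the author's batch file. It assumes the batch file was saved at the path shown, that the task runs as SYSTEM (both win-acme and the Exchange cmdlets need local administrator rights), and the task name and warning threshold are assumptions.

```powershell
# Added example (not from the article or the script author): register the renewal chain
# as a daily scheduled task and warn when the IIS-bound certificate is close to expiry.
$Batch    = 'C:\inetpub\letsencrypt\ExchangeInstallLE.bat'   # assumption: where the batch file was saved
$TaskName = 'LetsEncrypt-Exchange-Renew'                     # assumption

$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$Batch`"" `
                 -WorkingDirectory (Split-Path $Batch)
# Daily is fine: win-acme only contacts the CA once the certificate is actually due for renewal.
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Independent check: inspect the certificate bound to each IIS https binding and warn
# well before the 90-day lifetime ends, so a broken task is noticed in time.
Import-Module WebAdministration
$WarnDays = 30   # assumption: alert threshold
foreach ($binding in Get-WebBinding -Protocol https | Where-Object certificateHash) {
    $path = "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
    $cert = Get-Item $path -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$($binding.bindingInformation): bound certificate not found in the store"
        continue
    }
    $left = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $msg  = "$($binding.bindingInformation): $($cert.Subject) expires in $left days"
    if ($left -lt $WarnDays) { Write-Warning $msg } else { Write-Host $msg }
}
```

The check deliberately reads the certificate from the binding rather than trusting the task history: a task that "succeeded" while win-acme skipped the renewal still leaves the old certificate in place, and that is what the warning catches.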


Renewing a certificate via letsencrypt.exe command line parameters


This ensures immediate reassignment of the renewed certificate to all Exchange services.

2k9, 3 years ago:

Does port 80 have to be open for extending the certificate after 90 days?

Tom Debrecini, 2 days ago:

Yes, the validation is performed on port 80. The authorizations for the account are cached for 30 days, which means that if you renew within 30 days, no validation will be performed. It is recommended to renew the certificate within 60 days, instead of waiting for the 90 days mark.

      The win-acme client is really good but simply not suitable for Exchange servers – you have to go through such painful steps to get a cert installed and renewed on Exchange. The ACMEExchange client is free (cli based as well) and specifically designed for Exchange servers. It’s simple, just run the command with the DNS names that you need, and forget it – everything else is taken care of (renewals, cleaning up old LE certs, etc.). Plus you get an email report every time the cert is renewed as well.

© 4sysops 2006 - 2023