Deploying free SSL certificates (Let's Encrypt) on Windows
As the Internet has grown, network security has become increasingly important. For a website, moving from HTTP to HTTPS is one of the first things to do, and the first step towards HTTPS is obtaining an SSL certificate. This article covers the following:
1. Introduction to SSL
2. Free Let's Encrypt certificate deployment
3. Installation Considerations
I. Introduction to SSL
SSL (Secure Sockets Layer) is a network encryption protocol that sits between the application layer and the transport layer, that is, between TCP/IP and the individual application-layer protocols, and provides encryption for application data in transit. It consists of two parts, the record protocol and the handshake protocol; readers who are interested can study them in detail. Here is a brief outline of the process.
The workflow can be summarised as follows: the client sends a request to the server, the two sides perform a handshake and exchange certificate information, and a secure connection is established. Broken down, the steps are:
Client: sends the SSL versions and encryption methods it supports to the server.
Server: selects the encryption method and sends its certificate and public key to the client.
Client: verifies the certificate, generates a shared key using the server's public key, and exchanges it with the server.
Server: confirms, and from here on application data is exchanged encrypted.
This is a simplified description of the handshake; each step can be broken down further, and the relevant documentation covers the details.
Here we also need to introduce TLS, which is based on the SSL 3.0 specification and is more rigorous and clearly defined. TLS has an extension called SNI (Server Name Indication), whose main function is described below.
A host commonly serves many sites. We cannot know in advance the full list of domain names that will be served from a host, yet we cannot reissue the certificate every time a domain name is added or changed. With SNI, multiple certificates can be deployed on one host, and the server selects the correct virtual host during the handshake and sends the matching certificate. In IIS 8.0 or later, the following option is available when binding a domain name:
There are many free and paid SSL certificate providers to choose from. We could also act as our own issuing authority and create SSL certificates ourselves, but browsers such as Google Chrome will then warn that the certificate authority is untrusted and block access, which is very bad for the user experience. By validation level, SSL certificates fall into the following categories:
EV: the industry's highest level of SSL certificate. With an EV certificate deployed, the address bar turns a prominent green and displays the name of the organisation that owns the site.
OV: a widely used organisation-validated SSL certificate. With an OV certificate deployed, a padlock icon is shown in the address bar.
DV: validates only the domain name and is issued quickly. The padlock is also shown in the address bar, but the certificate details contain no O (organisation) field: no organisation name is shown, only the domain name.
Most free certificates issued by SSL certificate authorities recognised by mainstream browsers are DV-level. Next I will introduce deploying free SSL certificates from the well-known Let's Encrypt on Windows.
II. Free Let's Encrypt certificate deployment
Let's Encrypt is a free SSL project launched abroad that is now recognised by mainstream browsers such as Google Chrome. For security reasons, a certificate issued through Let's Encrypt is valid for only three months and must be re-requested on expiry; this complicates deployment, so the official site provides various automation options. Here I will introduce the certificate application and automatic renewal tool for Windows, letsencrypt-win-simple.
First, download the release from GitHub (https://github.com/Lone-Coder/letsencrypt-win-simple/releases) and unzip it.
Because verification files need to be created under the site during installation, open a command prompt as administrator: right-click the Start menu and choose Command Prompt (Admin).
Enter the extracted folder and run letsencrypt.exe --san.
After it starts, all websites under IIS are listed automatically, with the following options:
These options correspond to different situations. Because my machine hosts several sites and I want to issue one certificate covering them, I choose S; the tool then prompts for the numbers of the sites to include, and I enter 3, 4.
Next it creates a verification file under each site. Once verification passes, the corresponding certificate is generated and added to IIS, and if everything goes normally a scheduled renewal task is created in Task Scheduler.
The tool still has some bugs. I personally hit several abnormal-termination errors during installation and had to repeat the operation twice before it succeeded. If you run into problems too, open Server Certificates in IIS Manager to check whether the certificate was created; if it was, you can bind it manually.
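The manual check-and-bind step described above, as an added example that is not part of the article or of letsencrypt-win-simple: it looks for a valid Let's Encrypt certificate for the host in the machine store and, if found, creates an SNI https binding on the IIS site (the site name, host name and the stores searched are assumptions).

```powershell
# Added example, not from the article or from letsencrypt-win-simple: after a failed run,
# check whether a Let's Encrypt certificate for the host exists in the machine store and,
# if so, bind it to the IIS site by hand with SNI. Site and host names are assumptions.
Import-Module WebAdministration

$siteName = 'MySite'            # assumed IIS site name
$hostName = 'www.example.com'   # assumed host header the certificate was issued for

# Search both stores the tool might have used (assumption); keep the newest unexpired match.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DnsNameList.Unicode -contains $hostName -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -like "*Let's Encrypt*"
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid Let's Encrypt certificate for $hostName in the machine store; re-run the tool."
}
"Found certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Create the https binding with SNI (SslFlags 1 = SNI, IIS 8.0+) unless it already exists.
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
}

# Attach the certificate to that binding; the store name is taken from where the cert was found.
$storeName = ($cert.PSParentPath -split '\\')[-1]
$binding.AddSslCertificate($cert.GetCertHashString(), $storeName)

# Verify: the https binding should now show the host name and sslFlags = 1.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object protocol, bindingInformation, sslFlags
```

Run it from an elevated PowerShell session, since both the certificate store and IIS configuration require administrator rights.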
III. Considerations
Let's Encrypt imposes rate limits to prevent abuse. Here is the limit information from the official website:
If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.
We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.
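A pre-flight check that encodes the two limits quoted above before a renewal job contacts the CA, as an added example that is not part of the article or of Let's Encrypt (the issuance-log format and the sample entries are constructed):

```powershell
# Added example, not from the article or from Let's Encrypt: a pre-flight check that applies
# the two limits quoted above (100 names per certificate, 5 duplicate certificates per week)
# to a renewal request before contacting the CA. The issuance log format is an assumption.

function Get-NameSetKey {
    param([string[]]$Names)
    # The duplicate rule ignores capitalisation and ordering, so normalise to a sorted,
    # lower-case, de-duplicated key that is identical for every spelling of the same set.
    ($Names | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique) -join ','
}

function Test-LetsEncryptRequest {
    param(
        [string[]]$Names,
        [object[]]$IssuanceLog,          # entries with IssuedAt ([datetime]) and Names ([string[]])
        [datetime]$Now = (Get-Date),
        [int]$MaxNamesPerCert = 100,
        [int]$MaxDuplicatesPerWeek = 5
    )
    $problems = @()
    $key = Get-NameSetKey $Names
    $nameCount = ($key -split ',').Count
    if ($nameCount -gt $MaxNamesPerCert) {
        $problems += "Request carries $nameCount names; the limit is $MaxNamesPerCert per certificate."
    }
    $weekAgo = $Now.AddDays(-7)
    $duplicates = @($IssuanceLog | Where-Object {
        $_.IssuedAt -gt $weekAgo -and (Get-NameSetKey $_.Names) -eq $key
    }).Count
    if ($duplicates -ge $MaxDuplicatesPerWeek) {
        $problems += "Already issued $duplicates certificates for this name set this week; the limit is $MaxDuplicatesPerWeek."
    }
    [pscustomobject]@{ Allowed = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample log: the same name set issued five times this week in varying spellings,
# plus one older issuance that falls outside the seven-day window.
$now = Get-Date
$log = 1..5 | ForEach-Object {
    [pscustomobject]@{ IssuedAt = $now.AddDays(-$_); Names = @('WWW.example.com', 'example.com') }
}
$log += [pscustomobject]@{ IssuedAt = $now.AddDays(-20); Names = @('example.com', 'www.example.com') }

# Sixth request for the same set is blocked; adding blog.example.com makes a new set and is allowed.
Test-LetsEncryptRequest -Names @('example.com', 'www.example.com') -IssuanceLog $log -Now $now
Test-LetsEncryptRequest -Names @('example.com', 'www.example.com', 'blog.example.com') -IssuanceLog $log -Now $now
```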
If you want to test the process, run letsencrypt.exe --test from the command line to enter the test environment.
If you have other questions, or are interested in my open-source projects, please follow the public account (OSSCoder):