Let’s Encrypt – Zero SSL Online Wizard


Background

In this exercise we will use ZeroSSL Online Wizard to process a new Let’s Encrypt SSL Certificate.

Glossary

Certificate Signing Request (CSR)

In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).

Link

Domain Validated Certificate (DV)

A domain-validated certificate (DV) is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the identity of the applicant has been validated by proving some control over a DNS domain.

The sole criterion for a domain-validated certificate is proof of control over a domain. Typically control over a domain is determined using one of the following:

a) Response to email sent to the email contact in the domain’s whois details
b) Response to email sent to a well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
c) Publishing a DNS TXT record
d) Publishing a nonce provided by an automated certificate issuing system

Link

Intermediate Certificate

Intermediate certificates are used as a stand-in for our root certificate. We use intermediate certificates as a proxy because we must keep our root certificate behind numerous layers of security, ensuring its keys are absolutely inaccessible.

However, because the root certificate itself signed the intermediate certificate, the intermediate certificate can be used to sign the SSLs our customers install and maintain the “Chain of Trust.”

Installing Intermediate Certificates

After your SSL certificate is issued, you will receive an email with a link to download your signed certificate and our intermediate certificates.

How you install the certificates depends on the server software you use. In most cases, you can download and install an intermediate certificate bundle. However, for some server types you must download and install the two intermediate certificates individually. Please refer to the Install SSL certificates for the specific process you should follow.

Link

Let’s Encrypt – Client Option

From the list of Client Options for Let’s Encrypt, we have ZeroSSL.

ZeroSSL Windows

ZeroSSL offers two ways of using it on Windows: a script-based client and a browser-based wizard.

For reasons that we will have to cover in another post, the Wizard is our only option on our targeted OS, MS Windows 2003.

Processing

Outline

  1. Using IIS Manager, Request Certificate
  2. Using IIS Manager, Configure virtual folder
    • .well-known\acme-challenge
      • Mime Type ( extension-less files )
  3. Access ZeroSSL’s Website
    • Access Wizard
    • Submit Request
      • Paste the generated CSR into the right side of the request
      • Receive Domain Certificate
      • Press OK
    • Verification Process
      • Select Verification process ( HTTP or DNS )
      • Process Verification
    • Receive Certificates
      • Machine Certificate
      • Certificate Authority Certificate
  4. Using IIS, Accept Certificate
  5. Using IIS, Review Accepted Certificate

Request Certificate

Hopefully, you have already installed IIS on your targeted machine.

Steps

  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Server Certificate” window appears
      • Choose the “Create a new certificate” option button
    • The “IIS Certificate Wizard – Delayed Or Immediate Request” window appears
    • The “IIS Certificate Wizard – Name and Security Settings” window appears
      • Change the Certificate Name from “Default” to a friendly, pertinent name that will make it easy to associate and identify later
      • Change the Bit Length from 1024 to 4096
    • IIS Certificate Wizard – Organization Information
      • Enter “Organization” Information
      • Enter “Organization Unit” Information
    • IIS Certificate Wizard – Geographical Information
      • Choose Country
      • Enter State
      • Enter City
    • IIS Certificate Wizard – Certificate Request File Name
      • Enter a filename to save the “Certificate Request” file under
    • IIS Certificate Wizard – Request File Summary
      • Review Request Summary

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Server Certificate

IIS Certificate Wizard – Delayed Or Immediate Request

IIS Certificate Wizard – Name and Security Settings

IIS Certificate Wizard – Name and Security Settings – Initial

IIS Certificate Wizard – Name and Security Settings – After

IIS Certificate Wizard – Organization Information

IIS Certificate Wizard – Geographical Information

IIS Certificate Wizard – Certificate Request File Name

IIS Certificate Wizard – Request File Summary

IIS Certificate Wizard – Completing the Web Server Certificate Wizard

Configure .well-known\acme-challenge

Steps

  1. Using Windows Explorer or Command Shell, create a new folder under the root folder
    • Example
      • c:\inetpub\wwwroot\.well-known\acme-challenge
  2. Register a new mime-type for extension-less files
  3. Validate that extension-less files are handled
    • Temporarily enable directory browsing
    • Create extension-less files under .well-known\acme-challenge
    • Using a web browser, access the folder and open the extension-less files

Images

acme-challenge Properties

acme-challenge Properties – Mime Types – Adding Extension-less file

acme-challenge Properties – Mime Types

Validate extension-less files are handled

Access ZeroSSL Website

https://zerossl.com/free-ssl/#crt

Details

Outline

On the Details Tab

  • Enter fields
    • Email (optional)
      • Email to correspond and inform of pending expiration
    • Paste your Let’s Encrypt key
      • If you already have a Let’s Encrypt Key, please paste it
    • Domains ( Only if you have no CSR)
    • Paste your CSR or leave it blank to generate
      • We have a CSR we generated using IIS Manager
    • Verification
      • Verification Choices
        • HTTP Verification
        • DNS Verification
      • We chose HTTP
    • Accept ZeroSSL TOS
    • Accept Let’s Encrypt SA (PDF)
  • We pasted the generated CSR
  • And clicked on the Next button
  • Account Key
    • The system stays busy for a while, as the Account Key is generated
    • Once generated, the Account Key is placed in the Account Key text box
  • Click the Next button

Image

ZeroSSL : Free SSL – Home Page

ZeroSSL : Free SSL – Free SSL Certificate Wizard

Details

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details – CSR Pasted

CSR Pasted

Here we paste the “Certificate Request” ( CSR ) we generated earlier.

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Generate Account Key

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Account Key Generated

Verification

Verification – Guidance

On the Verification Tab, for each Domain that we submitted on the Details tab, we are given guidance per:

  • Domain Name
  • Filename
  • File Content

Screen Shot

Verification – Initial

Verification – Implementation

On the Verification Tab, for each Domain that we submitted on the Details tab, we implement the guidance as follows:

  • Access the WebSite root folder
    • Usually C:\inetpub\wwwroot
  • Create the sub-folder .well-known\acme-challenge
  • For each domain
    • Create the file named on the Verification tab
    • Add the file contents shown on the Verification tab
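As an added check for the “Validate extension-less files are handled” step and for the verification file above (example code, not from the post or from ZeroSSL): it fetches the challenge file the way an HTTP validator would and flags the two usual failures, a 404 because IIS will not serve the extension-less file, and a leading UTF-8 BOM left by the editor that saved the file. The demo serves a temporary folder with Python’s built-in web server as a stand-in for IIS; the token and file content are constructed values, not a real key authorization.

```python
import functools
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = "/.well-known/acme-challenge/"          # path an HTTP validator fetches
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def verify_challenge(base_url, token, expected):
    """Fetch the challenge file like a validator and compare it with `expected`."""
    url = base_url.rstrip("/") + CHALLENGE_DIR + token
    try:
        with OPENER.open(url, timeout=10) as resp:
            body = resp.read()
    except urllib.error.URLError as e:           # HTTPError (e.g. 404: extension-less file not served) is a URLError
        return {"url": url, "ok": False, "reason": "fetch failed: %s" % e}
    if body.startswith(b"\xef\xbb\xbf"):         # editor saved the file as UTF-8 with a BOM
        return {"url": url, "ok": False, "reason": "file starts with a UTF-8 BOM; re-save it without one"}
    if body.decode("ascii", "replace").rstrip() != expected.strip():
        return {"url": url, "ok": False, "reason": "content does not match the expected file content"}
    return {"url": url, "ok": True, "reason": "served and content matches"}

def serve_tree(root):
    """Start a throw-away local web server over `root` (stand-in for IIS in this demo)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def demo(file_bytes, expected, token="constructed-token", create=True):
    """Write a constructed challenge file under a temp web root, serve it, verify it."""
    root = tempfile.mkdtemp()
    challenge = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(challenge)
    if create:
        with open(os.path.join(challenge, token), "wb") as f:
            f.write(file_bytes)
    srv, base = serve_tree(root)
    try:
        return verify_challenge(base, token, expected)
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(root, ignore_errors=True)
```

Against the real site, call verify_challenge("http://your-domain", filename, file_content) with the values shown on the Verification tab before clicking the verification link.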

Verification – Created File

Verification – File Contents

Verification – Link Clicked

Certificate

Outline

On the Certificate Tab

  • Information
    • Certificates are good for 90 days
    • Keep the following for when you renew
      • Let’s Encrypt Key
        • The Account Key generated on the Details tab
      • CSR
        • Host specific
  • Download
    • Two certificates are provided as text
      • Host Assigned Cert
      • Issuer Cert
    • Depending on your targeted purpose, you have choices
      • IIS
        • For IIS, you can download the entire block, inclusive of the begin and end markers, and save it as one file
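As an added sanity check for the text downloaded on the Certificate tab (example code, not from the post or from ZeroSSL): before saving the pasted block as the file the IIS wizard will read, it splits the text into its PEM blocks, confirms that BEGIN/END markers pair up, that each body is valid base64, and that the outer DER SEQUENCE length matches the decoded bytes, which catches a paste that was cut short. The sample text below is constructed from two tiny DER SEQUENCEs and is not a real certificate chain.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length_ok(der):
    """True if the outer ASN.1 SEQUENCE length matches the data (catches truncated pastes)."""
    if len(der) < 2 or der[0] != 0x30:           # an X.509 Certificate is a SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                              # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                              # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def split_pem_chain(text):
    """Split pasted wizard text into PEM blocks and check each one.

    Returns one dict per block; block 0 should be the host certificate and
    block 1 the issuer (intermediate) certificate."""
    blocks = PEM_RE.findall(text)
    if text.count("-----BEGIN CERTIFICATE-----") != len(blocks):
        return [{"index": 0, "der_len": 0, "ok": False,
                 "reason": "unbalanced BEGIN/END markers (paste incomplete?)"}]
    results = []
    for i, b64 in enumerate(blocks):
        try:
            der = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
        except binascii.Error:
            results.append({"index": i, "der_len": 0, "ok": False, "reason": "body is not valid base64"})
            continue
        ok = der_length_ok(der)
        results.append({"index": i, "der_len": len(der), "ok": ok,
                        "reason": "DER length consistent" if ok else "DER length mismatch (truncated?)"})
    return results

# Constructed stand-in for the wizard's text: two tiny DER SEQUENCEs, not real certificates.
SAMPLE_PASTE = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""
TRUNCATED_PASTE = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"
```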

ScreenShot

Your Certificate is Ready

Certificate Text

Receive Certificate

In this section, we use IIS Manager to receive the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Pending Certificate” window appears
      • Choose the “Process Pending Request and install the certificate” option button
    • The “IIS Certificate Wizard – Process a pending Request” window appears
      • A lone text box asks for the certificate filename
        • The file being asked for is the one generated by our Certificate Authority ( CA )
          • Enter or paste the file name
          • Or click on the browse button to navigate the File System and select the file
    • The “IIS Certificate Wizard – Process a Pending Request – SSL Port” window appears
      • Accept or Change the SSL/HTTPS Port Number
    • The “IIS Certificate Wizard – Process a Pending Request – Certificate Summary” window appears
      • Review the Certificate Summary
        • Issued to :-
          • Internet :- FQDN
          • Intranet :- Computer Name
        • Issued By :-
          • Let’s Encrypt Authority X3
        • Expiration Date :-
          • For “Let’s Encrypt Authority X3”, 3 months from Issue Date
        • Intended Purpose :-
          • Server Authentication
          • Client Authentication
        • Friendly Name :-
          • The friendly name entered when the request was created
    • The “IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard” window appears

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Pending Certificate Request

IIS Certificate Wizard – Process a Pending Request

IIS Certificate Wizard – Process a Pending Request – Browse

IIS Certificate Wizard – Process a Pending Request – File Selected

IIS Certificate Wizard – Process a Pending Request – SSL Port

IIS Certificate Wizard – Process a Pending Request – Certificate Summary

IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard

IIS Certificate Wizard – Process a Pending Request – Completed Web Server Certificate Wizard

Review Certificate

In this section, we use IIS Manager to review the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Web Site
  3. Access the “Directory Security” tab
    • Click the “View Certificate” button
  4. The “Certificate” window appears
    • Window – Certificate // Tab – General
      • Issued To
      • Issued By
        • Let’s Encrypt Authority X3
      • Valid from
        • Valid from Begin to End Date
        • In our case 7/20/2017 thru 10/18/2017
    • Window – Certificate // Tab – Details
      • Issuer
        • Let’s Encrypt Authority X3
      • Valid from
      • Valid To
      • Subject
        • Common Name
      • Public Key
        • Length
          • Integration Guide ( Link ): Let’s Encrypt accepts RSA keys from 2048 to 4096 bits in length
          • In our case 4096
    • Window – Certificate // Tab – Certification Path
      • Certificate Path
        • Issuer
        • Issued To
      • Certificate Status :-
        • This certificate is OK

Certificate – View – General

Certificate – View – Details

Certificate – View – Certificate Path

References

  1. GoDaddy
    • IIS 8/Windows Server 2012: Generate CSRs (Certificate Signing Requests)
      Link
  2. Certificate Requests
    • Specifications
      • Bit Length
        • Integration Guide
          Link
        • Is it possible?
          Link
