Installing Let's Encrypt certificates on Windows Server
Overview
Windows Server Remote Access Services such as Remote Desktop Gateway and Remote Access VPN require a certificate issued by a Public Certification Authority.
The certificate is used to encrypt the traffic between the client and server and to authenticate the server to the client (not the client to the server). A self-signed certificate can be used instead, but then it has to be installed as trusted on every device your users connect from.
There is a free alternative: the Let's Encrypt service, which issues a publicly trusted certificate in a few minutes at no cost.
Win-Acme
To talk to the certification server you need the Win-Acme client (an ACME client for Windows). The client is free, and its source code is available on GitHub.
Client installation
Download the latest version of Win-Acme from https://github.com/win-acme/win-acme/releases, trimmed option. Unpack the archive on the Windows server where you need to install the certificate.
Install the certificate for SSTP VPN
Before installing, make sure that
- the server address is registered in DNS
- the DirectAccess and VPN (RAS) role is installed on the server
Run the following command:
wacs.exe --target manual --host vpn.example.com --certificatestore My --installation iis,script --installationsiteid 1 --script "Scripts\ImportSSTP.ps1" --scriptparameters "{CertThumbprint}"
where vpn.example.com is your server address.
Installing a certificate for Remote Desktop Gateway
Before installing, make sure that
- the server address is registered in DNS
- the Remote Desktop Gateway role is installed on the server
Run the following command:
wacs.exe --target manual --host rds.example.com --certificatestore My --installation iis,script --installationsiteid 1 --script "Scripts\ImportRDGateway.ps1" --scriptparameters "{CertThumbprint}"
where rds.example.com is your server address.
Certificate update
Note that a Let's Encrypt certificate is issued for 3 months, but the installation creates a task in Task Scheduler that renews it automatically before it expires.
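The following PowerShell script is an added example, not part of the original article or of the win-acme project. It checks the two prerequisites listed above (DNS name and installed role) before you run wacs.exe, and with -AfterInstall it verifies the outcome for either the SSTP VPN or the Remote Desktop Gateway case: that a Let's Encrypt certificate with a private key for the name exists in the machine store, that the service is actually bound to that thumbprint, and that the renewal task is present. The role feature names, the RemoteAccess and RemoteDesktopServices module cmdlets, the RDS: provider path and the win-acme scheduled task name pattern are assumptions about the standard Windows Server components and are labelled as such in the comments.

```powershell
<#
Added example (not the article's or win-acme's own code).
Usage:  .\Check-RasCert.ps1 -HostName vpn.example.com -Role SSTP
        .\Check-RasCert.ps1 -HostName rds.example.com -Role RDGateway -AfterInstall
Run in an elevated PowerShell on the server itself.
#>
param(
    [Parameter(Mandatory)][string]$HostName,
    [Parameter(Mandatory)][ValidateSet('SSTP', 'RDGateway')][string]$Role,
    [switch]$AfterInstall
)

# Assumption: these are the Server Manager feature names of the two roles.
$featureName = if ($Role -eq 'SSTP') { 'DirectAccess-VPN' } else { 'RDS-Gateway' }

# 1. The name must resolve; otherwise Let's Encrypt cannot validate the host.
try {
    $addresses = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop).IPAddress
    Write-Host "DNS OK: $HostName -> $($addresses -join ', ')"
} catch {
    Write-Warning "DNS lookup for $HostName failed: $($_.Exception.Message)"
}

# 2. The role must be installed, or the install script has nothing to bind to.
$feature = Get-WindowsFeature -Name $featureName
if ($feature -and $feature.Installed) { Write-Host "Role OK: $featureName" }
else { Write-Warning "Role $featureName is not installed on this server" }

if (-not $AfterInstall) { return }

# 3. Find the newest Let's Encrypt certificate for this name in LocalMachine\My
#    (the store given to wacs.exe via --certificatestore My).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $HostName -and $_.Issuer -like "*Let's Encrypt*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No Let's Encrypt certificate for $HostName found in LocalMachine\My"
    return
}
Write-Host "Certificate $($cert.Thumbprint) valid until $($cert.NotAfter)"
if (-not $cert.HasPrivateKey) { Write-Warning "Certificate has no private key; the service cannot use it" }
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) { Write-Warning "Certificate expires in under 14 days; check the renewal task" }

# 4. Confirm the service is bound to this thumbprint, not to an older one.
#    Assumption: Get-RemoteAccess exposes SslCertificate; the RDS: provider
#    item for the gateway certificate exposes CurrentValue.
if ($Role -eq 'SSTP') {
    Import-Module RemoteAccess
    $bound = (Get-RemoteAccess).SslCertificate.Thumbprint
} else {
    Import-Module RemoteDesktopServices
    $bound = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
}
if ($bound -and ($bound -ieq $cert.Thumbprint)) { Write-Host "Binding OK: $Role uses $bound" }
else { Write-Warning "$Role is bound to '$bound', expected $($cert.Thumbprint)" }

# 5. The renewal task is what keeps the 3-month certificate from lapsing.
#    Assumption: win-acme names its task starting with 'win-acme'.
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like 'win-acme*' }
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    Write-Host "Renewal task '$($task.TaskName)' state $($task.State), next run $($info.NextRunTime)"
} else {
    Write-Warning "No win-acme renewal task found; the certificate will not renew automatically"
}
```

The script only reads state and never modifies anything, so it is safe to run repeatedly, for example from a monitoring job, to catch the common failure modes: a certificate that renewed in the store but was never re-bound to the service, or a renewal task that was removed along with the account that created it.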