Install a Free Let’s Encrypt SSL/TLS Certificate on Windows Server with IIS

Securing web applications with HTTPS is crucial for protecting data in transit and ensuring user confidence. This guide shows how to install a free Let’s Encrypt SSL/TLS certificate on Windows Server using Internet Information Services (IIS).

You’ll use the win-acme client to request and apply the certificate, bind it in IIS, and configure automatic HTTPS redirection. Optional instructions for Certbot and manual .pfx conversion are also included for advanced scenarios.

Install IIS

IIS is a built-in component of Windows Server that you can enable via Server Manager.

1. Open Server Manager from the Start menu.
2. Click Add Roles and Features.
3. Select Role-based or feature-based installation, then choose your server.
4. On the Server Roles screen, check Web Server (IIS).
5. Add any other required features, then click Install.

After installation, verify IIS by visiting your public server IP in a browser:

http://YOUR-SERVER-IP

You should see the default IIS welcome page.

Create a Simple Web Application

To confirm IIS is serving content correctly, set up a basic HTML page:

1. Open File Explorer and create a folder for your site.
2. Press Win + R, type notepad, and hit Enter.
3. Paste the following HTML code into Notepad:

  




<html>
  <head>
    <title>Hello World</title>
  </head>
  <body>
    <h1>Hello World!</h1>
  </body>
</html>

Save the file as index.html in the folder you just created.

Next, you’ll configure IIS to serve this directory under your domain.

Set Up an IIS Site with Your Domain

1. Open IIS Manager from the Start Menu under Windows Administrative Tools.
2. In the Connections pane, expand your server name, right-click Sites, and choose Add Website.

In the Add Website window, configure:

• Site name: A name to identify the site (e.g., example.com).
• Physical path: Browse and select your site’s folder.
• Binding:
  • Type: http
  • IP address: All Unassigned (default)
  • Port: 80
  • Hostname: Your domain (e.g., example.com)

Click OK to create and start the site.

Verify by opening http://example.com in a browser. You should see your “Hello World” page.

Request and Install a Let’s Encrypt Certificate

You can obtain a free SSL/TLS certificate from Let’s Encrypt using either:

• Win-acme: Recommended for most users; integrates directly with IIS and automates renewal.
• Certbot: Advanced users; provides more control and cross-platform support.

Using Win-acme

Win-acme is a lightweight client that installs certificates into the IIS store and configures HTTPS automatically.

1. Download the latest Win-acme zip archive.
2. Extract it and run wacs.exe as Administrator.
3. If SmartScreen appears, click More info > Run anyway.
4. Press N to create a new certificate.
5. Select your site from the IIS domain list.
6. Press A to apply the certificate to all bindings.
7. Accept defaults (Y to continue, agree to Let’s Encrypt terms).
8. Enter your email address when prompted.

Win-acme automatically:

• Requests and installs the certificate
• Stores it in the Windows certificate store
• Binds it to your IIS website
• Sets up automatic renewal

Once complete, open https://example.com in a browser to confirm HTTPS is active.

Using Certbot

Certbot is a flexible client but requires manual certificate binding in IIS.

Install Certbot

1. Download Certbot for Windows and run the installer.
2. Open PowerShell as Administrator and run:

certbot -d example.com -m admin@example.com --agree-tos --webroot

Enter your site directory when prompted. Certificates are stored as .pem files in:

C:\Certbot\live\example.com\

Convert to .pfx Using OpenSSL

1. Install OpenSSL for Windows.
2. Open PowerShell and navigate to OpenSSL’s bin folder:

cd "C:\Program Files\OpenSSL-Win64\bin"

Convert your certificate into .pfx format:

.\openssl.exe pkcs12 -export `
  -out C:\Certbot\live\example.com\certificate.pfx `
  -inkey C:\Certbot\live\example.com\privkey.pem `
  -in C:\Certbot\live\example.com\fullchain.pem

Import and Bind the Certificate

1. Open IIS Manager.
2. Select your server, then open Server Certificates.
3. Click Import, choose your .pfx file, enter the password, and confirm.
4. Navigate to Sites, select your domain, and click Bindings.
5. Click Add, select https, and configure:

• Port: 443
• Hostname: example.com
• Certificate: Select from dropdown
• Enable Require Server Name Indication

Click OK to apply the binding. Visit https://example.com to confirm the certificate is active.

Redirect HTTP Requests to HTTPS

Use the IIS URL Rewrite module to automatically redirect all HTTP traffic to HTTPS.

Install the URL Rewrite Module

1. Download the URL Rewrite module.
2. Run the installer and finish the setup.
3. Open IIS Manager, select your server, and verify that URL Rewrite appears in Features View.

Create a Redirect Rule in IIS

1. In IIS Manager, expand your server and select your website under Sites.
2. Double-click URL Rewrite.
3. In the Actions pane, click Add Rules.
4. Under Inbound Rules, select Blank rule and click OK.
5. Give the rule a name (e.g., Redirect to HTTPS).
6. Keep Requested URL as Matches the Pattern, using Regular Expressions.
7. Set the pattern to:

(.*)

Uncheck Ignore case.

Add a Condition

1. Expand Conditions and click Add.
2. Set Condition input to:

{HTTPS}

3. Keep Check if input string as Matches the Pattern.
4. Set the pattern to:

^OFF$

Click OK.

Define Redirect Action

1. Scroll to Action settings and configure:

• Action type: Redirect
• Redirect URL:

https://{HTTP_HOST}{REQUEST_URI}

• Uncheck Append query string
• Set Redirect type to Permanent (301)

Click Apply in the Actions pane.

Test the Redirect

Open your browser and go to:

http://example.com

You should be redirected automatically to the HTTPS version.

If the redirect does not work, verify that a web.config file exists in your site root. If it’s missing, create one with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Save the file and test the redirect again in your browser.

Conclusion

In this tutorial, you learned how to secure a website hosted on Internet Information Services (IIS) with a free Let’s Encrypt SSL/TLS certificate on Windows Server. You configured IIS, created a basic web app, installed the certificate using either win-acme or Certbot, set up HTTPS bindings, and redirected HTTP traffic to HTTPS.

With SSL fully configured, your server is now ready for secure hosting. To extend this setup, you can install WordPress on IIS or use PHP Manager to run dynamic applications.