FREE Secure Website HTTPS Using WinACME and Let’s Encrypt

Windows Server and IIS

You’ve seen the ads from people charging hundreds of dollars a year to get your website to be secure. You know how critical it is from Google’s point of view. Google actively penalizes websites which are not secure. Many people won’t trust a site without that lock icon in its browser.

But do you really have to pay hundreds of dollars just to get that lock symbol?

NO. You can get your secure version of your website wholly for free. Here’s how.

DOWNLOAD WINACME

Step one is to download the WinACME software. This is FREE. It’s available here:

https://github.com/PKISharp/win-acme/releases

Choose the x64 or x86 version depending on what kind of server you have. Download the ZIP file and then unzip it on your server. Note that you need actual root (administrator) access to your server to be able to run this. This is a command-line program which runs in a DOS window.

So download it into a folder and unzip it. One of the files you’ll get is called “wacs.exe”.

Now, load up IIS and make sure all your entries in there for the regular HTTP versions of your websites are set. WinACME is going to use those entries to create its HTTPS versions. Now is the time to make sure everything is in order.

Note that you can regenerate certificates. So this isn’t a do-it-right-or-else situation. Still, Let’s Encrypt has a limit of 50 attempts in a week. So you also want to be judicious about what you’re testing.

So, when you’re ready, double-click on the wacs.exe file.

Yup, a DOS box. You interact by typing letters and hitting ENTER. This is the old school way of working with a computer.

What I highly suggest if you’re just getting started is to go very easy. On this screen press N, which is the simple IIS setting. On the next screen press 3 to say you want to do all the sites in IIS on one certificate. It’ll show you the sites it knows about. Use S to use them all.

That’s pretty much it. It’ll generate your certificate. It’ll include all of your sites on it. It’ll show you a confirmation for each step and put it live. It’ll bind each site to that new certificate.

When you’re done, press Q to quit out of the software. Now if you go to IIS and check your bindings for each site, you’ll see a sparkly new HTTPS entry set up for it. You should now be able to go to the secure version of your websites by putting https:// at the front, like:

https://aspisfun.com/
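
To check the bindings for every site at once rather than clicking through IIS one site at a time, here is an added PowerShell example (not part of WinACME or of the original walkthrough). It lists each IIS site's HTTPS bindings, looks up the bound certificate, and flags sites with no HTTPS binding, a host name the certificate doesn't cover, or a certificate close to expiry. The 30-day warning threshold is an assumption; change it to suit.

```powershell
# Added example: audit every IIS site for an HTTPS binding and inspect the bound certificate.
# Run in an elevated (Administrator) PowerShell window on the IIS server.
Import-Module WebAdministration

$warnDays = 30   # assumption: flag certificates that expire within 30 days

$report = foreach ($site in Get-Website) {
    $bindings = @(Get-WebBinding -Name $site.Name -Protocol https)
    if ($bindings.Count -eq 0) {
        [pscustomobject]@{ Site = $site.Name; HostName = ''; Expires = $null
                           Issuer = ''; Status = 'NO HTTPS BINDING' }
        continue
    }
    foreach ($b in $bindings) {
        # bindingInformation has the form "IP:port:hostname"; the host name may be empty
        $hostName = ($b.bindingInformation -split ':')[-1]
        $cert = $null
        if ($b.certificateHash) {
            # Look the certificate up in the store the binding itself names
            $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
            $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        }

        if (-not $b.certificateHash) { $status = 'NO CERTIFICATE BOUND' }
        elseif (-not $cert)          { $status = 'CERTIFICATE NOT FOUND IN STORE' }
        else {
            $daysLeft = ($cert.NotAfter - (Get-Date)).Days
            # -like lets a wildcard name such as *.example.com match; this is
            # slightly looser than browser matching for multi-label host names
            $covered = (-not $hostName) -or
                (@($cert.DnsNameList | Where-Object { $hostName -like $_.Unicode }).Count -gt 0)
            if     ($daysLeft -lt 0)         { $status = 'EXPIRED' }
            elseif (-not $covered)           { $status = 'HOST NAME NOT ON CERTIFICATE' }
            elseif ($daysLeft -lt $warnDays) { $status = "EXPIRES IN $daysLeft DAYS" }
            else                             { $status = 'OK' }
        }
        $expires = $null; $issuer = ''
        if ($cert) { $expires = $cert.NotAfter; $issuer = $cert.Issuer }
        [pscustomobject]@{ Site = $site.Name; HostName = $hostName; Expires = $expires
                           Issuer = $issuer; Status = $status }
    }
}

$report | Format-Table -AutoSize
```

Any row whose Status is not OK points at a site that visitors will either reach only over plain HTTP or see a browser certificate warning on.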

Note that this software is doing two things.

First, it is creating a physical certificate on your server’s hard drive. That certificate is associated with your IIS entries.

Second, it is making a connection with Let’s Encrypt, which is the free open certificate authority behind this all.

https://letsencrypt.org/

Let’s Encrypt doesn’t have actual support, but it does have an active forum. If you have questions, the forum members will chime in to help you out. The documentation can be extremely technical so while you can try to read it, it might be hard to understand unless you live and breathe this stuff.

I’ll note as a critical thing that you should NOT REVOKE certificates. That can lead to all sorts of unhappiness. If you do mistakenly click on the Revoke option, and ignore their warnings, then here’s what to do to undo the revoke certificate damage.

Ask with any questions!
