This is a guest post graciously provided by Adam Gross (@AdamGrossTX). Thanks Adam!
| Adam has been a Desktop Architecture Analyst in his day job since 2004 where he shares management duties for a ConfigMgr infrastructure which supports ~9000 clients.
While he doesn't consider himself an expert in any field, he is proficient enough in ConfigMgr, SQL, PowerShell and C# to build creative solutions to streamline processes as part of his continual improvement strategy.
When he's not chasing his 3 small children, he tries to give back to the systems management community through his blog http://www.asquaredozen.com and on Twitter @AdamGrossTX.
Home Lab: Options for free public TLS/SSL Certificates
If you're like me, your home lab is built with leftover parts and anything you can pull together to make it happen and you likely don't have the budget to spend on an TLS/SSL certificate, especially if you only need to use it on occasion to test a few things. While using a self-signed certificate works for many things, I recently found that some automated processes don't work because they can't validate a self-signed certificate. In my case it was Windows 10 AutoPilot user authentication using AD FS. I know I could have chosen a different authentication option for AutoPilot, but I really wanted to test with AD FS, so I went looking and found some free options.
Sourcing Free Certificates
I did some searching and found several companies offering various free certificates, many of which were only single name or trial certificates offered by paid sites. The more I dug, the more I found sites pointing back to Let's Encrypt. Let's Encrypt is a free certification authority that is trusted and can be used to create public certificates. You can read more about them here or visit their website.
Let's Encrypt was built for UNIX, but their API is open source which allows developers to build tools for other platforms while still providing certificates with the same level of public trust as if directly generated by Let's Encrypt. There are many services that use the LE API to generate and manage certificates. I spent a few days trying some of them out (really just trying to get any one of them to work!). They all had similar functionality – you run a script/GUI on your server and it creates some verification files in IIS that it passes to the LE API for verification. Once verified, you are issued a certificate. The biggest drawback I can see about free vs paid certificates is that the free certificates must be renewed every 3 months.
Two of my favorite tools include:
- Windows ACME Simple (WACS) – a command line interface
- Certify SSL Manager – A nice GUI that manages automatic renewals.
After much frustration and many unhelpful error messages, I discovered that, even though I could access the verification URLs internally, the LE API was trying to get to my lab web server over port 80 and was being blocked by my ISP, so the tool kept failing to generate certificates. I was beginning to think this wouldn't work when I found a site that offered manual verification using DNS TXT entries instead of local IIS verification files which I ended up using: SSL For Free (I am not advertising for them, this is just the service that worked for me!).
Requesting a Let's Encrypt Certificate
If port 80 is not blocked for you, you can certainly use any of the other LE API based tools/scripts including SSL For Free to do file-based verification through Port 80. These steps will walk through using SSL For Free to create DNS TXT record on with your external DNS provider for verification.
Note: If you have Google Chrome installed, the site suggests using it, but it isn't a requirement, you just get an error message when it attempts to auto-download the certificate.
- Visit SSLForFree.com.
- Click Login in the upper right to create a new account.
- Click on the logo in the upper left to return to the home screen.
- In the entry form, enter the URLs for each of the alias(es) that you want to include in the cert. Separate entries with a space. The first entry should be your primary alias. If you only enter your root domain name, the www prefix for your domain will also be included as an alternative name in the certificate.
- Click on Manual Verification (DNS) then Click Manually Verify Domain.
- Follow steps to add DNS entries. Be sure to set the TTL on the TXT records to 1 second.
- Once created, allow time for entries to propagate then test using the Verify links provided in Step 3.
- You will notice a checkbox that allows you to upload your CSR (Certificate Signing Request). You can generate one from IIS or from your Certificates MMC add-in, but I didn't have very good luck with it and couldn't find information on the expected CSR configuration.
- Click Download SSL Certificate.
- You will receive a ZIP file containing your certificate, a private key and the certificate chain. The certificate will need be converted to a PFX before it can be used for SSL signing in AD FS.
Note: You can login and view any certificates you have requested to renew, revoke and delete them as needed. There doesn't appear to be an option to re-download a certificate, so if you need another copy, you will have to renew it.
Converting .CRT files to PFX
While you can import the CRT files directly
into your local machine certificate store, you won't be able to use them to secure IIS until they have been converted to PFX format.
- Download OpenSSL. The version I got from the OpenSSL site said it needed to run on x86 so I searched and found an x64 version.
- Open a command prompt and change directory to the location of openssl.exe. Run the following command:
openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "private.key" -in "certificate.crt" -certfile ca_bundle.crt
- Now use on your external facing IIS site(s) that use the alias(es) you registered.