How to Generate the Free Let's Encrypt SSL Certificate on Your Own (Windows) Computer

Get an SSL Cert for Your Website Free of Charge



by Christopher Heng, thesitewizard.com

This article shows you how to generate an SSL certificate for your website on your own computer (running Windows). The certificate will be free, and comes from a recognized certificate authority known as Let's Encrypt.

Preamble

Before you rush into it, you should note a few things.

It may be a good idea to take a look at the article on How to Convert Your Website to SSL, since the basic concepts, as well as the pros and cons, are explained in that article. I will assume that you know those things here, so if you are not sure, please read it first, or, at the very least, read the section on Benefits and the one on Disadvantages.

Download the Software

Although there are many free programs for generating Let's Encrypt certificates, the one I will describe here is known as Crypt-LE.

Go to the Crypt-LE releases page. Scroll down to the "latest release" entry, and look for the links under "Assets" for that section.

If you are running a 32-bit version of Windows, click the "le32.zip" link to download the file. If you are running a 64-bit version of Windows, click the "le64.zip" link instead. If you are not sure which version you have, get "le32.zip", since it should work on both 32-bit and 64-bit systems. That said, if you have a fairly modern computer, I suspect that it is probably running 64-bit Windows.

If you are prompted for where to save the file, save it to your desktop.

If your browser doesn't prompt you (because you failed to configure it to always prompt), it will save it to a default location somewhere on your system. For example, if you use Microsoft Edge, the default location is something like "c:\Users\christopherheng\Downloads", with your Windows account name specified after "Users", instead of my name. If so, drag the file from that location to your desktop.

Note that if you see a file called "le32" or "le64" on your desktop instead of "le32.zip" or "le64.zip", it means that you did not configure Windows to show you the full filename. Instructions for this, if you are interested, can be found in How to Force Windows Explorer to Always Show You the File Extensions. In general, especially if you are a webmaster, it's best to be able to see the full filename, extension and all, otherwise you may end up making potentially catastrophic mistakes that are easily avoided.

How to Create an SSL Certificate

  1. Prepare your website by connecting to it in your FTP program, and creating a folder called ".well-known" (without the quotation marks) in your top web directory. Notice that the name begins with a dot, and is completely in small (lower case) letters, with no spaces anywhere. As mentioned above, see my tutorial on FileZilla if you need help on using an FTP program. To create a directory in FileZilla, right-click a blank space somewhere in your website's pane (usually the right hand side once you connect to the site) and select "Create directory" from the pop-up menu that appears. Then type ".well-known" (without the quotation marks) into the dialog box that appears, and click "OK".

  2. Doubleclick the ".well-known" directory in your FTP program to enter it. Now create a directory called "acme-challenge" (without the quotation marks) in that empty directory. That is, by the end of this step, the folder ".well-known" will contain another folder called "acme-challenge". Make sure the folder names are exactly as I specified. Do not change the capitalization, spelling or add spaces or anything like that.

  3. Test that you have created the folders in the correct place by connecting to your website in a browser. For example, if your site is www.example.com, type "http://www.example.com/.well-known/acme-challenge/" (without the quotation marks) into the browser's address bar. The browser should show you an empty directory, or a "Forbidden" error (depending on whether your site is set up to show directory listings). If so, go to the next step.

    If you get a "File Not Found" message, or words to that effect, it means that you have created the folder in the wrong location. (Alternatively, you could also have named the folder wrongly, or perhaps even made a typo when you typed the address into your browser.) Return to step 1 and fix the error before continuing.

  4. Leave your FTP client running. You will need it again later. Minimize the window for now (that is, click the "_" button on the top right hand side of the window). I say this, so that you don't mistakenly do the next step in the FTP program.

  5. Create a folder somewhere on your desktop. Note that I'm now referring to your Windows desktop, not your FTP program. (Actually, the new folder doesn't have to be on your desktop, but for simplicity, I will assume that you created it there.) To do this, right click a blank space on your Windows desktop, click "New" on the menu that pops up, followed by "Folder".

  6. Windows will create a folder called "New folder". Change the name of the folder to "cert" (without the quotation marks).

  7. Doubleclick the folder to open it. It will be empty.

  8. Open the Crypt-LE file that you downloaded earlier (either "le32.zip" or "le64.zip") by doubleclicking it. You will see a single file, "le32.exe" or "le64.exe" (depending on which file you downloaded) inside. Again, you won't be able to see the file extensions unless you have changed Windows's default setting.

  9. Drag that file into the "cert" folder that you created earlier.

  10. Now open a command prompt. To do this, click the Start menu icon at the bottom left of your screen.

  11. Type "cmd" (without the quotation marks). At the top of the screen, you should see an entry that says "Command Prompt". Click it to launch it.

  12. A black window with the title "Command Prompt" will appear. You will be deposited at a command line with words like "C:\Users\christopherheng>" (although instead of my name, you should see your Windows account name) next to a blinking text cursor.

  13. Type "cd desktop" (without the quotation marks), and hit the ENTER key. This takes you to your desktop, although you won't see much difference except that the prompt now starts with "C:\Users\christopherheng\Desktop" (again, with your account name instead of mine).

    On the command line, all commands have to be followed by the ENTER key before they will be acted upon. The Command Prompt program won't do anything until you have actually hit ENTER. This gives you a chance to use Backspace to correct errors, or even use the ESC key to erase the entire line.

  14. Type "cd cert" (without the quotation marks), followed by ENTER. This takes you into the "cert" folder that you created earlier. The prompt should now show something like "C:\Users\christopherheng\Desktop\cert".

    At present, the folder only contains one file, "le32.exe" or "le64.exe". You can easily see what's in the folder by typing "dir" (without the quotation marks), followed by the ENTER key. The command "dir" shows you a list of the contents of the current folder, sort of like an office building directory showing you a list of all the tenants. Do this now, so that you can get more familiar with how the command line works.

  15. Before you do the next step, decide the domain names which you want the SSL certificate to contain. For example, if your website is located at example.com, but you also want it to be accessible by www.example.com, then you want the cert for 2 names: example.com and www.example.com.

  16. If you only want the certificate for one domain name, eg, example.com, type the following on the command line, substituting your domain for example.com and your email address for "your-email-address@example.com". And if you have downloaded the 32-bit version, type "le32.exe" instead of "le64.exe".

    le64.exe -email "your-email-address@example.com" -key account.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "example.com" -generate-missing -live

    Important: the above is a single line, even if your web browser breaks it up into multiple lines to fit your screen. Type it as a single line, and don't hit the ENTER key until you have verified that it is correct. Make sure you change the email address and the domain name.

    If you want the certificate for 2 domains, (say) example.com and www.example.com, type the following instead. Once again, substitute your email address and domain names for the example.com placeholders, and use "le32.exe" instead of "le64.exe" if you are using the 32-bit version. Remember again that the following is a single continuous line, even if your browser breaks it up into two or more to fit the screen.

    le64.exe -email "your-email-address@example.com" -key account.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "example.com, www.example.com" -generate-missing -live

    The email address is used by Let's Encrypt to remind you when the certificate is about to expire. From what I recall, you will get a reminder something like 20 days before the cert expires, and, if you haven't generated a new one by then, another reminder 10 days before expiry. I'm not sure if there are any more reminders after that, since I have never waited that long to get a new cert.

  17. Once you hit the ENTER key, the program will connect to the Let's Encrypt service. It will print out what it's currently doing as it does this, so that you know what's going on. After a while, a message saying something like the following will be printed out on your screen:

    Challenge for example.com requires:
    A file 'abcdefghij' in "/.well-known/acme-challenge/" with the text: abcdefghij1234567890
    When done, press <Enter>

    The real filename and text given will be different (and much longer) than the illustration above. Do NOT press ENTER yet. Go to the next step.

  18. Start up a plain text editor. If you are not sure what I mean by this, run Notepad, which comes with Windows. (Note that Microsoft Word, Office, Open Office, Libre Office and such software are NOT plain text editors. Any software that allows you to do things like underline text or put words in bold or italics is not a plain text editor. If in doubt, use Notepad.)

    To run Notepad, click the Start menu button at the bottom left corner of your screen, and type "notepad" (without the quotation marks). Click the Notepad entry that appears at the top of the Start menu in response to your typing. This will open an empty window.

  19. Switch back to the command prompt. Move your mouse pointer and select the text following the words "with the text:" (that is, the equivalent on your screen of my example "abcdefghij1234567890"). By this, I mean that you should move your mouse pointer so that it hovers over the first character of the string that you want, click the left mouse button, and while holding down the button, "drag" (ie, move) the mouse over the rest of the text so as to highlight it.

    Your screen should now look something like this:

    Challenge for example.com requires:
    A file 'abcdefghij' in "/.well-known/acme-challenge/" with the text: abcdefghij1234567890
    When done, press <Enter>

  20. Hit the ENTER key. The highlighting will disappear, but the text has been copied into your clipboard, allowing us to paste it in the next step.

  21. Switch back to Notepad. Click "Edit" from the menu bar, and "Paste" from the drop-down menu that appears. The text you selected and copied earlier should appear. If it does not, delete everything in the Notepad window, and return to the earlier step to copy again. It's possible that you accidentally hit a key other than ENTER, causing the copy operation to be aborted. Just do it again. (Don't be tempted to type it manually. It's really much easier and less error-prone to copy and paste than to type that long string of gibberish manually.)

  22. Click "File" from the menu bar, followed by "Save as..." from the drop-down menu. A dialog box with the title "Save As" will appear. Navigate to your desktop (eg, by clicking "Desktop" on the left side of the dialog box), but don't save anything yet. After navigating there, click the "Filename" field once, to select it. The "*.txt" contents of that field should be highlighted after this step.

  23. Switch to the Command Prompt window again. Select the filename, which is the text in single quotation marks just after the words "A file" (see the illustration below). Don't select the quotation marks themselves, just the enclosed long string that makes up the filename. Note that this text is not the same as the one you copied earlier (or rather, the one you copied earlier consists of both this string and additional characters), so you can't reuse what you have currently in the clipboard.

    Your window should look something like this, after selecting the filename:

    Challenge for example.com requires:
    A file 'abcdefghij' in "/.well-known/acme-challenge/" with the text: abcdefghij1234567890
    When done, press <Enter>

    With the filename highlighted, hit the ENTER key to place it into the clipboard.

  24. Switch to Notepad. You should still be at the "Save As" dialog box, with "*.txt" highlighted in the Filename field.

    Paste the text from the clipboard into the Filename field, by entering Ctrl+v. By "Ctrl+v", I mean, press the "Ctrl" key on your keyboard, and while still holding it down, type "v" (without the quotation marks). (Ctrl+v is the standard keyboard shortcut to perform a Paste operation in Windows.)

  25. The filename you copied earlier should appear in the "Filename" field. Click "Save", then close Notepad.

  26. Switch to your FTP program. It is probably showing the contents of the ".well-known" directory on the remote end (ie, your web server) at the moment. Doubleclick the "acme-challenge" directory to enter it.

  27. Upload (ie, transfer) the file that you just created. You will probably have to navigate to your desktop on the local end (the panel showing your computer's side of things, if you are using FileZilla), so that you can upload it.

  28. Once that is done, you have to let the Let's Encrypt service know that you have done your bit, and that it can try to retrieve the file from your website. This is necessary so that Let's Encrypt knows that you have control over the website you're trying to get the cert for.

    To do this, return to the Command Prompt window and hit the ENTER key. (And wait.)

  29. If you have a second domain listed, Crypt-LE will prompt you again to create a file for it. This will be a different filename with its own unique content. Essentially, you will have to repeat the process for every domain listed on the command line.

  30. For each successful domain name verified, Crypt-LE will display a message that looks something like this:

    2021/05/25 10:00:01 Domain verification results for 'example.com': success
    2021/05/25 10:00:01 You can now delete the 'abcdefghij' file.

    The numbers on the left, as before, are merely the current date and time.

  31. Finally, when everything is done, it will say words to this effect:

    2021/05/25 10:00:01 Requesting domain certificate.
    2021/05/25 10:00:02 Requesting issuer's certificate.
    2021/05/25 10:00:02 Saving the full certificate to domain.crt.
    2021/05/25 10:00:02 The job is done, enjoy your certificate!

    The filename "domain.crt" is merely the name you specified on the command line earlier. If you used a different filename from what I suggested, it will show that instead.

  32. Return to the FTP program. Delete the files that you uploaded to the "acme-challenge" folder. There's probably no point deleting the ".well-known" and "acme-challenge" directories, since you will need them again in less than 90 days, when you generate new certificates to replace the current ones. Let's Encrypt certificates expire every 90 days, so what you just did will be a regular ritual.
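
A pre-flight check for steps 21 to 28, as an added example that is not part of the original article or of Crypt-LE: run in PowerShell before pressing ENTER in the Crypt-LE window, it confirms that the saved file has no stray ".txt" extension or byte order mark, and that your web server returns the expected text. The default domain, filename and text are the placeholders from the article's illustration, and the desktop path is an assumption; pass your own values.

```powershell
# Added example, not part of the article or Crypt-LE. Defaults are the article's
# illustrative values; pass your own domain, filename and text.
param(
    [string]$Domain   = 'example.com',
    [string]$Token    = 'abcdefghij',             # filename printed by Crypt-LE
    [string]$Expected = 'abcdefghij1234567890',   # text printed by Crypt-LE
    [string]$LocalDir = (Join-Path $env:USERPROFILE 'Desktop')
)

function Get-ChallengeProblems {
    param([byte[]]$Bytes, [string]$Expected)
    $problems = @()
    $offset = 0
    # A UTF-8 byte order mark is invisible in Notepad but changes the served bytes.
    if ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF) {
        $problems += 'starts with a UTF-8 byte order mark; save the file again with ANSI encoding'
        $offset = 3
    }
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes, $offset, $Bytes.Length - $offset)
    # Trailing whitespace is tolerated (RFC 8555 asks servers to ignore it); the rest must match.
    if ($text.TrimEnd() -cne $Expected) {
        $problems += 'content differs from the text Crypt-LE printed'
    }
    return $problems
}

# The article notes that the text consists of the filename plus additional characters.
if (-not $Expected.StartsWith($Token, [System.StringComparison]::Ordinal)) {
    Write-Warning 'The text does not begin with the filename; re-copy both from the Crypt-LE window.'
}

$path = Join-Path $LocalDir $Token
if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
    if (Test-Path -LiteralPath "$path.txt" -PathType Leaf) {
        Write-Warning "Found '$Token.txt': Notepad added an extension. Rename the file to '$Token'."
    } else {
        Write-Warning "No file named '$Token' in $LocalDir."
    }
    return
}
$local = @(Get-ChallengeProblems -Bytes ([System.IO.File]::ReadAllBytes($path)) -Expected $Expected)

# Fetch the file the same way the certificate authority will: plain HTTP, well-known path.
$url = "http://$Domain/.well-known/acme-challenge/$Token"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    $remote = @(Get-ChallengeProblems -Bytes ($resp.RawContentStream.ToArray()) -Expected $Expected)
} catch {
    $remote = @("could not be fetched from ${url}: $($_.Exception.Message)")
}

$all = @($local | ForEach-Object { "local file: $_" }) + @($remote | ForEach-Object { "served file: $_" })
if ($all.Count -eq 0) {
    'OK: the served file matches. Press ENTER in the Crypt-LE window.'
} else {
    $all | ForEach-Object { Write-Warning $_ }
}
```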

The Files Generated by Crypt-LE

As mentioned earlier, the procedure for installing the certificate varies according to the web server your site is on, your site's control panel and your web host. That said, no matter which server or web host you are using, you will still need to know where your certificates are.

When you complete the above procedure, you will find a few files in your cert directory:

How to Renew Your Let's Encrypt Certificate

Let's Encrypt certificates expire every 90 days, and you will need to renew yours before then. If you have submitted a valid email address on the Crypt-LE command line, their automated service will remind you of your expiring certificate approximately 20 days before the last day, giving you time to generate a new set. You can of course choose to renew it even earlier if you wish. Their website actually recommends that you renew it every 60 days, that is, 30 days before expiry.

Note also that when I say "approximately 20 days", I really mean it. I have once received the notice 19 days before expiry. It is possible that the time the notice is sent depends on the server load on Let's Encrypt's end, so I recommend that you keep track of your certificate's expiry date yourself, just in case the reminder is very late or lost in transit.

To renew the certificate, all you need to do is to repeat the above procedure. You can delete the old "domain.csr" and "domain.key" from your "cert" directory beforehand if you wish, since Crypt-LE will generate new ones for things that are missing. The old "domain.crt" will always be overwritten by the new one. Leave your old "account.key" file in the directory, since this is just your account at Let's Encrypt. (That said, if you have accidentally deleted that file as well, Crypt-LE will just register you for a new account. From what I can tell, I suspect that none of the old files are actually vital for a renewal, so don't panic if you have deleted everything.)
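
Since the reminder email can arrive late or not at all, the following added example (not from the original article or Crypt-LE) reads the expiry date from "domain.crt" and compares that certificate with the one your site is actually serving, which also catches a new certificate that was generated but never installed. It assumes "domain.crt" is PEM text with the site's certificate first; the domain and the path to the "cert" folder are placeholders.

```powershell
# Added example, not part of the article or Crypt-LE. Domain and path are placeholders.
param(
    [string]$Domain  = 'example.com',
    [string]$CrtPath = (Join-Path $env:USERPROFILE 'Desktop\cert\domain.crt'),
    [int]$RenewWithinDays = 30   # the article cites renewing 30 days before expiry
)

function Get-FirstPemCertificate {
    param([string]$Path)
    # Assumption: the file is PEM and the site's own certificate is the first block.
    $pem = [System.IO.File]::ReadAllText($Path)
    $m = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw "No PEM certificate found in $Path" }
    [byte[]]$der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation is skipped on purpose: the aim is to inspect whatever is served,
        # including an expired certificate. Nothing sensitive is sent over this connection.
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$fileCert = Get-FirstPemCertificate -Path $CrtPath
$daysLeft = [math]::Floor(($fileCert.NotAfter - (Get-Date)).TotalDays)
"domain.crt: $($fileCert.Subject), expires $($fileCert.NotAfter) ($daysLeft days left)"
if ($daysLeft -le $RenewWithinDays) {
    Write-Warning "domain.crt expires in $daysLeft days; generate a new certificate now."
}

try {
    $served = Get-ServedCertificate -HostName $Domain
    if ($served.Thumbprint -ne $fileCert.Thumbprint) {
        Write-Warning ("The site serves a different certificate (expires $($served.NotAfter)); " +
                       "the one in domain.crt may not be installed yet.")
    } else {
        'The site is serving the certificate in domain.crt.'
    }
} catch {
    Write-Warning "Could not read the certificate served by ${Domain}: $($_.Exception.Message)"
}
```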

Congratulations

That's it. As you can see, the whole procedure of generating the certificate is actually quite painless.

Copyright © 2021-2022 Christopher Heng. All rights reserved.