Automating Let's Encrypt Certificate Renewals for IIS Servers
Manual Certificate Renewal Workflow
When using Certbot on Windows, the standard standalone renewal process binds port 80 itself to answer the HTTP-01 challenge, so that port must be free. If IIS is currently occupying it, you must temporarily halt the web service for the duration of the renewal.
1. Service Suspension and Firewall Adjustment

Stop the web server so Certbot can listen on port 80. Let's Encrypt only has to reach inbound TCP 80 on this host, so if an existing IIS rule already allows that port, no firewall change is needed at all. Where a change is needed, allow that single port rather than switching the whole firewall off: disabling all profiles exposes every other listening service for as long as the renewal takes.

# Stop IIS Service
Stop-Service W3SVC
# Allow inbound HTTP for the challenge (preferred)
netsh advfirewall firewall add rule name="ACME HTTP-01" dir=in action=allow protocol=TCP localport=80
# Original, broader step: disables the firewall entirely (avoid on production hosts)
netsh advfirewall set allprofiles state off

2. Verification and Renewal

Check the status and expiry of existing certificates and initiate the renewal process. Note that certbot renew only renews lineages within 30 days of expiry; for anything else it is a no-op.

certbot certificates
certbot renew

3. Restoring Services

Remove the temporary rule (or re-enable the firewall, if it was disabled) and restart the web server immediately after Certbot finishes, whether or not the renewal succeeded.

netsh advfirewall firewall delete rule name="ACME HTTP-01"
netsh advfirewall set allprofiles state on
Start-Service W3SVC
4. Converting to PFX Format

IIS requires certificates in PFX (PKCS#12) format. Certbot generates PEM files by default. Use OpenSSL to bundle the private key and the full chain. OpenSSL will prompt for an export password; IIS asks for the same password on import. Be aware that the files under archive\ are numbered per issuance (privkey1.pem, privkey2.pem, ...), so the command below picks up the first certificate ever issued, not necessarily the current one. The live\yourdomain\ directory always points at the current privkey.pem and fullchain.pem, and is the safer path to reference.

openssl pkcs12 -export -out C:\Certificates\deploy_bundle.pfx -inkey C:\Certbot\archive\yourdomain\privkey1.pem -in C:\Certbot\archive\yourdomain\fullchain1.pem

5. IIS Integration

Import the newly created .pfx file through the IIS Manager under 'Server Certificates' and update the HTTPS site bindings for your specific web site.
Automated Renewal Scripting
To eliminate manual intervention, create a PowerShell script to handle the service toggling and conversion logic. This script can be scheduled via the Windows Task Scheduler.
# Path: C:\Scripts\RefreshCert.ps1
$ErrorActionPreference = 'Stop'
Write-Output "Beginning SSL Renewal..."
# Stop IIS to free port 80 for the standalone HTTP-01 challenge
iisreset /stop
try {
    # Execute Certbot; it only renews certificates within 30 days of expiry
    & "C:\Program Files\Certbot\bin\certbot.exe" renew --quiet
    if ($LASTEXITCODE -ne 0) { Write-Error "certbot renew failed with exit code $LASTEXITCODE" }
} finally {
    # Restart IIS even if Certbot failed, so a renewal error never leaves the site down
    iisreset /start
}
# Note: Manual PFX conversion and binding updates are still required
# unless using advanced PowerShell modules for IIS (WebAdministration).
Set a scheduled task to run this script with "Highest Privileges". Run it daily rather than once every 60 days: certbot renew does nothing until a certificate is within 30 days of expiry, so a daily run costs nothing, while a 60-day interval leaves no second attempt if the single run fails (Let's Encrypt certificates are valid for 90 days, so the next attempt would come after expiry).
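The following script is an added example, not part of the original page or of Certbot, that closes the gap left by the note above: it performs the whole cycle from the manual workflow (least-privilege firewall change, IIS stop/start, renewal, PFX conversion, import into the machine store, binding update) without manual steps. It assumes Certbot at its default install path, OpenSSL on PATH, an existing HTTPS binding on the target site, the WebAdministration module, and that it runs elevated. The lineage name, site name and output directory are placeholders.

```powershell
# Deploy-RenewedCert.ps1 (added example; paths and names below are assumptions)
param(
    [string]$Domain   = 'yourdomain',                # Certbot lineage: folder name under C:\Certbot\live
    [string]$SiteName = 'Default Web Site',          # IIS site whose https binding(s) get the new certificate
    [string]$Certbot  = 'C:\Program Files\Certbot\bin\certbot.exe',
    [string]$PfxDir   = 'C:\Certificates'
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# live\ always references the current key and chain; archive\ files are numbered per issuance.
$live = "C:\Certbot\live\$Domain"

# 1. Open only inbound TCP 80 for the HTTP-01 challenge instead of disabling the firewall.
$ruleName = 'ACME HTTP-01 (temporary)'
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow | Out-Null
Stop-Service W3SVC
try {
    & $Certbot renew --quiet
    if ($LASTEXITCODE -ne 0) { throw "certbot renew exited with code $LASTEXITCODE" }
} finally {
    # Runs even when certbot fails: never leave the site down or the rule behind.
    Start-Service W3SVC
    Remove-NetFirewallRule -DisplayName $ruleName
}

# 2. Compare what certbot has on disk with what IIS is serving. certbot renew is a no-op
#    until 30 days before expiry, so most runs end here.
$current  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$live\fullchain.pem"
$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($bindings.Count -eq 0) { throw "Site '$SiteName' has no https binding to update" }
$stale = $bindings | Where-Object { $_.certificateHash -ne $current.Thumbprint }
if (-not $stale) {
    Write-Output "$SiteName already serves $($current.Thumbprint) (expires $($current.NotAfter)); nothing to do."
    return
}

# 3. Bundle key + full chain into a PFX protected by a random one-time password.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pfxPassword = [Convert]::ToBase64String($bytes)
New-Item -ItemType Directory -Force -Path $PfxDir | Out-Null
$pfxPath = Join-Path $PfxDir "$Domain.pfx"
& openssl pkcs12 -export -out $pfxPath -inkey "$live\privkey.pem" -in "$live\fullchain.pem" -passout "pass:$pfxPassword"
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }

# 4. Import into the machine store with a non-exportable private key, then rebind.
$secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure
Remove-Item $pfxPath   # the store now holds the key; do not leave the bundle on disk
foreach ($b in $stale) {
    # AddSslCertificate replaces the certificate on the existing binding in place.
    $b.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Output "Bound $($cert.Thumbprint) (expires $($cert.NotAfter)) to $SiteName $($b.bindingInformation)"
}
```

Schedule this in place of the simpler script with the same "Highest Privileges" setting. The thumbprint comparison in step 2 makes the script idempotent and also recovers from an earlier run that renewed but failed before the binding update; the old certificate is deliberately left in the store so a rollback through IIS Manager remains possible.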
Zero-Downtime Renewal via Webroot Plugin
The Webroot method is preferred for production environments because it validates domain ownership by placing the HTTP-01 challenge file in the web server's own directory and letting IIS serve it, avoiding the need to stop IIS or touch the firewall: the same port 80 binding that serves the site answers the challenge.
1. Configure IIS for Extensionless Files
Let's Encrypt fetches http://yourdomain/.well-known/acme-challenge/<token>, and the token file has no extension, which IIS refuses to serve by default. Create or modify the web.config file inside the .well-known/acme-challenge directory so that extensionless files are served as plain text:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<mimeMap fileExtension="." mimeType="text/plain" />
</staticContent>
</system.webServer>
</configuration>
2. Execute Webroot Renewal
Run Certbot with the --webroot flag, pointing to the physical path of your website content. This first issuance records the plugin and webroot path in the lineage's renewal configuration, so subsequent certbot renew runs reuse them and never need IIS stopped. The PFX conversion and binding update described above still follow each renewal.

certbot certonly --webroot -w C:\inetpub\wwwroot\mysite -d mysite.com -d www.mysite.com
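Before handing the webroot to Certbot it is worth confirming that IIS really serves an extensionless file from that path over plain HTTP for every name on the certificate, since a missing mimeMap, a wrong physical path or a firewall block all surface as a failed challenge with limited detail. The probe below is an added example, not code from the original page; the webroot and host names are placeholders, and it must be run on the IIS host (or anywhere that can reach it) after the web.config above is in place.

```powershell
# Test-AcmeChallengePath.ps1 (added example; webroot and host names are assumptions)
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\mysite',
    [string[]]$Hosts = @('mysite.com', 'www.mysite.com')
)
$ErrorActionPreference = 'Stop'

$dir = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# A token shaped like a real ACME token: 32 random bytes, base64url, no file extension.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$token    = ([Convert]::ToBase64String($bytes)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$expected = "probe-$token"
$file     = Join-Path $dir $token
Set-Content -Path $file -Value $expected -NoNewline -Encoding Ascii

$ok = $true
try {
    foreach ($h in $Hosts) {
        $url = "http://$h/.well-known/acme-challenge/$token"
        try {
            # Redirects are followed, as Let's Encrypt does; what matters is that the final
            # response is 200 with exactly the file contents.
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing
            if ($r.StatusCode -eq 200 -and $r.Content -eq $expected) {
                Write-Output "OK   $url"
            } else {
                Write-Output "FAIL $url -> status $($r.StatusCode), body '$($r.Content)'"
                $ok = $false
            }
        } catch {
            # A 404 here usually means the mimeMap for "." is missing or the webroot is wrong;
            # a connection error points at DNS or the firewall rather than IIS.
            Write-Output "FAIL $url -> $($_.Exception.Message)"
            $ok = $false
        }
    }
} finally {
    Remove-Item $file -ErrorAction SilentlyContinue   # never leave probe files in the webroot
}

if (-not $ok) { exit 1 }
Write-Output 'Challenge path is served for all hosts; safe to run certbot --webroot.'
```

A non-zero exit makes the probe usable as a guard in the scheduled renewal task: run it first and skip certbot renew when it fails, so the failure is logged here with the actual HTTP response rather than as a Let's Encrypt authorization error.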
Alternative Tooling: win-acme
While Certbot is widely used, win-acme (formerly letsencrypt-win-simple) is a native Windows CLI specifically optimized for IIS. It automates the entire lifecycle, including:
- Answering the ACME challenge.
- Creating the PFX file.
- Importing the certificate into the Windows Certificate Store.
- Automatically updating IIS HTTPS bindings without manual script intervention.
For most Windows-centric environments, win-acme is the recommended path for a set-and-forget implementation.