
Export Let’s Encrypt certificate in Windows Server

In a previous article, we installed Let’s Encrypt on Exchange Server. Everything works on that server, and a secure connection is shown when accessing the OWA URL. What if you have more than one Exchange Server running in the organization? In this article, you will learn step by step how to export the Let’s Encrypt certificate from Windows Server.

You want to export the Let’s Encrypt certificate together with its private key and import it on the other Exchange Servers. The private key that Win-ACME installed is not exportable, so you first need to import the .pfx file from the Win-ACME cache with the key marked as exportable. Only then can you export the certificate from Windows. The export itself is the final step.

Let’s Encrypt SSL certificate is not exportable

It’s good to know what happens if you don’t have the private key installed. Let’s see it in action.

Start MMC (Microsoft Management Console) and add the Certificates snap-in. Right-click the Let’s Encrypt certificate and click All Tasks. Click Export.

Lets Encrypt export certificate private key export option

The certificate export wizard is showing. Click Next.

Lets Encrypt export certificate private key welcome export wizard

The option we need is Yes, export the private key. We can’t select it because it’s greyed out: the installed private key is not marked as exportable. Click Cancel to go back.

Lets Encrypt export certificate private key not exportable

In the next step, we are going to import the private key. Once it is imported, we will repeat the export steps we just did. This time we will be able to select the option to export the private key. More on that later in the article.

Find private key password in Win-ACME

Before we can import the private key on the system, we have to get the password of the cached .pfx file. That password can be found in the Win-ACME client.
</grreplace_placeholder_never_emitted>

Go to the Win-ACME folder and start the Win-ACME client. Select A to manage renewals and press Enter.

 A simple Windows ACMEv2 client (WACS)
 Software version 2.1.22.1260 (release, pluggable, standalone, 64-bit)
 ACME server https://acme-v02.api.letsencrypt.org/
 Scheduled task looks healthy
 Please report issues at https://github.com/win-acme/win-acme

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit

 Please choose from the menu: A

Select D to show the renewal details and press Enter.

  Welcome to the renewal manager. Actions selected in the menu below will be
  applied to the following list of renewals. You may filter the list to target
  your action at a more specific set of renewals, or sort it to make it easier
  to find what you're looking for.

 1: mail.exoip.com - renewed 1 time, due after 2020/8/8 18:08:45

 E: Edit renewal
 D: Show details for the renewal
 R: Run the renewal
 A: Analyze duplicates for the renewal
 C: Cancel the renewal
 V: Revoke certificate(s) for the renewal
 Q: Back

 Choose an action or type numbers to select renewals: D

Find the .pfx password and copy it. In my example it’s n8LVJLxx2vQrC3QB2G7cn/mdeMK/RyGMBt8ECq8GYjs=.

 Details for renewal 1/1

 Id:                  xfRT7WjC40mP2rVUt1uybg
 File:                xfRT7WjC40mP2rVUt1uybg.renewal.json
 FriendlyName:        mail.exoip.com
 .pfx password:       n8LVJLxx2vQrC3QB2G7cn/mdeMK/RyGMBt8ECq8GYjs=
 Renewal due:         08/08/2020 18:08:45
 Renewed:             1 times
 Target        -----------------------------------------------------------------
  - Plugin:           Manual - (Manual input)
  - CommonName:       mail.exoip.com
  - AlternativeNames  mail.exoip.com,autodiscover.exoip.com
 Validation    -----------------------------------------------------------------
  - Plugin:           SelfHosting - (Serve verification files from memory)
 Order         -----------------------------------------------------------------
  - Plugin:           Single - (Single certificate)
 CSR           -----------------------------------------------------------------
  - Plugin:           RSA - (RSA key)
 Store         -----------------------------------------------------------------
  - Plugin:           CertificateStore - (Windows Certificate Store)
  - Store:            My
  - AclFullControl:   network service,administrators
 Installation  -----------------------------------------------------------------
  - Plugin:           IIS - (Create or update https bindings in IIS)
 Installation  -----------------------------------------------------------------
  - Plugin:           Script - (Start external script or program)
  - Script:           ./Scripts/ImportExchange.ps1
  - ScriptParameters  '{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}'
                      '{CachePassword}' '{CertFriendlyName}'
 History       -----------------------------------------------------------------

 1: 14/06/2020 16:08:45 - Success - Thumbprint E06F2B82608090BAE540841E3EA9895804951F83

 Press <Enter> to continue

Now that we have the password for the private key, we can import the certificate into the system.

Import private key in Windows

Open the following path to find the certificate.

C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates

Double-click the certificate to start the certificate import wizard.

Lets Encrypt export certificate private key programdata pfx

Select Local Machine and click Next.

The file name path will be filled in automatically. Click Next.

Paste the private key password that you copied in the earlier step. Check both of the checkboxes:

  • Mark this key as exportable. This will allow you to back up or transport your keys at a later time.
  • Include all extended properties

Click Next.

Lets Encrypt export certificate private key password

Click Next to automatically select the certificate store based on the type of certificate.

Click Finish to complete the certificate import wizard.

Certificate import was successful. Click OK.

The next step is to export the Let’s Encrypt certificate. Remember at the beginning of the article, we couldn’t export the certificate because of the private key not being exportable. Will we be able to select the option now?

Export Let’s Encrypt certificate to PFX

Click the refresh button in the toolbar, if you already have the MMC console open. If you want, you can close the MMC and start a new session.

Start MMC and add the Certificates snap-in. Right-click the Let’s Encrypt certificate and click All Tasks. Click Export.

Click Next.

This time the private key export option is selectable. Click Yes, export the private key and click Next.

Lets Encrypt export certificate private key export

Check the following checkboxes:

  • Include all certificates in the certification path if possible
  • Export all extended properties
  • Enable certificate privacy

Click Next.

Lets Encrypt export certificate private key export file format

Select the Password checkbox. Fill in a strong password that will protect the exported file, which now contains the private key. You will need this password when importing the certificate on the other servers. Click Next.

Lets Encrypt export certificate private key security

Click Browse and select the folder in which you want to place the certificate. In my example, it will be the folder Certs on the C: drive. Make sure to type the file name including the .pfx extension.

Click Finish to complete the certificate export wizard.

The certificate export was successful. Click OK.

Lets Encrypt export certificate private key finished successful

Start File Explorer and browse to the exported certificate. This is the exported Let’s Encrypt certificate including the private key.

Lets Encrypt export certificate private key file explorer

The Let’s Encrypt certificate with its private key is successfully exported from Windows Server. Now that you have the .pfx file, you can import the certificate on another Exchange Server.
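The same import-then-export procedure, done in PowerShell instead of the two MMC wizards. This is an added example and not the author’s or the win-acme project’s code; the cache file name, the output path and the use of the newer -CryptoAlgorithmOption switch are assumptions, and the .pfx password is the one shown by the win-acme "Show details" screen.

```powershell
# Added example (not from the article or win-acme): re-import the cached .pfx with an
# exportable key, verify the key is exportable, then export a password-protected .pfx.
$CacheDir  = 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates'
$CacheFile = Join-Path $CacheDir 'PLACEHOLDER-mail.exoip.com.pfx'   # assumed file name
$OutFile   = 'C:\Certs\mail.exoip.com.pfx'                           # assumed output path
$CachePass = Read-Host 'Paste the .pfx password shown by win-acme' -AsSecureString

# Step 1: import into LocalMachine\My with the key marked exportable. Without -Exportable
# the key is stored non-exportable, which is why the wizard option was greyed out earlier.
$cert = Import-PfxCertificate -FilePath $CacheFile `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $CachePass -Exportable

# Step 2: check the key really is exportable before asking for a new password.
# Export-PfxCertificate throws on a non-exportable key, so this gives a clearer error.
function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $false }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {                # CNG key store
        $policy = $rsa.Key.ExportPolicy
        return ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { # legacy CAPI
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $false
}

if (-not (Test-PrivateKeyExportable $cert)) {
    throw "Private key of $($cert.Thumbprint) is not exportable; re-import it with -Exportable."
}

# Step 3: export with chain and a new password. BuildChain matches the wizard's
# "Include all certificates in the certification path"; AES256_SHA256 encrypts the
# whole bundle, the closest equivalent of "Enable certificate privacy" (assumed; needs
# the PKI module of Windows Server 2016 or later).
$ExportPass = Read-Host 'New password to protect the exported .pfx' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $ExportPass `
    -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# The file now holds the private key: strip inherited ACLs so only admins and SYSTEM read it.
icacls $OutFile /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) to $OutFile"
```

Delete the exported .pfx from the source server once it has been imported on the other Exchange Servers, so the private key is not left lying in a shared folder.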

Conclusion

In this article, you learned how to export the Let’s Encrypt certificate with its private key. It’s good practice to export the certificate and import it on the other Exchange Servers. Find the .pfx password by starting the Win-ACME client. Import the private key with that password and mark it as exportable. After that, the certificate is exportable. You should not request a certificate per Exchange Server; one certificate can be installed on all the Exchange Servers.

I hope you enjoyed this article. You may also like Outlook search bar moved to top. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 10 Comments

  1. Thank you very much!
    Very good instructions! The private key trick is not described everywhere. Cool!

  2. Folks, I have a question.

    If you export the cert from the Exchange server and upload it to the Kemp Load Balancer, will this exported cert renew automatically when the Exchange Server renews its cert? If not, we are forced to export the cert from Exchange and import it to the load balancer every 30 days.

  3. THANK YOU!!!!!

    I really appreciate the time you take to make this article and many others that have been extremely helpful!

  4. Has someone been able to automate this?
    I would like to automatically export/import/assign the script to an Edge server.

    My guess is this should be possible by tweaking the Scripts/ImportExchange.ps1 script.

    Thanks for any input!
    Ashley.

  5. The first time, I had little trouble implementing LetsEncrypt using the WACS tool.
    Today I started with the first renewal process and the renewal went flawless. The issue I have now is that the .pfx password is not being recognized when trying to import the certificate or convert with OpenSSL.
    Any idea where I am going wrong?
    Appreciate your feedback.

  6. Hello

    Your article helped me quite a lot thank you. But how would you automate this? If we have multiple Exchange Servers we would have to do this on every renewal again?

    Thank you

    1. For multiple Exchange and Edge servers, you just need to add their names where it asks, and also after getting the cert, just import it to the other servers.
