Using Let's Encrypt Certificates for TLS
Question asked by Rafael Grecco - 10/7/2020 at 7:33 AM
Answered
Hi,

I just configured a new server (homologation environment) with all security protocols enabled - HTTPS, DKIM, DMARC and TLS.

I would like your input if DMARC is worth using or not. I've read that there are a lot of problems with it. Do you guys use it?

I also would like to know if any of you have experience using Let's Encrypt for TLS. I use Let's Encrypt with "Certify The Web" software to automate the renewing process. It works wonderfully for IIS.

So I used the same certificate to enable TLS. I followed these steps: Open MMC -> Export certificate issued by Let's Encrypt to some folder -> Configured SmarterMail's bindings to use that certificate.

Everything is working flawlessly, but my question is if I have to repeat this manual process every time the certificate is renewed.

If so, is there a way to automate this process?

Thank you!
Robert Simpson Replied
I created a Scheduled Task that runs once a day, which exports the TLS cert to a PFX file that SM points to for TLS/SSL encryption.
That way the Certify the Web app is renewing every 30 days or so, and this scheduled task automates the export to file.

Heimir Eidskrem Replied
Would you mind posting your script for the export??

Robert Simpson Replied
Marked As Answer
The Task Scheduler executes a .bat file that looks like this:
Powershell.exe -executionpolicy remotesigned -File C:\Smartermail\ExportCert.ps1
The PowerShell script looks like this:
# MAKE SURE to modify the 3 areas that require it: mail domain, password and path to the PFX on your server

# Take the newest certificate in LocalMachine\My whose subject matches the mail host name,
# then export it together with its private key to the PFX file (-f overwrites, -p sets the PFX password)
(Get-ChildItem -Path cert:\LocalMachine\My |
Where-Object {$_.Subject -match "mail.mydomain.com"} |
Sort-Object -Property NotAfter -Descending |
Select-Object -First 1) |
ForEach-Object {& certutil.exe @('-exportpfx', '-f', '-p', 'mypassword', $_.Thumbprint, "C:\SmarterMail\mail.mydomain.com.pfx")}
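
A hardened variant of the export script above, added here as an example; it is not part of the original post or of the SmarterTools KB. It uses the built-in Export-PfxCertificate cmdlet so the PFX password appears neither in the script nor on a command line, exports only when the certificate has changed, and restricts the ACL on the PFX. The password file and thumbprint stamp paths are assumptions, and the password file must be created once under the same account that runs the scheduled task.

```powershell
# Added example. Host name and PFX path are the thread's placeholders; $PwdFile and
# $Stamp are hypothetical paths introduced for this sketch.
$ErrorActionPreference = 'Stop'
$HostName = 'mail.mydomain.com'
$PfxPath  = 'C:\SmarterMail\mail.mydomain.com.pfx'
$PwdFile  = 'C:\SmarterMail\pfxpass.dpapi'   # DPAPI-protected password (assumption)
$Stamp    = "$PfxPath.thumbprint"            # thumbprint of the last export (assumption)

# Newest unexpired certificate that has a private key and lists the host name as a
# DNS name. The exact comparison avoids the regex/substring matching of -match.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $HostName in LocalMachine\My" }

# Nothing to do if this certificate was already exported.
if ((Test-Path $PfxPath) -and (Test-Path $Stamp) -and
    (([string](Get-Content $Stamp -Raw)).Trim() -eq $cert.Thumbprint)) {
    Write-Output "PFX already current ($($cert.Thumbprint))"
    return
}

# Decrypt the stored password. The file was created once, under the task's account:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PwdFile
$password = Get-Content $PwdFile | ConvertTo-SecureString

# Export certificate and private key; this throws if the key is not marked exportable.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null

# The PFX holds the private key: drop inherited ACEs, allow only SYSTEM and Administrators.
# Assumption: the mail service runs as one of these; otherwise grant its account read.
& icacls.exe $PfxPath /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

Set-Content -Path $Stamp -Value $cert.Thumbprint
Write-Output "Exported $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Because the script throws on any failure, the scheduled task's last-run result becomes a usable signal for the periodic check on the renewal process.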

Rafael Grecco Replied
Robert, thank you very much!
Heimir Eidskrem Replied
Thank you so much Robert.
I set up Let's Encrypt using win-acme.
Needed to create the export and was looking for a script.
Perfect timing...

H.


Kyle Kerst Replied
Employee Post
I am happy to hear you were able to get this resolved. For future reference this process is detailed in the following KB article: 


Once set up, the certificate renewal, export, and binding should all be automated using those steps. I do recommend you check in on this process periodically to ensure things are running smoothly.
Kyle Kerst Acting IT Manager SmarterTools Inc. www.smartertools.com
Heimir Eidskrem Replied
Thanks Kyle,
Very helpful and great timing.

