How to get a certificate on Windows with Certify The Web

How to request an SSL certificate (that includes wildcard domains!) that automatically renews for you and that you can use on the FREE Infinity tier.

I recently had a couple of threads on the support forum asking various questions about SSL certificates, how to obtain ones for multiple domain names etc., and there were several people (including the admin!) who seemed interested in how I had managed to get a wildcard certificate without needing to be on the premium tier, as this is something that even InfinityFree is limited by as it is their provider, iFastNet, that (presumably) are handling the SSL and Infinity have just hooked into that.

As we all know, as long as your certificate is 2048 bits or under, you can upload your certificate/key pair via the cPanel. This is effectively how I got a wildcard certificate. I didn’t use the InfinityFree SSL generation tool to get a Let’s Encrypt certificate, but instead, I found another tool that obtained my Let’s Encrypt certificate for me.

No 3rd party domain providers are required! You don’t even need to add TXT records, or other such validation methods to verify you own the domain. The tool I use (which is effectively the Windows equivalent of Certbot, the Linux tool that Let’s Encrypt gives you to encode, request & manage your certificates) - Now, the question the admin asked was, did I manage to set up auto-renewal, because this requires ACME authorization which needs to add a TXT record to your domain, which changes upon every renewal - so unless your DNS provider has an API to do this, you have to do it manually.

The quick answer is yes! There are a bunch of DNS providers listed in my tool, which provide APIs so that the tool can do this itself. However, mine (and Infinity’s) is not on that list. My DNS does have an API, but it’s not listed in the tool so I cannot use it, and Infinity doesn’t have one.

But you don’t need any of that! All you need to do is add a CNAME record for each domain you are requesting a certificate for! And you can do that within your InfinityFree cPanel (or whatever DNS host you use)

This acme-DNS service wraps up the Let’s Encrypt TXT process! So instead of having to manually enter those annoying strings into your DNS every 90 days, the above CNAME handles it all for you, automating the renewal.

HOW TO GET YOUR SSL CERTIFICATE
1. Download and install the Certify The Web Windows tool. https://certifytheweb.com/home/download
2. Add your site - you do not need to add an IIS site, that is purely to install your certificate if you happen to be running the tool on a Windows Server host. But remember to mark your domain as primary, and add the wildcard variant as well.
So in the Add Domains To Certificate: text box, you would put example.com, *.example.com, and click the plus button, then in the list that appears below, mark example.com as the primary domain. You can add as many domains as you like (I haven’t tested this multiple-domain feature with Infinity yet - but you still need a primary domain marked).
3. Click the ADVANCED tab above, choose Certificate Authority and select Let’s Encrypt from the list.
4. Click the AUTHORIZATION button on the far left (if there is a tab open here, click the → arrow at the top and the tab will fold in, showing the Certificate, Authorization, Deployment, etc. buttons). In the Challenge type drop-down list, select DNS-01 as the challenge type, and in the DNS Update Method, select acme-dns DNS API from the list (it is the one at the top).

Now you are ready to click the TEST button! The tool will simulate the certificate request, and generate a list of errors for every domain you added. Click the main error line at the top of the panel that just popped out on the right of the tool. It will unfold to reveal your error(s) (which is simply telling you that DNS authorization has failed, which we expect since we haven’t set it up yet!).
Now, if you click each error, it will copy the DNS record that you need to add for that domain into the clipboard. It will look something like this:

acme-dns DNS API :: [Action Required] To complete setup, add a CNAME record in your DNS:
_acme-challenge.example.com
with the value:
b80e70b4-b0c5-4245-bf4e-4033c71a759e.auth.acme-dns.io

Now you need to go to the CNAME section of the Infinity cPanel (or edit the DNS record for the domain at your own domain host) and add in the SOURCE field the label _acme-challenge and in the DESTINATION field the value with the long string ending with acme-dns.io

Do this for each and every domain you added to the certificate (remember at the moment I am assuming Infinity only lets you add one domain and its wildcard per certificate, but I shall be testing multiple ones shortly).

5. Now you are ready to generate your certificate! Just hit the REQUEST CERTIFICATE button. When you are finished, the certificate files will be installed onto your computer - you can view them in the certificate manager (I suggest you delete them from here anyway).
The key and cert (PEM) can be found at %ProgramFiles%\certify\assets\ and you can open the certificate/key in Notepad++, and copy the bit between and including:

-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----

Paste these into your cPanel in the SSL/TLS menu!

Job done :smiley:

3 Likes
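The CNAME step in the post above can be checked before requesting the certificate. The following is an added example, not part of the original post and not Certify The Web's own code: it parses the tool's "Action Required" message, derives the cPanel SOURCE/DESTINATION fields, and audits resolved CNAMEs against what the tool issued, since a record pointing at any other target hands DNS-01 validation for that name to whoever controls that target. The function names and the dictionaries of resolved records are assumptions for illustration; the sample message reuses the values shown in the post.

```python
import re

# Constructed sample: the message format and values shown in the post.
TOOL_MESSAGE = """acme-dns DNS API :: [Action Required] To complete setup, add a CNAME record in your DNS:
_acme-challenge.example.com
with the value:
b80e70b4-b0c5-4245-bf4e-4033c71a759e.auth.acme-dns.io"""

MSG_RE = re.compile(
    r"add a CNAME record in your DNS:\s*(?P<name>\S+)\s*with the value:\s*(?P<target>\S+)",
    re.IGNORECASE)

def challenge_name(domain):
    """DNS-01 validates at _acme-challenge.<base>; a wildcard drops its '*.' first."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("*."):
        d = d[2:]
    return "_acme-challenge." + d

def parse_tool_message(text):
    """Return (record name, CNAME target) from the tool's instruction text."""
    m = MSG_RE.search(text)
    if not m:
        raise ValueError("no CNAME instruction found")
    return m["name"].lower().rstrip("."), m["target"].lower().rstrip(".")

def cpanel_fields(name, target, zone):
    """Split the record name into the SOURCE label relative to the hosted zone."""
    zone = zone.lower().rstrip(".")
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    return {"SOURCE": name[: -len(zone) - 1], "DESTINATION": target}

def audit(cert_domains, live_cnames, expected):
    """Compare resolved CNAMEs with the targets the tool issued.
    Both dicts map record name -> CNAME target (hypothetical inputs)."""
    report = {}
    for name in sorted({challenge_name(d) for d in cert_domains}):
        want, have = expected.get(name), live_cnames.get(name)
        if want is None:
            report[name] = "no instruction captured from the tool"
        elif have is None:
            report[name] = "missing"
        elif have.lower().rstrip(".") != want:
            report[name] = f"mismatch: points at {have}"
        else:
            report[name] = "ok"
    return report
```

The `live_cnames` dictionary can be filled from any resolver output, for example `Resolve-DnsName -Type CNAME` on Windows. Note that `example.com` and `*.example.com` map to the same `_acme-challenge.example.com` record name.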

A few important side notes to anyone reading this:

  • The tool can automatically get a new certificate, but not install it to your hosting account. You still need to do that by hand, so it’s not 100% automated.
  • This tool can create multi-domain certificates and wildcard certificates, but there is not much point to them. The first domain name in the certificate MUST match the domain name you’re installing it to, so you’ll need separate certificates for all your domain names anyways.

All in all, this tool isn’t substantially different from our own Free SSL Certificates tool. But if you prefer doing the certificate management with a desktop application instead of a web interface, you can use this guide.

3 Likes

Thanks for the update Mr Admin. I shall be modifying my instructions anyway so I will add that in. After I created this post, there were other things I wanted to put into it, but I couldn’t find it in my list of created posts (presumably because this board needs posts to be approved, so you can’t edit until that’s been done).

I need to add instructions on copying the certificate into a directory on your computer - the tool has an option to write PEM & CRT files directly to the C drive and turn off installing it into the local machine’s certificates.

You cannot have multi-domain certificates on InfinityFree. Yes it’s possible to do, but no you cannot use them here. However, a collection of subdomains is perfectly acceptable. And handy if you know exactly which ones you want to use https with.

However, I find a wildcard perfect for my needs. Don’t need a whole new certificate just because I’ve added a new subdomain. Yes, Let’s Encrypt’s short renewal period means you’ll have to get new ones sooner rather than later, but having to manually do it all again is a pain. Doing it this way takes all the hassle out of it, I get an email when the tool automatically renews my certificate(s). Then I go to the directory on my local machine C drive, and just copy the autogenerated file text and paste it into cPanel.

Ultimately I think the real reason I’ve ended up doing my certificates this way is simply because I cannot use InfinityFree nameservers.

I have my own MX records that will be a pain to shift over, and also I need to create DNS records of a type that cannot be edited in the cPanel (I believe we can only do CNAME and possibly MX?)

But if you add the subdomain here, you’ll still need a separate certificate for the subdomain, so all the additional domain names are useless. At least, as far as I know.

Unless I’m mistaken about that as well, of course. Do you have two subdomains here using the same certificate?

You don’t need to use our nameservers to use our Free SSL Certificates tool. The only requirement is that you need to be able to set a CNAME record in your DNS. This can be done almost anywhere, and if you can’t, then Certify The Web won’t work either.

MX records do work, and you can add some TXT records through the SPF Records tool. Only DKIM and DMARC can’t be set up.

3 Likes