The ACME protocol can be used for Windows web servers and other services as well. Since certbot supports binding only to Nginx servers, we will use another available tool, win-acme, a Windows ACMEv2 client that manages certificates on IIS Windows web servers and Exchange servers, or runs custom scripts to automate certificate issuance and renewal in Windows server environments. For more information about win-acme, refer to the win-acme documentation.
certbot can be used to manually manage certificates for Windows servers. You need to create your own automation scripts in order to achieve automated binding with the
To use win-acme with CZERTAINLY, you need to have the following:
- win-acme installed on the host server. You can download the installation file from the win-acme installation download section.
- Configured at least one
- Properly configured DNS records for the hostname you are trying to obtain the certificate for (for HTTP validation, the machine that win-acme is running on must have the correct common name configured in DNS).
- If you intend to use automated detection of the certificate common name, the IIS server needs to have at least one binding with a configured hostname (port 80, for instance).
- Access to the HTTP or DNS resources on your IIS web server that will be used to validate ACME challenges.
- ACME protocol enabled according to the Enable ACME guide.
For this guide, we will use http-01 challenge validation, but dns-01 can also be configured and the process is similar.
The win-acme client is designed to be used primarily as an ACMEv2 client for the Let's Encrypt Certification Authority and other ACME-compliant servers. Before the first use we need to configure the win-acme client to connect to the CZERTAINLY platform instead of the Let's Encrypt CA, which is the default server. To achieve this, we need to set up the correct endpoints in the win-acme configuration file settings.json. Edit the settings.json file located in the root of the win-acme directory with your preferred text editor and change the following lines:
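The fragment below is an added example of the relevant part of settings.json, not a snippet from the original guide; the CZERTAINLY host and the ACME directory path are placeholders that you take from your own Enable ACME configuration for the RA Profile czertainly.

```jsonc
{
  "Acme": {
    // Default value shipped with win-acme (Let's Encrypt production):
    // "DefaultBaseUri": "https://acme-v02.api.letsencrypt.org/",
    // Replace it with the ACME directory URL of the RA Profile "czertainly".
    // Placeholders <czertainly-host> and <acme-directory-path> are assumptions
    // for this example; the real values come from your CZERTAINLY instance.
    "DefaultBaseUri": "https://<czertainly-host>/<acme-directory-path>/",
    // Used when wacs.exe is started with --test; point it at a test RA Profile
    // with ACME enabled, or at the same directory if you have only one.
    "DefaultBaseUriTest": "https://<czertainly-host>/<acme-directory-path>/"
  }
}
```

settings.json is plain JSON, so remove the comment lines before saving. Verify the change by running wacs.exe and checking that the server address printed at the top of its menu is your CZERTAINLY directory URL, not the Let's Encrypt one.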
With these parameters, we are directly connecting to the already configured RA Profile named czertainly that has ACME enabled. For more information, follow the win-acme settings documentation.
win-acme plugin support: IIS and self-hosted HTTP challenge
Once every prerequisite and configuration is set up, you can run the win-acme executable file wacs.exe with administrator privileges (to enable automatic detection of IIS services) and follow these steps:
- Please choose from the menu: N (Create certificate, default settings)
- Depending on your setup, you can either input the hostname of the certificate manually or detect it from the IIS bindings. If the IIS bindings are configured correctly, you will be asked to point win-acme to the site you want to issue the certificate for.
- In case your IIS bindings are not configured, you will have to follow up with Full Options from the menu:
- When finalizing the selection of the certificate name, win-acme will automatically use the http-01 challenge. In this step win-acme will try to bind port 80 of the server and publish the challenge received from the ACME server; the challenge response will be served on port 80 of your server.
- Upon successful challenge validation, win-acme will create the HTTPS bindings in the
Make sure that the web server is reachable on the specified port number under the domain name you selected for the certificate, so that the CZERTAINLY platform can validate the challenge. If the server is not accessible to CZERTAINLY, it will not be able to validate the challenge and the process will fail.
The following represents a sample process of issuing a certificate for self-hosted IIS with binding to the host
# wacs.exe is the win-acme executable; the self-hosted validation plugin answers the http-01 challenge on port 80 (assumed here to match the menu-driven flow above)
.\wacs.exe `
  --source iis `
  --host www.example.com `
  --validation selfhosted
For more information about win-acme command line arguments, refer to the win-acme documentation.
Automation of certificate renewal
win-acme can automatically renew any certificate that it obtained from the ACME server using a Windows Task Scheduler task. To configure automated renewal, follow these steps:
- Run wacs.exe with administrator privileges
- Please choose from the menu:
- Please choose from the menu: T ((Re)Create Scheduled Task)
- Please specify the user you want the task to run under (a user with administrator privileges is recommended to allow automatic binding configuration on the
- The scheduled task for automatic renewal of all certificates managed by win-acme is now created
Compatibility issues in older versions of Windows server
win-acme might have issues running properly on older versions of Windows Server (2012 and older) because of compatibility problems with the TLS 1.2 cipher suites. If you are struggling to establish a connection with the ACME server, consult the SSL and TLS settings with the administrators of your system.