How to Install an ACME SSL Certificate on Windows IIS? (using Win-acme)
An ACME SSL certificate is a TLS certificate issued automatically through the ACME protocol, a standard used by free, publicly trusted certificate authorities to handle certificates at scale. “ACME” stands for Automated Certificate Management Environment. It handles the full certificate lifecycle: issuance, validation, installation, and renewal without human intervention.
For Windows IIS (Internet Information Services), this matters because IIS does not have a built-in ACME client. Other web servers on Linux have native ACME integrations. IIS has nothing out of the box.
Without a dedicated ACME client like Win-ACME, every certificate renewal is a manual process, one that every sysadmin eventually forgets until the site goes down.
Win-ACME is the most widely adopted ACME client for Windows IIS. It integrates directly with the IIS API, reads your site bindings, and installs certificates with zero manual copying or binding configuration.
What Do You Need Before Installing Win-ACME?
You need four things before starting. Missing any one of them causes the installation to fail.
Windows Server with IIS installed:
Win-ACME supports Windows Server 2012 R2, 2016, 2019, and 2022. IIS must already be installed and running with at least one active site. The IIS Management Console (inetmgr) must be accessible.
A Domain Name with DNS pointed to your Server:
The ACME protocol validates domain ownership by sending an HTTP challenge to your domain. Your domain’s A record must point to your server’s public IP address before you run Win-ACME. Without this, the challenge fails, and no certificate is issued.
Port 80 is Open on your Firewall:
The HTTP-01 challenge hits port 80. If your Windows Firewall or external firewall blocks inbound port 80, validation fails. This is the single most common cause of Win-ACME failures on corporate networks.
Administrator access on the Server:
Win-ACME writes to the Windows Certificate Store and modifies IIS bindings. It requires local Administrator or SYSTEM-level privileges to run. Always run it from an elevated command prompt.
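The four prerequisites above can be checked in one pass before running Win-ACME. This PowerShell pre-flight script is an added example, not part of Win-ACME or the original article; the hostname and IP address are placeholders you must replace.

```powershell
# Added example: pre-flight check for the four prerequisites listed above.
# $HostName and $PublicIp are placeholders (assumptions); set them for your server.
param(
    [string]$HostName = 'example.com',
    [string]$PublicIp = '203.0.113.10'   # documentation-range address, not a real server
)
$checks = [ordered]@{}

# 1. Elevation: Win-ACME writes to the certificate store and IIS bindings.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
$checks['Elevated session'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. IIS: the W3SVC service is running and at least one site is started.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$checks['IIS service running'] = ($null -ne $w3svc -and $w3svc.Status -eq 'Running')
$sites = @()
if ($w3svc) {
    Import-Module WebAdministration
    $sites = @(Get-Website | Where-Object State -eq 'Started')
}
$checks['Started IIS site'] = ($sites.Count -gt 0)

# 3. DNS: the A record must resolve to this server's public IP.
$a = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'A' })
$checks["A record -> $PublicIp"] = ($a.IPAddress -contains $PublicIp)

# 4. Port 80: something is listening, and an enabled inbound allow rule names TCP 80.
#    This only inspects Windows Firewall; an external firewall must be tested from outside.
$listen = @(Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue)
$checks['Port 80 listening'] = ($listen.Count -gt 0)
$rules = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '80' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
$checks['Firewall allows TCP 80'] = ($rules.Count -gt 0)

# Report; fix any FAIL before running wacs.exe.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```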
How Do You Download and Install Win-ACME on Windows Server?
Downloading Win-ACME takes only a couple of minutes. It is just a zip archive that you unzip into a folder.
Step 1: Download the Archive
Download Win-ACME from the official GitHub repository.
Go to https://github.com/win-acme/win-acme/releases and download the most recent stable version. The current stable version follows the naming convention win-acme.v2.2.x.x.x64.pluggable.zip.
Make sure that you download the pluggable version so that you can use DNS challenges if you need wildcard certificates in the future.
Do not download from third-party mirrors. Use only the official Win-ACME GitHub page or https://www.win-acme.com.
Step 2: Extract the Archive
Unzip to a permanent folder. A well-documented path is:
C:\tools\win-acme\
Please do not save it in a temp folder or in your Downloads folder.
Win-ACME keeps its configuration files, account keys, and renewal task information in a subfolder of the folder where it is executed. Moving the folder later will interrupt scheduled renewals. Because the account keys live there, limit write access on this folder to administrators.
Step 3: Check the Contents
Once extracted, your folder should include:
- wacs.exe: the main executable
- settings.json: the settings file
- Several .dll plugin files
If the archive is corrupted, or if wacs.exe is not found, re-download it.
How Do You Run Win-ACME and Issue Your First Certificate?
Win-ACME offers two modes: Simple Interactive Mode and Unattended Mode. Start with Simple Interactive Mode for your first certificate.
Step 1: Open an elevated Command Prompt
Press Win + X, select “Windows PowerShell (Admin)” or “Command Prompt (Admin).” Navigate to your Win-ACME directory:
cd C:\tools\win-acme
Step 2: Launch wacs.exe
wacs.exe
The Win-ACME menu appears. You see options labelled N, M, R, A, O, L, and Q.
Step 3: Select “N” Create certificate (simple for IIS)
Press N and hit Enter. Win-ACME reads your IIS configuration and lists all active sites.
Step 4: Select your IIS Site
Win-ACME displays a numbered list of all IIS sites it detects. Select the number corresponding to the site you want to secure.
Example Output:
1. Default Web Site (example.com, www.example.com)
2. MyApp (myapp.example.com)
Enter 1 to select the Default Web Site.
Step 5: Confirm the Bindings
Win-ACME shows the hostnames it detected. Confirm the list is correct. If you have both example.com and www.example.com as bindings, Win-ACME issues a SAN certificate covering both automatically.
Step 6: Choose the Validation Method
For most IIS setups, select the option “[http-01] Save verification files on (network) path”.
Win-ACME creates a temporary .well-known/acme-challenge/ folder in your IIS site root, the certificate authority validates it, and Win-ACME removes the folder after validation is complete.
If your site is behind a reverse proxy or CDN, you need DNS-01 validation instead. Select the DNS plugin matching your DNS provider.
Step 7: Accept the Terms of Service and Enter your Email
The ACME certificate authority requires acceptance of its Terms of Service the first time you register. Enter your email address. The authority uses it to notify you of certificate expiry if automated renewal fails.
Step 8: Certificate Issuance and IIS Binding Update
Win-ACME contacts the ACME API, completes the challenge, downloads the certificate, imports it into the Windows Certificate Store (LocalMachine\WebHosting store), and updates your IIS HTTPS binding, all automatically.
A successful run ends with: Certificate installed and scheduled for automatic renewal.
How Does Win-ACME Handle Automatic Renewal?
Win-ACME creates a Windows Scheduled Task called win-acme renew that runs daily at a random time (usually between 9:00 AM and 11:00 AM), which Win-ACME sets automatically.
ACME certificates issued through this protocol expire after 90 days. Win-ACME renews them every 60 days, which is 30 days before their expiration date. This 30-day buffer gives you time to take corrective action if a renewal fails before the certificate expires.
To check if the scheduled task is present:
- Start Task Scheduler (taskschd.msc).
- Navigate to Task Scheduler Library.
- Look for the task named win-acme renew.
If the task is not found, execute:
wacs.exe --setuptaskscheduler
This re-registers the renewal task but does not re-issue the certificate.
Conclusion
You now have a Windows IIS server that automatically gets and renews ACME SSL certificates using Win-ACME.
This setup does several things for you:
- It gives you SSL certificates that people can trust. These certificates work with Google Chrome, Microsoft Edge and Mozilla Firefox.
- Your Windows IIS server will automatically renew these certificates using the Windows Task Scheduler.
- It also works well with Microsoft IIS. It will update your HTTPS settings for you.
- You can even get SSL certificates if you use DNS validation plugins.
Before you start using this, you should check a few things:
- Make sure the HTTPS setting in IIS Manager is using the ACME SSL certificate.
- Check the Windows Task Scheduler to make sure the task that renews your Win-ACME certificates is turned on.
- Test your website using the SSL Test to make sure it gets a rating.
If all of these things are okay, then your Windows IIS server is ready to use.
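The binding and renewal-task checks above, together with the earlier Task Scheduler check, can be scripted. This PowerShell audit is an added example, not code from Win-ACME or the original article. It assumes an elevated session, takes the 30-day threshold from the renewal buffer described in this article, and matches the task name by the win-acme renew prefix.

```powershell
# Added example: audit IIS HTTPS bindings and the Win-ACME renewal task.
Import-Module WebAdministration
$RenewBufferDays = 30   # renewal buffer stated in this article

# 1. Resolve the certificate behind every HTTPS binding.
$report = foreach ($site in Get-Website) {
    foreach ($b in @($site.Bindings.Collection | Where-Object protocol -eq 'https')) {
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Site       = $site.Name
            Binding    = $b.bindingInformation
            Store      = $store                 # Win-ACME installs into WebHosting
            Thumbprint = $b.certificateHash
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            DaysLeft   = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
            HasKey     = [bool]$cert.HasPrivateKey
        }
    }
}
$report | Format-Table -AutoSize

# 2. A certificate with fewer days left than the buffer means renewal did not
#    happen when it should have; a missing certificate means a broken binding.
$report | Where-Object { $null -eq $_.DaysLeft -or $_.DaysLeft -lt $RenewBufferDays } |
    ForEach-Object { Write-Warning "$($_.Site) [$($_.Binding)]: certificate missing or inside the renewal buffer" }

# 3. The renewal task must exist, be enabled, and have run recently.
$tasks = @(Get-ScheduledTask -TaskName 'win-acme renew*' -ErrorAction SilentlyContinue)
if ($tasks.Count -eq 0) {
    Write-Warning 'Renewal task not found. Re-register it with: wacs.exe --setuptaskscheduler'
}
foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    if ($t.State -eq 'Disabled') { Write-Warning "Task '$($t.TaskName)' is disabled" }
    [pscustomobject]@{
        Task       = $t.TaskName
        State      = $t.State
        RunAs      = $t.Principal.UserId
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult    # 0 means the last run succeeded
        NextRun    = $info.NextRunTime
    }
}
```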
Do you need help getting or setting up SSL certificates for your Windows IIS server? You can contact us to buy trusted SSL certificates from companies like DigiCert and Sectigo. We can also help you set them up.