In today's digital landscape, securing your web applications with SSL certificates is essential to ensure data privacy and build trust with your users. Let's Encrypt provides a free, automated, and open certificate authority, offering a streamlined solution for SSL certificate management. Win-ACME is a powerful tool that simplifies the process of generating and installing Let's Encrypt SSL certificates on IIS (Internet Information Services).
This guide will walk you through the steps required to successfully issue Let's Encrypt SSL certificates using Win-ACME in IIS, ensuring that the entire process is smooth and error-free. By following the procedures outlined in this document, you will be able to deploy secure connections for your websites with confidence, while maintaining proper configuration throughout.
How to Use Win-ACME to Generate Let's Encrypt SSL Certificates on Windows
Win-ACME is a simple, powerful ACMEv2 client that allows Windows users to generate and automatically renew Let's Encrypt SSL certificates. This guide walks you through installing and running Win-ACME successfully.
Step 1: Download and Extract Win-ACME
- Visit the official Win-ACME website: https://www.win-acme.com/.
- Download the latest standalone version (64-bit or 32-bit as per your system).
- Extract the downloaded ZIP file to a directory, such as C:\win-acme.
Step 2: Open PowerShell and Navigate to Win-ACME Directory
- Open PowerShell as Administrator.
- Change the directory to where you extracted Win-ACME:
cd C:\win-acme
Step 3: Run Win-ACME
Since PowerShell does not execute commands from the current directory by default, you need to run the executable with the .\ prefix:
.\wacs.exe
If the command is not recognized, ensure you are in the correct directory and that wacs.exe exists.
Step 4: Select the Certificate Creation Mode
After running wacs.exe, you'll see a menu with options. Choose the Create certificate (full options) mode by typing:
m
Step 5: Select the Domain Source
You will now be asked how you want to determine the domain(s) for the SSL certificate:
- Option 1: Read bindings from IIS (recommended if using IIS)
- Option 2: Enter domains manually
- Option 3: Use a CSR from another program
For IIS users, type 1 and press Enter.
Step 6: Select Websites for SSL Certificate
- If you have multiple websites in IIS, you will be prompted to enter site identifiers.
- Leave the input blank to scan all websites, or specify a site identifier and press Enter.
Next Steps:
- Follow additional prompts for email registration, private key storage, and verification.
- Upon successful issuance, the certificate will be saved and can be configured for IIS or other services.
- Win-ACME can also schedule automatic renewals for your certificate.
This process ensures a secure, automated way to manage SSL certificates with Let's Encrypt on a Windows server! 🚀
Certificate Storage Options
When generating an SSL certificate, you can store it in multiple ways to make it accessible to your applications. The Windows Certificate Store is the default location for IIS unless managing a cluster.
Storage Options:
- IIS Central Certificate Store (.pfx per host)
- PEM encoded files (Apache, nginx, etc.)
- PFX archive
- Windows Certificate Store (Local Computer)
- No additional store steps
Selected Storage Method:
- Windows Certificate Store (Local Computer) - Option 4
- Dedicated store for IIS (WebHosting) - Option 1
Successful Certificate Request and Installation
Step 1: Initiating the Certificate Request
A certificate request was successfully initiated for the following domains:
This indicates that a request for an SSL/TLS certificate has been made for multiple domain names. The domains listed include both the root domain (e.g., domain.com) and its associated "www" subdomain (e.g., www.domain.com), ensuring that both versions of the domain are properly secured with an SSL certificate.
The successful initiation of this request means that Win-ACME has begun the process of verifying domain ownership and issuing the SSL certificate. This step is crucial for enabling secure, encrypted communication between users and the websites associated with these domains. Once the certificate is issued, HTTPS (secure HTTP) will be enabled, ensuring that all data transmitted between the server and its users is encrypted and protected from interception or tampering.
Step 2: Certificate Installation in IIS
- The certificate was downloaded and stored in the selected Windows Certificate Store (WebHosting).
- It was installed and assigned to the corresponding IIS bindings.
- The following HTTPS bindings were updated:
- *:443:domain.com
- *:443:www.domain.com
- Server Name Indication (SNI) was enabled to prevent conflicts.
Step 3: Task Scheduler Automation for Renewal
A scheduled task was created to automatically renew certificates before expiration. The task settings include:
- Task Name: win-acme renew (acme-v02.api.letsencrypt.org)
- Command: wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
- Execution Time: 09:00 AM daily
- Random Delay: 4 hours
- Time Limit: 2 hours
To create this task manually, run the following PowerShell command:
# Action: run the Win-ACME renewal against the Let's Encrypt production endpoint
$Action = New-ScheduledTaskAction -Execute "C:\win-acme\wacs.exe" -Argument "--renew --baseuri 'https://acme-v02.api.letsencrypt.org/'"
# Trigger: once a day at 09:00
$Trigger = New-ScheduledTaskTrigger -Daily -At 9am
# Settings: random start delay of up to 4 hours, and kill the task if it runs longer than 2 hours
$Settings = New-ScheduledTaskSettingsSet -RandomDelay (New-TimeSpan -Hours 4) -ExecutionTimeLimit (New-TimeSpan -Hours 2)
# Register the task to run as SYSTEM with highest privileges so it can write to the machine certificate store and IIS bindings
Register-ScheduledTask -TaskName "win-acme renew" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM" -RunLevel Highest
Step 4: Confirming Certificate Validity
After installation, the certificates were validated by:
- Checking the IIS bindings for the correct certificate thumbprints.
- Accessing https://coryretherford.com and https://ashleyretherford.com in a browser to confirm secure HTTPS connections.
- Running the command:
certutil -store WebHosting
to verify the certificates are present in the correct store.
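The checks above can be combined into one script. The following PowerShell is an added example, not part of Win-ACME or the original page: it walks every HTTPS binding in IIS, looks up the bound certificate by thumbprint in the store the binding names (WebHosting in this guide), reports days until expiry, and confirms the renewal task exists. The 30-day warning threshold is an assumption chosen for this example.

```powershell
# Added verification script (not part of Win-ACME): check each IIS HTTPS binding
# against its certificate store and report days until expiry.
Import-Module WebAdministration

$warnDays = 30   # assumption: flag certificates with fewer than 30 days remaining

# Each HTTPS binding exposes the thumbprint and store name of its assigned certificate
$bindings = Get-WebBinding -Protocol https
foreach ($b in $bindings) {
    $thumb    = $b.certificateHash
    $store    = $b.certificateStoreName
    $hostName = ($b.bindingInformation -split ':')[-1]   # "*:443:domain.com" -> "domain.com"

    # Look the certificate up in the Local Computer store the binding points to
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation): certificate $thumb not found in store $store"
        continue
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status   = if ($daysLeft -lt $warnDays) { 'RENEW SOON' } else { 'OK' }
    [pscustomobject]@{
        Host       = $hostName
        Store      = $store
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

# Confirm the renewal task is registered and see when it last ran and with what result
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like 'win-acme renew*' }
if ($task) {
    $task | Get-ScheduledTaskInfo | Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
} else {
    Write-Warning 'No win-acme renew scheduled task found'
}
```

Run it in an elevated PowerShell session on the IIS host; a LastTaskResult of 0 means the last renewal run completed without error.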
Step 5: Verifying Renewal Status
- The renewal date for the certificates is set for 3 months per the CA/Browser Forum (CAB Forum), which sets guidelines for issuing and managing SSL/TLS certificates to ensure consistency and trust. Since September 2020, they have mandated that all publicly trusted certificates, including those from Let's Encrypt, must have a 90-day validity period. This shorter duration promotes automation of certificate renewal, reducing the risk of vulnerabilities from expired certificates and enhancing security. Tools like Win-ACME and Certbot help organizations automate the process, ensuring regular updates and improved cryptographic standards. This approach ensures better security and reduces administrative overhead.
- The renewal process will run automatically via the Task Scheduler.
- Manual renewal can be triggered using:
.\wacs.exe --renew --force
Conclusion
This process will successfully issue and install the SSL certificates for the required domains. In this example, IIS was updated accordingly, and an automated renewal process was scheduled to ensure continued HTTPS availability. If any changes to DNS or server configuration are made, ensure that the validation process remains functional for future renewals.
To manually verify and test the scheduled renewal process, you can run:
Start-ScheduledTask -TaskName "win-acme renew"
This will trigger the renewal task immediately and log any issues that may arise.