How to install Let’s Encrypt in IIS using win-acme

This guide covers the installation and management of Let’s Encrypt SSL/TLS certificates on an IIS server using the win‑acme tool. The tool is an officially recognized ACME client for Windows that communicates with the Let’s Encrypt platform to:

  • Issue new certificates,
  • Validate domains (HTTP-01 or DNS-01 challenge),
  • Install them on IIS,
  • Automatically renew them.

This guide walks you step-by-step through downloading, installing, and using win‑acme to issue and automatically renew Let’s Encrypt SSL/TLS certificates for your IIS server — without using a control panel.


Prerequisites

  • Your server runs Windows Server with IIS installed.
  • You have Administrator rights on the system.
  • Your domain(s) point to the server’s IP address.
  • You have at least one HTTP (port 80) binding in IIS for the hostname you want to secure.
  • You have access to download win‑acme from the official site.

Step 1: Download and extract win‑acme

Visit https://www.win-acme.com/ and download the latest version of the tool. Extract the ZIP file into a suitable folder, e.g. C:\Program Files\win-acme.


Step 2: Launch the tool

Run wacs.exe as Administrator. The command-line menu lists the available options. Press N (New certificate) to start the certificate creation process.


Step 3: Create the certificate

  • Select the IIS site number you want to secure.
  • Choose whether to secure all bindings (press Enter or A for “All bindings”).
  • Accept the Terms of Service.
  • The tool will perform validation (HTTP‑01 challenge) and issue the certificate.

Step 4: Automatic renewal

After issuance, win‑acme creates a Windows scheduled task to automatically renew the certificate before it expires (typically ~60 days before).


Advanced settings (optional)

You can use parameters like:

wacs.exe --source iis --host "yourdomain.com,www.yourdomain.com" --store certificatestore --installation iis --accepttos

Or for wildcard/SAN certificates using DNS‑01 validation:

wacs.exe --source manual --host "*.example.com" --validationmode dns-01 --validation cloudflare --cloudflareapitoken YOUR_TOKEN --installation iis --accepttos

Verification and confirmation

After installation, check the following:

  • In IIS Manager → Sites → Binding, ensure there’s an HTTPS binding (port 443) with the new certificate.
  • In your browser, open your site via https:// and confirm it’s secure.
  • In Task Scheduler, verify the win‑acme scheduled task exists.
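
The checks above can also be scripted. The following PowerShell is an added example, not part of win-acme or of the original guide. It assumes the WebAdministration module that ships with IIS, an elevated session, and that the renewal task name contains "win-acme"; the 30-day warning threshold is a constructed value.

```powershell
# Added example: audit HTTPS bindings and the win-acme renewal task.
# Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$warnDays = 30   # constructed threshold, adjust to your renewal policy

# 1. Every HTTPS binding and the certificate it actually serves
$httpsBindings = @(Get-WebBinding -Protocol https)
if ($httpsBindings.Count -eq 0) { Write-Warning 'No HTTPS binding found in IIS.' }

$report = foreach ($b in $httpsBindings) {
    $cert = $null
    if ($b.certificateHash -and $b.certificateStoreName) {
        # Bindings reference the certificate by store name and thumbprint
        $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
    }
    if (-not $cert) {
        $days = $null; $status = 'NO CERTIFICATE FOUND'
    } else {
        $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        if ($days -lt 0) { $status = 'EXPIRED' }
        elseif ($days -lt $warnDays) { $status = 'RENEWAL OVERDUE' }
        else { $status = 'OK' }
    }
    [pscustomobject]@{
        Binding  = $b.bindingInformation     # format: IP:port:hostname
        Issuer   = $cert.Issuer              # empty when no certificate was found
        NotAfter = $cert.NotAfter
        DaysLeft = $days
        Status   = $status
    }
}
$report | Format-Table -AutoSize

# 2. The scheduled task that renews the certificates
#    (matching on "win-acme" in the task name is an assumption)
$tasks = @(Get-ScheduledTask | Where-Object TaskName -like '*win-acme*')
if ($tasks.Count -eq 0) {
    Write-Warning 'No win-acme scheduled task found: certificates will not renew.'
}
foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $t.TaskName
        State      = $t.State                               # should not be Disabled
        LastRun    = $info.LastRunTime
        LastResult = '0x{0:X}' -f $info.LastTaskResult      # 0x0 means success
        NextRun    = $info.NextRunTime
    }
}
```

A binding reported as RENEWAL OVERDUE while the task shows a non-zero LastResult usually means the scheduled renewal is failing and needs attention before the certificate expires.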

Tips & best practices

  • Ensure your DNS records are up to date before certificate issuance.
  • Keep the tool in its original folder (do not move wacs.exe after installation, or renewal tasks may fail).
  • In production environments, prefer DNS‑01 validation for wildcard certificates.
  • Keep win‑acme updated to the latest version for improvements and security fixes.
