Example: Win-ACME with IIS using HTTP-01 Domain Validation

This tutorial walks you through configuring Win-ACME on a Windows Server to request and install SSL/TLS certificates using HTTP-01 validation and your GeoCerts-provided ACME Directory URL. This is ideal for IIS-based sites or any Windows server with an HTTP listener.


Prerequisites

  • Windows Server with IIS installed and a working website.
  • Administrative access to the server.
  • GeoCerts ACME Directory URL, EAB credentials (KID and HMAC).
  • Public DNS resolution of your domain to the server’s IP address.
  • Port 80 open on your firewall and reachable from the internet.
  • Win-ACME v2.2.9+ (Pluggable version preferred).

Step 1: Download Win-ACME

Download the latest Pluggable release from the official Win-ACME Documentation site. Unzip it to a directory like:

C:\Tools\win-acme\

Step 2: Launch Win-ACME in Advanced Mode with GeoCerts ACME URL

Open PowerShell as Administrator and run:

.\wacs.exe --baseuri https://one.digicert.com/mpki/api/v1/acme/v2/directory

📝 Note: If you omit the --baseuri parameter, Win-ACME will default to Let’s Encrypt. Always specify your GeoCerts ACME Directory URL to ensure the request goes to the correct certificate authority.

You’ll see the interactive menu. Choose:

M: Create certificate (full options)

The --baseuri setting will be saved in Win-ACME’s configuration and used automatically for renewals and reissues, so you only need to enter it once per certificate lifecycle.


Step 3: Choose Domain Source

Select how you want to determine the domains:

1: Read bindings from IIS

This option lets Win-ACME scan your IIS configuration and automatically detect hostnames already bound to existing sites. For most environments, you’ll see the Default Web Site, and Win-ACME will list the binding(s) it finds, such as:

Found binding: shop.example.com

You can select from these detected hostnames to include in your certificate request. Ensure the chosen domain is publicly resolvable and points to this server.

After selecting your bindings, Win-ACME will prompt:

Would you like to split this source into multiple certificates?

1: Separate certificate for each domain (e.g. *.example.com)
2: Separate certificate for each host (e.g. sub.example.com)
3: Separate certificate for each IIS site
4: Single certificate
C: Abort

We recommend choosing option 4: Single certificate for most environments. This simplifies management and is sufficient unless you have very specific reasons to split your certificate.


Step 4: Validation Method

Choose:

2: [http] Serve verification files from memory

Ensure that the website resolves externally and is accessible on port 80. Win-ACME will temporarily serve the required .well-known/acme-challenge file from memory.


Step 5: Choose Key Type

After domain ownership has been validated, Win-ACME will ask which type of key to use when generating the Certificate Signing Request (CSR):

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

We recommend choosing option 2: RSA key unless you have a specific need for Elliptic Curve keys. RSA is widely compatible and is the default choice for most environments.


Step 6: Choose Certificate Store Location

Once the certificate is ready, you’ll be asked where to store it:

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

We recommend choosing option 4: Windows Certificate Store (Local Computer) for IIS environments unless you have specific needs for exporting files or managing across multiple servers.

Immediately afterward, Win-ACME will prompt you to choose the specific certificate store:

1: [WebHosting] - Dedicated store for IIS
2: [My] - General computer store (for Exchange/RDS)
3: [Default] - Use global default, currently WebHosting

Choose store to use, or type the name of another unlisted store:

Select:

3: [Default] - Use global default, currently WebHosting

Would you like to store it in another way too?

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store (Local Computer)
5: No (additional) store steps

Select:

5: No (additional) store steps

Step 7: Installation

Select:

1: Create or update IIS bindings

This will automatically bind the issued certificate to your IIS site.


Step 8: ACME Account and EAB Credentials

When prompted to create an ACME account, you'll be asked to enter:

  • External Account Binding Key ID
  • External Account Binding HMAC Key

These credentials are required to authenticate your ACME client with DigiCert. You received them when you created your ACME Directory URL in the GeoCerts CertCommand portal. If you did not copy and save the EAB Key ID and HMAC Key at that time, they cannot be retrieved again. For security reasons, GeoCerts cannot provide you with the original keys. You will need to create a new ACME Directory URL in CertCommand to generate a fresh set of EAB credentials.


Step 9: Complete the Order

Once you complete the prompts, Win-ACME will:

  • Create your ACME account (if not already created)
  • Validate your domain via HTTP-01
  • Request the certificate
  • Install it to the Windows Certificate Store
  • Bind it to your IIS site

You’ll see output similar to this when the process completes successfully:

[INFO] Authorizing identifier shop.example.com using http-01
[INFO] Answer should now be browsable at http://shop.example.com/.well-known/acme-challenge/xyz...
[INFO] Authorization result: valid
[INFO] Requesting certificate shop.example.com
[INFO] Store with CertificateStore
[INFO] Installing with IIS
[INFO] Adding new https binding shop.example.com:443
[INFO] Installation step complete
[INFO] Adding renewal for shop.example.com
[INFO] Renewal added


Authorization result: valid
Order status: valid
Certificate installed successfully
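The same choices made interactively in Steps 2 through 8 can be passed to wacs.exe as command-line flags, which is how you would script the first issuance on several servers. The script below is an added example written for this page, not code from Win-ACME or GeoCerts. The flag names (--source, --siteid, --host, --validation, --store, --certificatestore, --installation, --eab-key-identifier, --eab-key, --accepttos, --emailaddress) are Win-ACME's own unattended-mode parameters as I know them for v2.2; confirm them against .\wacs.exe --help for your build before relying on this. The hostname, site id, contact address and environment-variable names are placeholders.

```powershell
# Added example (not from the page or from Win-ACME): unattended first issuance
# reproducing the interactive choices from Steps 2-8 as flags.
# Run from an elevated PowerShell session on the IIS server.
$BaseUri  = 'https://one.digicert.com/mpki/api/v1/acme/v2/directory'  # GeoCerts ACME Directory URL from Step 2
$HostName = 'shop.example.com'                                          # placeholder: host bound in IIS
$SiteId   = 1                                                           # placeholder: IIS site id (see Get-Website)
$Contact  = 'admin@example.com'                                         # placeholder: ACME account contact

# Read the EAB credentials from the session rather than hard-coding them in a file.
# Set them in the same elevated session first (values come from CertCommand, Step 8):
#   $env:GEOCERTS_EAB_KID  = '<EAB Key ID>'
#   $env:GEOCERTS_EAB_HMAC = '<EAB HMAC Key>'
$EabKid  = $env:GEOCERTS_EAB_KID
$EabHmac = $env:GEOCERTS_EAB_HMAC
if ([string]::IsNullOrWhiteSpace($EabKid) -or [string]::IsNullOrWhiteSpace($EabHmac)) {
    throw 'EAB Key ID / HMAC Key not set; they cannot be recovered from CertCommand (Step 8).'
}

Set-Location 'C:\Tools\win-acme'   # Step 1 install directory from the page

# One argument per element; comments map each group back to the interactive step.
$wacsArgs = @(
    '--baseuri', $BaseUri                                               # Step 2: GeoCerts, not Let's Encrypt
    '--source', 'iis', '--siteid', $SiteId, '--host', $HostName         # Step 3: read bindings from IIS
    '--validation', 'selfhosting'                                       # Step 4: serve challenge files from memory
    '--store', 'certificatestore', '--certificatestore', 'WebHosting'   # Step 6: Windows Certificate Store
    '--installation', 'iis'                                             # Step 7: create/update IIS bindings
    '--eab-key-identifier', $EabKid, '--eab-key', $EabHmac              # Step 8: External Account Binding
    '--accepttos', '--emailaddress', $Contact                           # account creation without prompts
)

& .\wacs.exe @wacsArgs
if ($LASTEXITCODE -ne 0) {
    throw "wacs.exe exited with code $LASTEXITCODE; check the Win-ACME log directory for the failed step"
}
```

Because the EAB HMAC key is passed on the command line, it is visible in process listings and in any command history or transcript for that session; keep the session transient and do not commit the environment-variable values to a script that is stored with the server build.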

Step 11: Test It

Browse to https://yourdomain.com and confirm:

  • HTTPS loads with no errors
  • The certificate issuer is DigiCert or GeoTrust

You can also run the GeoCerts SSL Checker to confirm.


Step 12: Automatic Renewals

Win-ACME automatically adds a scheduled task to renew certificates.

To check it:

schtasks /Query /TN "win-acme renewals"

To run manually:

.\wacs.exe --renew --baseuri https://one.digicert.com/mpki/api/v1/acme/v2/directory
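Browsing to the site (Step 11) tells you the handshake works, but not which certificate IIS is actually serving or whether the renewal task (Step 12) is healthy. The script below is an added example, not part of the page or of Win-ACME: it checks the certificate in the WebHosting store, confirms the https binding uses that thumbprint, and reads the last result of the win-acme scheduled task. It assumes the WebAdministration module that ships with IIS, an elevated session, that Step 6 stored the certificate in WebHosting, and that the task name starts with "win-acme"; the hostname and threshold are placeholders.

```powershell
# Added example (not from the page or Win-ACME): post-issuance verification for Steps 9-12.
Import-Module WebAdministration

$HostName    = 'shop.example.com'   # placeholder: the host you requested
$MinDaysLeft = 30                   # placeholder: warn when fewer days than this remain

# 1. Newest certificate for the host in the store chosen in Step 6.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\WebHosting' |
    Where-Object { $_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in Cert:\LocalMachine\WebHosting" }

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Issuer      : $($cert.Issuer)"
"Thumbprint  : $($cert.Thumbprint)"
"Expires     : $($cert.NotAfter) ($daysLeft days left)"
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key; IIS cannot serve it.' }
if ($daysLeft -lt $MinDaysLeft)  { Write-Warning "Fewer than $MinDaysLeft days left; renewal may be failing." }

# 2. The https binding created in Step 7 must reference that exact thumbprint,
#    otherwise IIS is still serving an older (possibly expired) certificate.
$binding = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like "*:443:$HostName" }
if (-not $binding) { throw "No https binding for $HostName on port 443" }
if ($binding.certificateHash -ne $cert.Thumbprint) {
    Write-Warning "Binding uses $($binding.certificateHash), not the newest certificate $($cert.Thumbprint)"
} else {
    "Binding     : OK ($($binding.bindingInformation), store $($binding.certificateStoreName))"
}

# 3. The scheduled renewal task from Step 12: present, enabled, and last run succeeded (0).
$tasks = Get-ScheduledTask | Where-Object TaskName -like 'win-acme*'
if (-not $tasks) { throw 'No win-acme scheduled task found; re-run wacs.exe so it re-adds the renewal' }
foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    "Renewal task: $($task.TaskName) state=$($task.State) lastRun=$($info.LastRunTime) result=$($info.LastTaskResult)"
    if ($info.LastTaskResult -ne 0) { Write-Warning "Last run of $($task.TaskName) did not return 0" }
}
```

A non-zero LastTaskResult together with a certificate that still has plenty of days left usually means the task ran but the renewal was not yet due; a non-zero result close to expiry is the case to investigate in the Win-ACME logs.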

Troubleshooting

Common issues and solutions:

  • If validation fails, check that port 80 is accessible
  • Ensure your domain DNS is properly configured
  • Verify IIS has proper permissions to write to the website directory (only relevant if you chose to serve verification files from the site's folder rather than from memory as in Step 4)
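The three checks above can be run before you start wacs.exe rather than after a failed order. The script below is an added example, not from the page or from Win-ACME. It resolves the host at a public resolver, compares the answer with the server's own addresses, confirms IIS has an http binding on port 80, tests TCP 80, and probes the .well-known/acme-challenge path for redirects or 403s that would break HTTP-01. It assumes the WebAdministration module, an elevated session, and outbound access to the resolver at 1.1.1.1; the hostname is a placeholder. A port test run from the server to its own public address only proves hairpin reachability, so an external check (for example the GeoCerts SSL Checker mentioned in Step 11) is still the real test.

```powershell
# Added example (not from the page or Win-ACME): HTTP-01 pre-flight checks for the
# Troubleshooting items (DNS, port 80, IIS binding, challenge path).
Import-Module WebAdministration

$HostName = 'shop.example.com'   # placeholder: the host you will request

# 1. Public DNS, asked at a public resolver so the server's own cache cannot mask a typo.
$answers   = Resolve-DnsName -Name $HostName -Type A -Server 1.1.1.1 -DnsOnly -ErrorAction Stop
$publicIPs = $answers | Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress
"DNS A records   : $($publicIPs -join ', ')"

# 2. Does an A record land on this machine, or is a NAT/firewall in front of it?
$localIPs = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress
$direct   = $publicIPs | Where-Object { $localIPs -contains $_ }
if ($direct) { "Local address   : $direct is bound on this server" }
else { Write-Warning 'No A record matches a local address; confirm TCP 80 is forwarded to this server' }

# 3. IIS needs an http binding on port 80 for the host (or a catch-all "*:80:" binding),
#    otherwise Step 3 "Read bindings from IIS" will not list the host.
$pattern = ':80:(' + [regex]::Escape($HostName) + ')?$'
$http80  = Get-WebBinding -Protocol http | Where-Object { $_.bindingInformation -match $pattern }
if ($http80) { "IIS http binding: $($http80.bindingInformation -join ', ')" }
else { Write-Warning "No IIS http binding on port 80 for $HostName" }

# 4. TCP 80 reachable on each public address (from this host; see the note on hairpin NAT).
foreach ($ip in $publicIPs) {
    $r = Test-NetConnection -ComputerName $ip -Port 80 -WarningAction SilentlyContinue
    "TCP 80 to $ip : $(if ($r.TcpTestSucceeded) { 'open' } else { 'CLOSED' })"
}

# 5. The challenge path must not be redirected to https or blocked. Before issuance a
#    404 is the expected answer; a 301/302 or 403 points at URL Rewrite or request-filtering rules.
$probe = "http://$HostName/.well-known/acme-challenge/preflight-probe"
try {
    $resp = Invoke-WebRequest -Uri $probe -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    "Challenge path  : HTTP $($resp.StatusCode)"
} catch {
    if (-not $_.Exception.Response) {
        Write-Warning "Challenge path request failed: $($_.Exception.Message)"
    } else {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 404) { 'Challenge path  : HTTP 404 (expected before issuance)' }
        else { Write-Warning "Challenge path returned HTTP $status; check redirect and request-filtering rules for .well-known" }
    }
}
```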

Additional Resources