How to Install ACME SSL Certificates on Windows IIS using Win-ACME?

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 5.00 out of 5)
Loading...
ACME SSL Installation on Windows IIS

In the past, configuring HTTPS on a Windows IIS server required long certificate requests, manual validation, and frequent renewals.

With the arrival of the ACME protocol and integration of tools like Win-ACME (WACS), the process of obtaining an SSL certificate and management capabilities, such as renewals, has been automated. This includes compatibility with commercial ACME-compliant Certificate Authorities such as Sectigo (CAs) that support External Account Binding (EAB).

In this tutorial, you will learn what steps to take to install an ACME SSL certificate on Windows IIS, automatically bind the SSL certificate, and set up certificate renewals. This works with standard single-domain certificates, multi-domain (SAN) certificates, and enterprise environments.

Prerequisites

Access Level

You must have Administrator access to the server before starting the installation procedure. This means that the server must be accessed by you, either locally or by Remote Desktop Protocol (RDP).

In order to install any tools, configure IIS, and make changes at the system level during the ACME validation and SSL certificate installation process, Administrator-level privileges will be required. Without this access level, the automatic SSL Certificate issuance workflow will not be able to complete successfully.

Your IIS Website is Accessible Over HTTP

Your IIS website needs to be publicly accessible over HTTP (Port 80) because ACME’s HTTP-01 validation is based on it. The Certificate Authority will attempt to retrieve a specific validation file at: http://yourdomain.com/.well-known/acme-challenge/

This can verify that you have control of the domain. You can verify that you are controlling the domain by ensuring that the DNS records for the domain point to your server, and that your firewall or hosting platform is configured to allow inbound traffic on port 80.  

Also Read: What is Port 8080? Port 80 vs 8080 vs 443 Difference

ACME Credentials Given to You by Your CA

If you are using a commercial Certificate Authority, you will need to get the ACME credentials they give you. This typically includes the ACME Directory URL, an External Account Binding Key Identifier (EAB), and the EAB HMAC Key.

These credentials are what connect your server to your CA account and permit automated orders for certificates. Be sure to copy the values accurately and store them in a secure way for reference during the ACME client configuration.

Steps to Install an ACME SSL Certificate on Windows IIS

Step 1: Download and Set Up Win-ACME (WACS)

Win-ACME is a lightweight, Windows-native ACME client designed specifically for IIS.

Steps:

  • Visit the official Win-ACME site: https://www.win-acme.com/
  • Download the latest stable ZIP release.
  • Extract it to a permanent location, for example:
C:\Program Files\Win-ACME\

Test the installation by running:

C:\Program Files\Win-ACME\wacs.exe

If the command-line interface launches, you’re ready to proceed.

Step 2: Issue and Install the ACME SSL Certificate on IIS

You will now request, generate, and install an SSL certificate using Win-ACME’s command-line interface.

Below is the ideal command template:

& "C:\Program Files\Win-ACME\wacs.exe" `

--source iis `

--host "yourdomain.com,www.yourdomain.com" `

--store certificatestore `

--installation iis `

--baseuri "https://your.acme-server.com/v2/DV" `

--eab-key-identifier "YOUR_EAB_KID" `

--eab-key "YOUR_EAB_HMAC_KEY" `

--accepttos
FlagPurpose
–source iisScans IIS to automate HTTP validation.
–hostOne or multiple comma-separated domains/SANs.
–store certificatestoreSaves certificate into Windows Certificate Store.
–installation iisAutomatically binds SSL certificate to IIS.
–baseuriACME directory URL from your CA.
–eab-key-identifierEAB KID for CA authentication.
–eab-keyEAB secret HMAC key.
–accepttosAccepts CA terms of service automatically.

Step 3: Confirm HTTPS Installation in IIS

Once Win-ACME completes the process, the certificate should:

  • Be stored in the Windows Certificate Store
  • Be bound automatically to the correct IIS site on port 443

To Verify:

  • Open Server Manager
  • Go to Tools → IIS Manager
  • Navigate to your website: Sites → {Your Website} → Bindings
  • Look for the HTTPS (443) binding
  • Confirm that the newly installed certificate is applied

Once confirmed, visit your site in the browser: https://yourdomain.com

You should now see a valid, trusted SSL certificate.

Step 4: Verify Automatic Renewal

Win-ACME automatically creates a scheduled renewal task in Windows Task Scheduler.

To list all configured ACME renewals, run:

& "C:\Program Files\Win-ACME\wacs.exe" --list --baseuri "https://your.acme-server.com/v2/DV"

Conclusion

If you’re ready to secure your IIS server with a trusted, budget-friendly SSL certificate, CheapSSLWEB is the smartest place to start. With industry-leading pricing, lightning-fast issuance, and full support for ACME, EAB, and enterprise validation, we make it easy to protect your website without overspending.

Get your ACME-enabled SSL certificate today at CheapSSLWEB and secure your server with confidence.

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast having 7+ years of experience and knowledge about Encryption, Digital Certificates and Online Security, She helps online users to stay safe and protect their online presence. Explore SSL Errors, Installation Guide and Security Tutorials for Safe Browsing and Web Security Experience.