Win-ACME is one of the easiest ways to automate SSL certificate issuance and renewal on Windows servers. When used with EAB (External Account Binding) credentials, it enables secure authentication with your CA’s private ACME endpoint such as Sectigo’s ACME for DV or OV certificates.
This step-by-step guide walks you through the entire process – from installation to automation using Win-ACME (wacs.exe) on IIS.
Prerequisites
Before starting, ensure you have:
- Windows Server with IIS installed.
- Administrator access to the server.
- Latest Win-ACME client (download from https://www.win-acme.com/)
- EAB credentials:
  - EAB Key Identifier (ID)
  - EAB HMAC Key
- Custom ACME Server URL (provided by us)
Tip: Always download the default pluggable version of Win-ACME – not the trimmed version. The trimmed version lacks DNS plugins and limits advanced installation options that you may need later.
Installation
- Extract the Win-ACME ZIP file to a directory, for example – C:\win-acme
- Open Command Prompt as Administrator.
- Navigate to the extracted folder:
cd C:\win-acme
You are now ready to run Win-ACME commands directly from this directory.
Running Win-ACME with EAB Credentials
Unlike older releases, Win-ACME no longer supports launching an “advanced” mode for EAB configuration. All parameters must now be entered inline in a single command.
Below is a breakdown of useful arguments and what each does.
| Argument / Identifier | Description |
|---|---|
| wacs.exe | Runs the Win-ACME application. |
| --target manual | Allows you to use Win-ACME manually with EAB credentials. |
| --host | Defines the domain names you want to include in the certificate. You can add multiple domains by separating them with commas. All domains must be secured under the same EAB account. |
| --eab-key-identifier | Your EAB ID. |
| --eab-key | Your HMAC key. |
| --baseuri | Your ACME server directory URL. |
| --installation iis | Indicates that the installation method is IIS. |
| --installationsiteid | Defines the IIS Site ID. Works only when --installation iis is used. This argument does not accept multiple values. |
| --sslport | Optional. Used when you want to install the certificate on a custom port. If skipped, IIS automatically creates or updates the binding for port 443. |
| --validationmode | Allows you to specify the validation method, either dns-01 or http-01. If this is not included, Win-ACME defaults to file (HTTP) validation. Wildcard certificates require dns-01. |
| --validation | Defines the DNS provider if you are using the DNS-01 method (e.g., --validation cloudflare). |
| --cloudflareapitoken | Defines the API token for your DNS provider. You can find supported DNS managers and their arguments here: https://www.win-acme.com/reference/plugins/validation/dns/ |
| DNS Plugin Link | To download DNS plugins, visit: https://github.com/simple-acme/simple-acme/releases/. Extract the plugin folder into C:\win-acme to enable DNS validation. |
Certificate Types
Depending on whether you’re issuing a single/multi-domain certificate or a wildcard, your command will differ slightly.
Single or Multi-Domain Certificate (Non-Wildcard)
Use HTTP validation (file-based) if your domains are public and accessible via port 80.
wacs.exe --target manual --host example.com,www.example.com --eab-key-identifier <EAB ID> --eab-key <HMAC Key> --baseuri https://acme.sectigo.com/v2/DV --installation iis --installationsiteid <site id>
This command:
- Authenticates your EAB credentials.
- Issues a certificate for both example.com and www.example.com
- Automatically installs it in IIS.
- Creates or updates port 443 bindings automatically.
Wildcard Certificate
The recommended approach is to automate this process using DNS plugins, which let Win-ACME create and remove TXT records automatically during certificate issuance and renewal.
To use this method, download the plugin for your DNS provider from the official Win-ACME or Simple-ACME repositories, extract it into your C:\win-acme folder, and then run the following command:
wacs.exe --target manual --host example.com,*.example.com --eab-key-identifier <EAB ID> --eab-key <HMAC Key> --baseuri https://acme.sectigo.com/v2/DV --installation iis --installationsiteid <site id> --validationmode dns-01 --validation cloudflare --cloudflareapitoken <token>
This command:
- Uses DNS validation via Cloudflare’s API.
- Automates TXT record creation for ACME challenges.
- Installs the issued certificate directly in IIS.
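The PowerShell wrapper below is an added example, not code from this article or from the win-acme project. It builds the same wacs.exe command shown in the two sections above from variables, switching between HTTP validation and the Cloudflare DNS-01 path for wildcards, and it looks up the IIS site ID by name before running, so the two most common mistakes (wrong site ID, secret typed by hand on a broken line) are taken out of the procedure. It assumes win-acme is extracted to C:\win-acme, that the WebAdministration module is available (IIS installed), that the Cloudflare plugin has been extracted into the win-acme folder if the wildcard path is used, and that the EAB ID, HMAC key and Cloudflare token are supplied through the environment variables ACME_EAB_KID, ACME_EAB_HMAC and CLOUDFLARE_API_TOKEN; those variable names and the site name are placeholders chosen for this example.

```powershell
# Added example (not from the article or the win-acme project): build and run
# the wacs.exe command from variables instead of typing secrets on the command line.
# Assumptions: win-acme lives in C:\win-acme, IIS and the WebAdministration module
# are installed, and the environment variable names below are placeholders.

Import-Module WebAdministration

$WacsPath = 'C:\win-acme\wacs.exe'
$BaseUri  = 'https://acme.sectigo.com/v2/DV'
$SiteName = 'Default Web Site'          # placeholder: the IIS site to install into
$Wildcard = $false                      # $true -> dns-01 via the Cloudflare plugin

# All names in one order must belong to the same EAB account.
$HostNames = if ($Wildcard) { @('example.com', '*.example.com') }
             else           { @('example.com', 'www.example.com') }

# EAB material comes from the environment so it is not left in shell history.
$EabKid  = $env:ACME_EAB_KID
$EabHmac = $env:ACME_EAB_HMAC
if (-not $EabKid -or -not $EabHmac) {
    throw 'Set ACME_EAB_KID and ACME_EAB_HMAC before running this script.'
}

# Resolve the numeric site id from the site name rather than copying it by hand.
$site = Get-Website -Name $SiteName
if (-not $site) { throw "IIS site '$SiteName' not found; check IIS Manager." }
$SiteId = $site.Id

$wacsArgs = @(
    '--target', 'manual',
    '--host', ($HostNames -join ','),
    '--eab-key-identifier', $EabKid,
    '--eab-key', $EabHmac,
    '--baseuri', $BaseUri,
    '--installation', 'iis',
    '--installationsiteid', $SiteId
)

if ($Wildcard) {
    # Wildcards require dns-01; the plugin creates and removes the TXT records.
    $Token = $env:CLOUDFLARE_API_TOKEN
    if (-not $Token) { throw 'Set CLOUDFLARE_API_TOKEN for dns-01 validation.' }
    $wacsArgs += '--validationmode', 'dns-01',
                 '--validation', 'cloudflare',
                 '--cloudflareapitoken', $Token
}

# Splatting the array hands wacs.exe one argument per element on a single
# logical command line, so a wrapped line in the editor cannot truncate it.
& $WacsPath @wacsArgs
if ($LASTEXITCODE -ne 0) { throw "wacs.exe exited with code $LASTEXITCODE" }
```

Run the script from an elevated PowerShell prompt so that the renewal task is registered with the same rights the article describes for the manual command; to re-issue after a failed attempt, append '--nocache' to $wacsArgs.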
Automation
After a certificate is issued, Win-ACME quietly takes over the renewals.
You don’t have to log back in or rerun the command every few months; it schedules that for you.
- Automatic renewals: By default, Win-ACME sets a renewal job that runs 55 days before the certificate expires.
- Where it’s set: You’ll find the settings in C:\win-acme\settings.json if you ever need to change how often it checks.
- For DNS users: When you use DNS-01 validation with a plugin, the tool adds and removes TXT records on its own during every renewal.
- Result: Once this is in place, everything runs on its own — renewals, bindings, and DNS updates happen without you touching the server again.
Troubleshooting
If something doesn't look right (maybe the certificate didn't install, renew, or show up in IIS), it's usually one of a few simple things.
- Site ID mismatch: Double-check the number you used in --installationsiteid. It must match the one in IIS Manager.
- Domains under the same EAB: All domains listed with --host need to belong to the same EAB account. Mixed ones will fail validation.
- Force a fresh run: Add --nocache if Win-ACME keeps pulling an old certificate or cached order. That flag forces a new request.
- Command formatting: The command must be typed on a single line with one space between each argument. Don't press Enter midway; anything after the break won't run.
- Scheduler missing: If you don't see a renewal task in Windows Task Scheduler, just run the same command again as Administrator. That usually registers it properly.
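The checks in the Automation and Troubleshooting sections above can be scripted. The following PowerShell is an added example, not code from the article or the win-acme project: it confirms the IIS site exists, that an https binding is present for the host, that a renewal task is registered in Task Scheduler, and how many days remain on the installed certificate. It assumes the WebAdministration and ScheduledTasks modules are available, that the renewal task name begins with "win-acme" (an assumption about the default naming), and that the certificate was placed in the machine's WebHosting or My store; the site and host names are placeholders.

```powershell
# Added example (not from the article or the win-acme project): post-issuance
# health checks for a Win-ACME managed IIS site.
# Assumptions: WebAdministration and ScheduledTasks modules present; renewal
# task name starts with "win-acme"; certificate in LocalMachine\WebHosting or My.

Import-Module WebAdministration

$SiteName = 'Default Web Site'   # placeholder
$Hostname = 'www.example.com'    # placeholder
$WarnDays = 30

# True when the site exists and its id matches the value used with --installationsiteid.
function Test-IisSiteId {
    param([string]$Name, [int]$ExpectedId)
    $site = Get-Website -Name $Name
    return ($null -ne $site -and $site.Id -eq $ExpectedId)
}

# Returns the https binding(s) for the host header on the given port (default 443).
function Get-HttpsBinding {
    param([string]$Name, [string]$HostHeader, [int]$Port = 443)
    Get-WebBinding -Name $Name -Protocol 'https' |
        Where-Object { $_.bindingInformation -like "*:$($Port):$HostHeader" }
}

# Returns the scheduled renewal task, or nothing if it was never registered.
function Get-RenewalTask {
    Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue
}

# Days until the newest certificate carrying the host name expires; $null if none found.
function Get-CertificateDaysLeft {
    param([string]$HostHeader)
    $stores = 'Cert:\LocalMachine\WebHosting', 'Cert:\LocalMachine\My'
    $cert = $stores |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ } |
        Where-Object { $_.DnsNameList.Unicode -contains $HostHeader } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { return $null }
    return [int]($cert.NotAfter - (Get-Date)).TotalDays
}

$report = [ordered]@{
    SiteExists   = [bool](Get-Website -Name $SiteName)
    HttpsBinding = [bool](Get-HttpsBinding -Name $SiteName -HostHeader $Hostname)
    RenewalTask  = [bool](Get-RenewalTask)
    CertDaysLeft = Get-CertificateDaysLeft -HostHeader $Hostname
}
$report

if (-not $report.RenewalTask) {
    Write-Warning 'No win-acme renewal task found; rerun the wacs.exe command as Administrator.'
}
if ($null -ne $report.CertDaysLeft -and $report.CertDaysLeft -lt $WarnDays) {
    Write-Warning "Certificate for $Hostname expires in $($report.CertDaysLeft) days; check the renewal task history."
}
```

A missing https binding with a valid certificate in the store usually points at a wrong --installationsiteid, which Test-IisSiteId makes quick to confirm against the number in IIS Manager.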
Conclusion
SSL management on IIS used to mean manual CSRs, imports, and reminders for renewals. With Win-ACME and EAB, you can now achieve a level of automation that rivals Linux-based setups. Whether you are issuing a simple single-domain certificate or managing wildcard SSLs across multiple subdomains, Win-ACME ensures your certificates stay up to date. IIS also remains configured, and downtime from expired certs becomes a thing of the past. The best part is that once you’ve set it up, there’s very little maintenance required. You won’t need to log in every 90 days to fix TXT records or swap certificates – it just works in the background. For teams that already juggle a long list of IT responsibilities, that’s a real time-saver.