
How to create digital certificates using Win-Acme

Digital certificates are the key to providing SSL on your website. However, they can be reasonably expensive, and installing them on Windows Internet Information Server (IIS) can be even more challenging, especially when the type of certificate you need is particularly expensive. This article describes how to create a fully trusted tier 1 certificate for free.

1) Install Win-Acme

You can download the latest version of win-acme from https://win-acme.com

Once downloaded, extract the zip file to C:\Program Files\win-acme


2) Launch Win-Acme

Open C:\Program Files\win-acme\wacs.exe

This will open the Win-Acme command line application window.

3) Create A Digital Certificate

The following steps will create a digital server certificate for use on either a single domain, multiple domains or a wildcard certificate for sub-domains.

Launch Win-Acme and select each of the following values:

Create certificate with full options
Choose option:
M, Create certificate (full options)

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manager renewals (2 total)
O: More options...
Q: Quit

Please choose from the menu: M

Create certificate manually
Choose option
2: Manual input

Running in mode: Interactive, Advanced
Target plugin IIS not available: Run as administrator to allow access to IIS.

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read site bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Enter the domain names you want to secure.

Example 1: a single domain name

Enter comma-separated list of host names, starting with the common name: mydomain.com

Example 2: multiple domain names

Enter comma-separated list of host names, starting with the common name: mydomain.com, anotherdomain.com

Example 3: a wildcard certificate

Enter comma-separated list of host names, starting with the common name: mydomain.com, *.mydomain.com

The response will be:

Target generated using plugin Manual: mydomain.com
Suggested friendly name '[Manual] mydomain.com', press <ENTER> to accept or type an alternative:

Enter a name for your digital certificate (including the expiry date in the name can be helpful), for example ‘*.my-cert-name’.
Note that the certificate name MUST start with *.

Suggested friendly name '[Manual] mydomain.com', press <ENTER> to accept or type an alternative: *.my-cert-name

Prove ownership of your domain(s) manually:
Choose option 6: [dns-01] Create verification records manually (auto-renew not possible)

Validation plugin SelfHosting not available: Run as administrator to allow use of the built-in web listener.

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup *and* for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records manually (auto-renew not possible)
7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns-01] Create verification records with your own script
9: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 6

Choose the kind of private key
Choose option 2: RSA key

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

1: Elliptic Curve key
2: RSA key
C: Abort

What kind of private key should be used for the certificate?: 2

Choose how you want to store the certificate
Choose option 3: PFX archive

Store plugin CertificateStore not available: Run as administrator to allow certificate store access.

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps

How would you like to store the certificate?: 3

Set path where you want to save the certificate
Enter [drive:folder] e.g C:\tempssl

Path to folder to store the .pfx file: c:\tempssl

Set the password for the .pfx files

Password to use for the .pfx files or <ENTER> for none: **********

Ignore the option to store the file in an alternative way
Choose 5: No (additional) store steps

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps

Would you like to store it in another way too?: 5

Ignore the option to run any additional installation steps
Choose 4: No (additional) installation steps

Installation plugin IIS not available: Run as administrator to allow access to IIS.

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Which installation step should run first?: 4

5) Complete the authorization process

Log in to your hosting account and create a TXT record in your DNS settings for each domain you need to authorize.

  • Each TXT record should be named: _acme-challenge.mydomain.com
  • The value should be entered without quotes.
  • The TTL (time to live) should be set as low as possible, ideally 1 second.
  • Once you have created the TXT record, press Enter in the win-acme window.
  • Wait for the authorization to complete.
  • You will then be asked to delete the TXT record you have just created.
  • Delete the _acme-challenge TXT record, wait a moment, and then press Enter in the win-acme window.
  • Repeat these steps for each domain you set your certificate to authorize.

Authorize identifier mydomain.com
Authorizing mydomain.com using dns-01 validation (Manual)
Detected that _acme-challenge.mydomain.com is a CNAME that leads to mydomain.com.letsencrypt.vdeck.eigdyn.com

Domain: mydomain.com
Record: mydomain.com.letsencrypt.vdeck.eigdyn.com
Type: TXT
Content: "IkpKH3PgwEZiJZnv7o9FPmvwbRrCRkzkaDFZ4NEK7PY"
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press <Enter> after you've created and verified the record

Update the dns server records by adding the _acme-challenge.mydomain.com TXT record.

Authorize identifier mydomain.com
Authorizing mydomain.com using dns-01 validation (Manual)
Domain:              mydomain.com
Record:              _acme-challenge.mydomain.com
Type:                TXT
Content:             "_-at6ym-z0vWMANBxzZuHRJdycOaLJVy_M34xhW90HU"
Note:                Some DNS managers add quotes automatically. A single set is needed.
Please press <Enter> after you've created and verified the record

Update the dns server records by deleting the _acme-challenge.mydomain.com TXT record.

Preliminary validation succeeded
Answer should now be available at _acme-challenge.mydomain.com
Preliminary validation succeeded
Authorization result: valid
Domain:              mydomain.com
Record:              _acme-challenge.mydomain.com
Type:                TXT
Content:             "_-at6ym-z0vWMANBxzZuHRJdycOaLJVy_M34xhW90HU"
Please press <Enter> after you've deleted the record
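Before pressing Enter at the "created and verified the record" prompt, it is worth confirming that the TXT value is actually visible on public resolvers, not just in your hosting panel. The following PowerShell check is an added example and is not part of the article or of win-acme; the domain, the expected value (copy it from the win-acme Content line) and the resolver addresses are placeholders.

```powershell
# Added example: confirm the _acme-challenge TXT record has propagated before
# telling win-acme to continue. Run from any Windows machine with network access.
param(
    [string]$Domain    = 'mydomain.com',                       # placeholder
    [string]$Expected  = 'REPLACE-WITH-CONTENT-FROM-WIN-ACME',  # placeholder
    [string[]]$Resolvers = @('8.8.8.8', '1.1.1.1')              # public resolvers, not your own
)

$name = "_acme-challenge.$Domain"

foreach ($server in $Resolvers) {
    try {
        # Resolve-DnsName follows a CNAME (the vdeck case in the output above)
        # and returns the TXT records at the target; each has a Strings array.
        $answers = Resolve-DnsName -Name $name -Type TXT -Server $server -DnsOnly -ErrorAction Stop
    } catch {
        Write-Host "[$server] $name : no answer yet ($($_.Exception.Message))"
        continue
    }

    $txtRecords = $answers | Where-Object { $_.Type -eq 'TXT' }
    $values     = $txtRecords | ForEach-Object { $_.Strings -join '' }

    if ($values -contains $Expected) {
        Write-Host "[$server] $name : expected TXT value present"
    } else {
        # Print what was actually returned so a doubled set of quotes (the
        # "Some DNS managers add quotes automatically" note) is obvious.
        Write-Host "[$server] $name : expected value NOT found; saw: $($values -join ' | ')"
    }

    # The article recommends the lowest possible TTL; show it so a long
    # cached TTL on a stale value is visible before you press Enter.
    foreach ($r in $txtRecords) {
        Write-Host "[$server]   TTL=$($r.TTL)s value=$($r.Strings -join '')"
    }
}
```

Run it again after deleting the record: once every resolver reports "no answer" or an unrelated value, it is safe to press Enter at the "deleted the record" prompt.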

After completing the verification process on each domain, the following message will be displayed:

Requesting certificate *.certificate-name-31DEC2021
Store with PfxFile...
Copying certificate to the pfx folder
Installing with None...
Adding Task Scheduler entry with the following settings
- Name win-acme renew (acme-v02.api.letsencrypt.org)
- Path D:\Program Files\win-acme\win-acme.v2.1.8.838.x64.pluggable
- Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
- Start at 09:00:00
- Time limit 02:00:00

Finish the request when asked.
Enter n (no) when asked if you want to create another certificate.

Do you want to specify the user the task will run as? (y/n*) n
Adding renewal for *.my-certificate-name-31DEC2021
Next renewal scheduled at 2022/3/31 18:18:21
Certificate *.my-certificate-name-31DEC2021 created


6) Install the Digital Certificate

Install the digital certificate .pfx file into your Windows Internet Information Server.

1) Copy your certificate .pfx file to the server.
Ideally, copy it to the c:\tempssl folder for continuity.

2) Launch the IIS Manager and open the Server Certificates snap-in.

3) From the IIS Manager, Server Certificates page, click the Import button.

4) Select the digital certificate .pfx file.
This action will launch the Import Certificate dialog box.
Enter the password you used earlier when creating the certificate,
select the ‘Web Hosting’ certificate store,
check the ‘Allow this certificate to be exported’ checkbox,
and click the OK button to continue.
This action will import the digital certificate.

7) Bind Digital Certificate

The final step is to bind your digital certificate to the domain where you want to enable SSL.

Open ‘Edit Bindings’ for the site where you want to enable SSL, then add or edit a binding to open the ‘Edit Site Binding’ dialog box.

Set the type to https.
The IP address should be left as ‘All Unassigned’.
The port should be 443.
The host name should match one of the domains in your digital certificate.
Enable the option to ‘Require Server Name Indication’.

Finally, select the name of the SSL certificate you have just imported from the drop-down list.
Click the OK button to complete.
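The same import and binding can be done from an elevated PowerShell prompt on the IIS server, which is useful when repeating the procedure after a renewal. This script is an added example, not part of the article; the .pfx path, site name and host name are placeholders, and it assumes the WebAdministration module that ships with IIS.

```powershell
# Added example: import the win-acme .pfx into the Web Hosting store and bind
# it to an https binding with SNI, the PowerShell equivalent of steps 6 and 7.
# Run as Administrator on the IIS server.
Import-Module WebAdministration

$pfxPath  = 'C:\tempssl\mydomain.com.pfx'   # placeholder: file produced by win-acme
$siteName = 'Default Web Site'              # placeholder: IIS site to bind
$hostName = 'mydomain.com'                  # placeholder: must be a name in the certificate
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString   # password set in win-acme

# Import into the Web Hosting store, the same store the IIS Manager dialog offers.
# -Exportable corresponds to the "Allow this certificate to be exported" checkbox;
# drop it if you do not need the private key to leave this machine again.
$cert = Import-PfxCertificate -FilePath $pfxPath `
          -CertStoreLocation 'Cert:\LocalMachine\WebHosting' `
          -Password $pfxPass -Exportable

# Sanity check before binding: the Subject Alternative Name must cover the host
# name we are about to use, either literally or via a wildcard on its parent.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
$parent = ($hostName -split '\.', 2)[1]
$coversExact    = $san -match ('DNS Name=' + [regex]::Escape($hostName) + '\b')
$coversWildcard = $parent -and ($san -match ('DNS Name=\*\.' + [regex]::Escape($parent) + '\b'))
if (-not ($coversExact -or $coversWildcard)) {
    throw "Certificate SAN ($san) does not cover $hostName; binding would fail TLS validation"
}

# Create the https binding on 443 for this host name. SslFlags 1 means
# "Require Server Name Indication", as in the dialog above.
New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' `
               -HostHeader $hostName -SslFlags 1

# Attach the imported certificate (by thumbprint, from the WebHosting store) to it.
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $hostName
$binding.AddSslCertificate($cert.Thumbprint, 'WebHosting')

Write-Host "Bound $($cert.Subject) ($($cert.Thumbprint)) to https://$hostName on '$siteName'"
```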

This completes the task of creating a digital certificate using win-acme and installing it into your IIS Server and binding it to the website to enable SSL.