mirror of https://github.com/win-acme/win-acme.git synced 2026-04-27 03:55:56 +03:00
Basic usage
Wouter Tinus edited this page 2019-03-18 12:28:41 +01:00

Support

  • Windows 2008 R2 or higher (though Windows 2008 has been reported to work)
  • .NET Framework 4.7.2 or higher (note for Exchange admins)
  • IIS is not required, but if you do use IIS, it's best with version 8.0+. See IIS 7.5 and lower for more details.

Installation

  1. Download the latest version of win-acme-v2.x.x.x.zip from https://github.com/PKISharp/win-acme/releases
  2. Unzip files to a permanent location (so that it can run for renewals)
  3. Run wacs.exe (requires administrator privileges).
  4. Follow the instructions on the screen to configure your first renewal.

How it works

Note: basic/simple mode is for IIS users only. For other web servers and applications skip straight to Advanced use.

  1. Choose N in the main menu to create a new certificate.
  2. Choose how you want to determine the domain name(s) for which the certificate should be issued. This can for example be based on the bindings of an IIS site, or manual input.
  3. A registration with the ACME server is created, if it doesn't already exist. You will be asked to agree to the terms of service and to provide an email address that the server administrators can use to contact you.
  4. The program talks to the ACME server to validate your ownership of the domain(s) that you wish to create a certificate for. By default the ACME server does that by sending a couple of requests like http://www.example.com/.well-known/acme-challenge/[random], and we are expected to respond with another random string. We run our own listener on port 80 - side by side with IIS - to answer those challenges. Getting validation right is often the trickiest part of getting an ACME certificate. If there are problems please check out some common issues.
  5. After the proof has been provided, the program gets the new certificate and updates or creates bindings in IIS as required.
  6. The program will ask you if you want to renew automatically. When you answer yes the program adds a task to the Task Scheduler to run itself daily. It will remember all the choices that you made and apply them during each subsequent renewal job. You can also set this up at a later time.
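
The HTTP validation exchange from step 4, as an added example that is not win-acme's own code. It goes beyond the page by deriving the expected response as RFC 8555 defines it (the token plus a thumbprint of the ACME account key) and by running a listener that answers only tokens it is currently expecting. The account key, token, helper names and loopback port are constructed for illustration.

```python
import base64, hashlib, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
PREFIX = "/.well-known/acme-challenge/"

def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token, jwk):
    """RFC 8555 section 8.1: the string the validating server expects back for a token."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def make_handler(pending):
    """Build a handler that answers only tokens present in `pending` (token -> key authorization)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.path[len(PREFIX):] if self.path.startswith(PREFIX) else None
            body = pending.get(token)  # dictionary lookup only, never mapped to a file path
            if body is None:           # unknown token or any other URL: reveal nothing
                return self.send_error(404)
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.end_headers()
            self.wfile.write(body.encode())
        log_message = lambda self, *args: None  # keep the demo quiet
    return Handler

def run_exchange(token, jwk, requested_token):
    """Serve one pending challenge on a loopback port, then fetch `requested_token` like a validator."""
    server = HTTPServer(("127.0.0.1", 0), make_handler({token: key_authorization(token, jwk)}))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}{PREFIX}{requested_token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    finally:
        server.shutdown()
        server.server_close()

# Constructed sample values, not a real account key or challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token-0123"
if __name__ == "__main__":
    print(run_exchange(SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_TOKEN))
```

Because the response is bound to the account key, a listener that merely echoes the token back does not pass validation.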

Renewal

A single scheduled task is responsible for renewing all certificates created by the program. The task is created by the program itself after successfully issuing the first certificate. The task runs every day, but individual renewals are executed only every 55 days (based on the date of their last successful run) or when the program detects a change in the target (e.g. a new binding added to an IIS site). The process can be monitored from the Windows Event Viewer and you can set up email notifications.