How-To: Request EZCA Certificates with win-acme

Learn how to use win-acme, a popular ACME client for Windows, to request and manage SSL certificates from your EZCA ACME Agent for your internal applications hosted on IIS.

What is win-acme and What Does it Do?

win-acme is a great tool for automatically managing SSL Certificates for Windows IIS. It is a simple ACME client that can be configured to work with the EZCA ACME Agent, allowing you to automate the issuance and renewal of SSL certificates for your internal applications hosted on IIS.

win-acme command line interface banner showing version and options

This guide will walk you through the process of setting up win-acme to request certificates from your EZCA ACME Agent, ensuring that your IIS-hosted applications always have valid SSL certificates without manual intervention.

Prerequisites for Using win-acme with EZCA

Before you can use win-acme to request certificates from your EZCA ACME Agent, make sure you have the following prerequisites in place:

  1. You have an active EZCA subscription
  2. You have created an SSL Template Certificate Authority in EZCA (either root or subordinate)
  3. You have successfully deployed an ACME agent in EZCA.
  4. You have a Windows Server with IIS hosting your internal application that you want to secure with an SSL certificate from EZCA. (This can be a VM in Azure or on-premises)

How to Automate SSL Certificate Issuance with win-acme - Video Walkthrough

Follow along with this video walkthrough to configure win-acme and request certificates from your EZCA ACME Agent:

How to Automate SSL Certificate Issuance with win-acme - Step by Step Guide

The following steps will guide you through the process of configuring win-acme to request SSL certificates from your EZCA ACME Agent for your IIS-hosted applications:

How to Configure win-acme to Point to Your EZCA ACME Agent

  1. Download the latest version of win-acme from the win-acme website.

  2. Extract the files to your desired installation folder.

    win-acme extracted files in Windows File Explorer

  3. Open settings_default.json to update the endpoint configuration to point to your EZCA ACME Agent.

  4. In the Acme section, change the following fields to your EZCA ACME Agent information:

    • DefaultBaseUri: Set this to the URL of your EZCA ACME Agent (e.g., https://acmeagentboston).
    • DefaultBaseUriTest: Set this to the same URL as DefaultBaseUri (e.g., https://acmeagentboston).
    • DefaultBaseUriImport: Set this to the same URL as DefaultBaseUri (e.g., https://acmeagentboston).
    win-acme settings_default.json file with Acme section highlighted showing DefaultBaseUri, DefaultBaseUriTest, and DefaultBaseUriImport fields

  5. Save your changes to settings_default.json.

  6. We are now ready to use win-acme to request certificates from your EZCA ACME Agent!

How to Request Certificates with win-acme

  1. Navigate to the folder where win-acme was installed.

  2. Open the wacs.exe program.

    win-acme executable file in Windows File Explorer

  3. Enter M for manual issuance with full options.

  4. Select 1 to read the binding from IIS. This will look at your IIS site bindings and will request a certificate containing the domains in your binding.

  5. Select the website you want to create the certificate for.

    win-acme site selection screen showing list of IIS sites with their bindings

  6. Select which bindings you want to issue the certificate for.

  7. Enter a Friendly name for the certificate.

  8. Enter 2 for win-acme to serve the correct challenge on the site.

    win-acme challenge response method selection screen with option 2 for serving the challenge on the site highlighted

  9. Select the Key type you would like to use.

  10. Select where to store the certificate. (We recommend the Windows Certificate Store)

    win-acme certificate store selection screen with option for Windows Certificate Store highlighted

  11. Select Update bindings to automatically change your binding to use the new certificate when the certificate is renewed.

  12. Select the same site for installation.

  13. Enter n for Add another installation step.

    win-acme additional installation steps screen with option n for no additional steps highlighted

  14. Read the terms and conditions and accept them to continue with the certificate request.

  15. Enter the email(s) of the owners of this certificate/website.

  16. Your certificate will now be issued, and a task to automatically update your certificate will be added to Task Scheduler.

    win-acme success screen showing certificate request was successful

  17. Done! Your certificate will now be automatically renewed by win-acme before it expires, ensuring your IIS site always has a valid SSL certificate from your EZCA ACME Agent. You can manage your scheduled tasks in Task Scheduler under the win-acme folder to see when your certificates will be renewed.