How to Setup ACME Clients for Internal PKI

Introduction - How To Automate Certificate Management with ACME for Internal PKI

ACME (Automatic Certificate Management Environment) is a communication protocol for automating certificate lifecycle between certificate authorities and servers. This automation dramatically reduces the cost of certificate lifecycle and prevents costly outages. How ACME works How ACME works

Since ACME depends on the validation of domain ownership, an agent has to be deployed in your local network. In this section we will guide you on how to point the most common ACME agents to your EZCA Agent.

Automate SSL Certificate Issuance with Win-ACME

Win ACME is the best way to automatically manage SSL Certificates for Windows IIS.

Installation and Setup Win-ACME for Internal CA

  1. Download the latest version from the win-acme website.
  2. Extract the files to your desired folder. Win ACME Files Win ACME Files
  3. Now we have to change the endpoint from let’s encrypt to your organizations ACME Agent. To do this, we first have to open the settings_default.json file.
  4. In the ACME section, change the let’s encrypt URLs for your organizations agent URL. Win ACME setting change Win ACME setting change
  5. Save the file changes.
  6. Now we are ready to start requesting certificates.

Requesting Certificates with Win-ACME

  1. Navigate to the folder where win-acme was installed. Win ACME Files Win ACME Files
  2. Open the wacs.exe program. Win ACME application Win ACME application
  3. Enter “M” for manual issuance.
  4. Select 1 for reading the binding from IIS. (This will look at your IIS site bindings and will request a certificate containing the domains in your binding).
  5. Select the site you want to create the certificate for. Win ACME application Win ACME application
  6. Select which bindings you want to issue the certificate for.
  7. Enter a friendly name for the certificate.
  8. Enter ‘2’ for win-acme to serve the correct challenge on the site. Win ACME application Win ACME application
  9. Select the key type you would like to use.
  10. Select where to store the certificate. (We recommend the Windows Certificate Store) Win ACME application Win ACME application
  11. Select Update bindings. (This will automatically change your binding to use the new certificate when the certificate is renewed.)
  12. Select the same site for installation.
  13. Select no additional steps Win ACME application Win ACME application
  14. Read the terms and conditions.
  15. If you agree with the terms and conditions select that you agree with the terms and conditions.
  16. Enter the emails of the owners of this certificate/Site.
    Note

    This emails must be part of your active directory. If they cannot be verified with Active Directory the request will fail.

  17. After this, the request process will automatically start and a task to automatically update your certificate will be added to task scheduler. Win ACME application Win ACME application
  18. Your IIS certificate management is now automated!