ACME Client on Windows


Introduction

The ACME protocol is a network protocol that automates domain validation and the issuance and renewal of X.509 certificates. The exchange takes place between an ACME server and an ACME client.

WinCertes is an ACMEv2 client for Windows. Built on the Certes library, it manages the automatic issuance and renewal of SSL certificates for IIS, as well as for other web servers that run on Windows Server.

Overview

WinCertes is a simple and efficient CLI-based client that runs on any 64-bit Windows Server newer than Windows Server 2008 R2 SP1 with .NET Framework 4.6.1 or later.

The client fully supports ACMEv2, including its latest feature, wildcard certificates (*.example.com).

WinCertes eases certificate installation and renewal by automatically binding them to the appropriate web site on IIS and by creating a Scheduled Task that will check the expiration date of the certificates and trigger a renewal if necessary.

WinCertes can launch a PowerShell script once a certificate has been retrieved successfully. This enables advanced deployments, for instance on Exchange or across several servers.

The client supports two modes for validating that the certificate requester controls the domain:

  1. HTTP challenge validation
    • Either through the IIS web server already running on the host, or through an embedded standalone web server for easier configuration.
  2. DNS challenge validation
    • Support for Windows DNS Server
    • Support for acme-dns
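To make the two validation modes concrete, here is an added example (not code from WinCertes or the Certes library) that walks through the ACME challenge mechanics both modes rely on: the client derives a key authorization from the challenge token and the thumbprint of its account key, publishes it either as an HTTP resource under /.well-known/acme-challenge/ (HTTP challenge) or as a TXT record at _acme-challenge.<domain> (DNS challenge), and the CA fetches it and compares. The sample JWK coordinates are constructed placeholders, not a real key, and the `fetch` callback stands in for the CA's HTTP request; the responder dispatch function shows the minimal behaviour of a standalone challenge web server, which answers only the challenge path.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members
    (lexicographically ordered keys, no whitespace), base64url-encoded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Key authorization = token '.' thumbprint(account key); proves the party
    answering the challenge holds the ACME account key that requested it."""
    return f"{token}.{jwk_thumbprint(jwk)}"


CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def http01_respond(path: str, challenges: dict) -> tuple:
    """Dispatch logic of an embedded standalone challenge responder: serve the key
    authorization for tokens we were asked to answer, 404 for everything else."""
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        if token in challenges:
            return 200, challenges[token]
    return 404, ""


def validate_http01(domain: str, token: str, jwk: dict, fetch) -> bool:
    """What the CA does for the HTTP challenge: GET the challenge path on port 80
    of the domain and compare the body with the expected key authorization."""
    status, body = fetch(domain, CHALLENGE_PREFIX + token)
    return status == 200 and body.strip() == key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Record the DNS challenge needs: TXT at _acme-challenge.<domain> holding the
    base64url SHA-256 of the key authorization (only a digest goes into DNS)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample values: the coordinates are placeholders, not a real P-256
# point, and the token is the illustrative value from RFC 8555.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-placeholder",
    "y": "constructed-y-coordinate-placeholder",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo(domain: str = "test1.example.com") -> tuple:
    """Run one HTTP validation round against the responder and derive the DNS
    record for the same challenge. Returns (http_ok, txt_name, txt_value)."""
    challenges = {SAMPLE_TOKEN: key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)}

    def fetch(_domain, path):  # stands in for the CA's HTTP GET to the host
        return http01_respond(path, challenges)

    http_ok = validate_http01(domain, SAMPLE_TOKEN, SAMPLE_JWK, fetch)
    txt_name, txt_value = dns01_record(domain, SAMPLE_TOKEN, SAMPLE_JWK)
    return http_ok, txt_name, txt_value


if __name__ == "__main__":
    ok, name, value = demo()
    print("HTTP challenge validated:", ok)
    print("DNS challenge record:", name, "TXT", value)
```

The DNS variant is what makes wildcard certificates possible: the CA never connects to the host, it only reads the TXT record, which is also why it needs API access to the DNS server (Windows DNS Server or acme-dns in WinCertes' case) to publish and later remove that record.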

For more information on the ACME protocol and the different validation modes, please refer to the following article: ACME Protocol.

WinCertes is released under the GNU General Public License v3 (GPLv3).

Certificate Request

To request a certificate using WinCertes, the Windows command line (cmd.exe) must be run as Administrator.

WinCertes then needs only a few parameters to request a certificate:

Parameter    Description
-d [VALUE]   The domain(s) to enroll.
-w           Toggles use of the local web server and sets its ROOT directory (default c:\inetpub\wwwroot). Activates HTTP validation mode.
-b [VALUE]   The name of the IIS web site to bind the certificate to.
-p           Makes WinCertes create a Scheduled Task to handle certificate renewal.

For instance:

WinCertes.exe -d test1.example.com -d test2.example.com -w -b "Default Web Site" -p

Many more options are available to tailor requests to specific needs.

For more information, visit the official web page of WinCertes.

Use case

By default, WinCertes requests certificates from the Let's Encrypt CA, but there are several use cases where one would prefer to request a certificate from another CA.

The following example is a more customized request, made to an internal CA through a third-party ACME proxy.

For more information on the ACME proxy used in this example, visit the EverTrust TAP page.