bg-tutorials

How to Install an ACME SSL Certificate on Remote Desktop Protocol

Installing SSL on RDP used to be a manual process, but with ACME protocol support and tools like Win-ACME, it’s now possible to automate certificate issuance and renewal — even for commercial CAs like Sectigo and DigiCert that support ACME + External Account Binding (EAB).

Install ACME SSL on RDP

In this step-by-step guide, you’ll learn how to install an ACME SSL certificate on Remote Desktop Protocol (RDP) running on Windows Server. This setup works great for environments that require a public SSL certificate on RDP without relying on internal PKI or manual renewals.

Note: This guide shows how to install an ACME certificate on the Remote Desktop Protocol to secure your server. While many people refer to the client app as Remote Desktop Connection, it’s RDP — the protocol that actually needs the SSL certificate. For larger environments using Remote Desktop Services (RDS), the steps are the same.


Before You Begin

Here’s what you need to get started:

  • Administrator access to the Windows Server (via RDP or physical login)
  • The domain you’ll secure must point to this server (DNS must resolve correctly)
  • Port 80 must be open and reachable from the internet (for HTTP-01 ACME validation)
  • You must have the following ACME credentials from your CA:
    • ACME Directory URL
    • External Account Binding (EAB) Key ID
    • EAB HMAC Key

This guide assumes you’re using a commercial CA that supports ACME + EAB (like Sectigo or DigiCert). Let’s begin.


Step 1: Download and Set Up Win-ACME

First, let’s install the tool that automates your certificate issuance and installation.

  1. Go to the official Win-ACME site: https://www.win-acme.com/
  2. Download the latest stable .zip release.
  3. Extract it to a permanent folder, e.g., C:\Program Files\win-acme\
  4. Open a PowerShell window as Administrator and run this command to test the install:
    & "C:\Program Files\win-acme\wacs.exe"
  5. If the Win-ACME console opens with menu options, you’re good to go. If it doesn’t, check that the folder path is correct and that PowerShell has script permissions enabled.

Step 2: Request and Install the SSL Certificate for RDP

Now, let’s generate your SSL certificate using ACME and bind it automatically to your RDP service. Paste and customize this command in PowerShell:

& "C:\Program Files\win-acme\wacs.exe" `
--target manual `
--host "rdp.yourdomain.com" `
--validation selfhosting `
--store certificatestore `
--installation rdp `
--baseuri "https://your.acme-server.com/directory" `
--eab-key-identifier "YOUR_EAB_KID" `
--eab-key "YOUR_EAB_HMAC_KEY" `
--accepttos

What this does:

  • Tells Win-ACME to request a cert for rdp.yourdomain.com
  • Performs domain validation using the built-in temporary web server
  • Stores the certificate in the Windows certificate store
  • Binds the certificate to RDP automatically

Important: Make sure port 80 is not blocked by a firewall or already used by another service, like IIS.


Step 3: Test RDP Connection Over HTTPS

Once Win-ACME completes the process, your certificate is installed and bound to RDP. It’s time to test it.

  1. Open Remote Desktop Connection (mstsc.exe).
  2. Enter your hostname (e.g., rdp.yourdomain.com)
  3. Connect and verify the certificate — it should no longer throw a warning about an untrusted or expired cert.

Step 4: Automatic Renewal Setup

By default, Win-ACME creates a scheduled task in Windows Task Scheduler to renew the certificate before it expires.

To list all renewal configs, run:

& "C:\Program Files\win-acme\wacs.exe" --list --baseuri "https://your.acme-server.com/directory"

Make sure this matches the correct baseuri and domain. If it doesn’t show anything, you might be using the wrong directory URL.


Common Questions

Here are some of the most frequent things users ask when setting up an ACME certificate for Remote Desktop. From troubleshooting to clarification on plugins and automation, we’ve got you covered:

Do I need to open port 443?

No, only port 80 (HTTP) is needed during domain validation via HTTP-01 challenge. RDP uses port 3389 after the cert is applied.

Will this work on Windows Server Core?

Yes, as long as PowerShell and Win-ACME are available. The rdp plugin doesn’t require a GUI.

Do I need IIS for this to work?

Nope. Win-ACME can run standalone and uses its own built-in web server for validation.

What if the Win-ACME console doesn’t open?

Ensure PowerShell is run as Admin and check that you’re pointing to the correct wacs.exe location. Re-extract the ZIP if it was blocked or corrupted during download


Final Words

You’ve just learned how to install an ACME SSL certificate on Remote Desktop Protocol using Win-ACME. With secure HTTPS setup, automatic renewal, and full support for commercial Certificate Authorities, your Remote Desktop environment is now protected with minimal manual effort.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.