Setting up HTTPS for your IIS-hosted website is no longer a complex task. Thanks to the ACME protocol and tools like Win-ACME, you can now automate the issuance and renewal of trusted SSL certificates, even from commercial Certificate Authorities (CAs).

In this guide, you’ll learn how to install an ACME SSL certificate on Windows IIS using Win-ACME (WACS), with full support for External Account Binding (EAB), custom ACME directories, and multi-domain setups. This process works for business environments and commercial ACME-compatible CAs.
Before You Begin
You must have Administrator access to the Windows Server (via RDP or local login).
Your IIS website should already be running with at least an HTTP (port 80) binding configured for the domain. Win-ACME uses this for HTTP-01 domain validation.
You should have received the following from your CA:
- An ACME directory URL
- An EAB Key Identifier (EAB KID)
- An EAB HMAC Key
Step 1 – Download and Set Up Win-ACME
- Go to the official Win-ACME releases page: https://www.win-acme.com/
- Download the latest stable version of the ZIP archive.
- Extract the contents to a safe location, ideally: C:\Program Files\Win-ACME\
- Test that it works by running: C:\Program Files\Win-ACME\wacs.exe
If the command prompt opens with Win-ACME options, you’re good to go.
Step 2 – Request and Install the Certificate via ACME
You’ll use PowerShell to issue and install the SSL certificate using Win-ACME’s command-line interface.
Here’s the full command template:
& "C:\Program Files\Win-ACME\wacs.exe" `
--source iis `
--host "yourdomain.com,www.yourdomain.com" `
--store certificatestore `
--installation iis `
--baseuri "https://your.acme-server.com/v2/DV" `
--eab-key-identifier "YOUR_EAB_KID" `
--eab-key "YOUR_EAB_HMAC_KEY" `
--accepttos
Breakdown of flags:
- –source iis: Scans IIS for available sites to automate validation.
- –host: Comma-separated list of domains (use quotes if multiple).
- –store certificatestore: Saves the certificate in the Windows certificate store.
- –installation iis: Binds the certificate automatically to your site in IIS.
- –baseuri: Your CA’s ACME directory URL.
- –eab-key-identifier: Your EAB KID from the CA.
- –eab-key: Your EAB HMAC Key from the CA.
- –accepttos: Automatically accept the CA’s terms of service.
Tip: Add –verbose at the end if something goes wrong. It will give you detailed logs for troubleshooting.
Step 3 – Confirm the Certificate Installation
After the command runs successfully, visit your site in a browser. You should see a secure connection with a valid certificate. To confirm the HTTPS binding exists in IIS:
- Open Server Manager
- Go to Tools → IIS Manager
- Navigate to: [Your Server Name] → Sites → [Your Site] → Bindings
You should see an entry for port 443 with the correct certificate assigned.
Step 4 – Verify Renewal Configuration
Win-ACME automatically schedules a task in Windows Task Scheduler for certificate renewal.
To view your current scheduled ACME renewals, run:
& "C:\Program Files\Win-ACME\wacs.exe" --list --baseuri "https://your.acme-server.com/v2/DV"
You’ll see a list of configured renewals, tied to the specified ACME directory.
Win-ACME tracks certs per ACME server. If you forget the –baseuri, it may appear as if no certificate is configured.
Notes for Commercial CA Users
This guide supports any CA that offers ACME + EAB credentials. Ensure that:
- Your ACME URL is reachable from your server
- Your EAB credentials are entered exactly as provided (no extra whitespace)
- Your domain points to your server before issuance (DNS must resolve)
Final Words
You now know how to install an ACME SSL certificate on Windows IIS using Win-ACME and a commercial certificate authority. From domain validation to IIS binding and automated renewal, your certificate is set up to work reliably, without manual renewal headaches.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

