Install an ACME SSL Certificate on Windows IIS using SeFlowSSL CaaS (Sectigo ACME)

Install an ACME SSL Certificate on Windows IIS using SeFlowSSL CaaS (Sectigo ACME)

This guide explains how to install and configure an SSL/TLS certificate on Microsoft Internet Information Services (IIS) using SeFlowSSL CaaS (Sectigo ACME) and the win-acme client.

Win-acme is one of the most popular ACME clients for Windows and allows automated SSL certificate issuance, installation, and renewal directly within IIS.

Prerequisites

• Administrative access to the Windows server.
• Microsoft IIS installed and configured.
• Domain correctly pointing to the server.
• ACME credentials provided by SeFlowSSL CaaS.
• Hostname already configured in the IIS site bindings.

Step 1. Download win-acme

Download the latest win-acme release from the official website:

https://www.win-acme.com/

Extract the ZIP archive to a local folder, for example:

C:\Program Files\win-acme\

Run wacs.exe with administrator privileges.

Step 2. Install the SSL Certificate

Open PowerShell as Administrator and run the following command, replacing the example values with the credentials provided by SeFlowSSL CaaS.

wacs.exe --target iis ^
--host yourdomain.com,www.yourdomain.com ^
--installation iis ^
--validation selfhosting ^
--store certificatestore ^
--accepttos ^
--baseuri https://YOUR_ACME_SERVER/directory ^
--eab-key-identifier YOUR_EAB_KID ^
--eab-key YOUR_EAB_HMAC_KEY

Parameters to customize

• YOUR_ACME_SERVER is the ACME endpoint provided by SeFlowSSL CaaS.
• YOUR_EAB_KID is the External Account Binding identifier.
• YOUR_EAB_HMAC_KEY is the EAB authentication key.
• yourdomain.com is the primary domain.
• www.yourdomain.com represents additional domains or aliases.

Step 3. Verify the Installation

After the installation completes, open Internet Information Services (IIS) Manager.

1. Select the target website.
2. Open Bindings.
3. Verify that an HTTPS binding exists on port 443.
4. Confirm that the newly installed certificate is assigned to the website.

Verify Automatic Renewal

Win-acme automatically creates a Windows Scheduled Task to handle certificate renewals.

To verify the renewal configuration:

wacs.exe --list

To manually test certificate renewal:

wacs.exe --renew --baseuri https://YOUR_ACME_SERVER/directory

Final Verification

Once installation is complete, access the website using HTTPS and verify that the certificate has been successfully issued through SeFlowSSL CaaS (Sectigo ACME).