Exchange Server: Automating SSL/TLS Certificates with simple-acme

How to automate SSL/TLS certificate renewal on Exchange Server using the simple-acme ACME client. Covers Exchange 2013, 2016, and 2019.

This guide demonstrates how to configure automated SSL/TLS certificate renewal on Exchange Server using simple-acme. This setup ensures you never have to worry about manual certificate renewal, installation, or service binding again.

Why use ACME for Exchange?

  • Automated renewal – certificates are renewed and provisioned without manual intervention.
  • No CSR generation – the ACME protocol handles key pair generation and certificate issuance automatically.
  • No downtime – the certificate is automatically bound to IIS, SMTP, IMAP, and POP services.
  • Eliminate human error – removes the risk of expired certificates disrupting mail flow.

Prerequisites

  • Exchange Server 2013, 2016, or 2019.
  • Windows Server with administrator privileges.
  • DNS hostnames (e.g. mail.fairssl.dk, autodiscover.fairssl.dk) pointing to the server.
  • An ACME account with a Certificate Authority (such as Let's Encrypt or FairSSL).

Step 1 – Download and install simple-acme

Download simple-acme from simple-acme.com and extract it to C:\simple-acme or %ProgramFiles%\simple-acme.

Step 2 – Choose a Domain Validation Method

The ACME protocol requires proof of domain ownership before a certificate can be issued. There are two primary methods:

HTTP-01 Validation

The CA verifies the domain by requesting a specific file from your web server over HTTP port 80.

  • Requirements: Port 80 must be open and accessible from the internet.
  • Pros: Straightforward setup – simple-acme handles this automatically via IIS.
  • Cons: Does not support wildcard certificates or servers behind restricted firewalls/load balancers.

Use the --validation selfhosting parameter in your simple-acme command.

DNS-01 Validation

The CA verifies the domain by checking a TXT record in your DNS configuration.

  • Requirements: API access to your DNS provider (e.g. Cloudflare, Azure DNS, Route53).
  • Pros: Works behind firewalls, with load balancers, and supports wildcard certificates.
  • Cons: Requires DNS API integration.

Use the --validation dns-01 parameter alongside the relevant DNS plugin.

FairSSL Customers: Domain validation is handled automatically with FairSSL Auto-DNS. You do not need to configure HTTP-01 or DNS-01 – simply use --validation none in the simple-acme command. Auto-DNS creates the required DNS records automatically via a one-time CNAME delegation.

Step 3 – Provision the certificate with simple-acme

Open the Exchange Management Shell as an administrator and navigate to your simple-acme directory.

Run one of the following commands (adjusting the hostnames and the validation method to match your environment):

Using Let's Encrypt (Free DV Certificate)

wacs.exe --source manual --host "mail.eksempel.dk,autodiscover.eksempel.dk" --csr rsa --validation selfhosting --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --script "./Scripts/ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP,POP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --friendlyname "mail.eksempel.dk" --accepttos

Replace --validation selfhosting with --validation dns-01 --dnsPlugin cloudflare (or your specific DNS provider) if using DNS validation.

Using FairSSL ACME (OV/DV Certificate)

wacs.exe --baseuri "https://fairssl.dk/acme" --eab-key-identifier DIN_EAB_KID --eab-key DIN_EAB_HMAC --source manual --host "mail.eksempel.dk,autodiscover.eksempel.dk" --csr rsa --validation none --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --script "./Scripts/ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP,POP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'" --friendlyname "mail.eksempel.dk" --accepttos

Your EAB KID and HMAC key are available in your FairSSL control panel after ordering an ACME certificate.

Parameter Overview

  • --baseuri – The ACME server URL (omit for Let's Encrypt).
  • --eab-key-identifier / --eab-key – External Account Binding; required for FairSSL, not for Let's Encrypt.
  • --source manual – Hostnames are provided manually on the command line.
  • --host – A comma-separated list of domains.
  • --validation – selfhosting (HTTP-01), dns-01 (DNS), or none (FairSSL Auto-DNS).
  • --installation iis,script – Installs the certificate in IIS and executes the Exchange script.
  • --script – The PowerShell script that enables the certificate for Exchange services.
  • --scriptparameters – The services to enable: IIS, SMTP, IMAP, POP.
  • --friendlyname – An optional name for the certificate in the Windows Certificate Store.

Step 4 – Verify Exchange Services

Run the following in the Exchange Management Shell to verify the certificate is active:

Get-ExchangeCertificate

The new certificate should show IPWS under the Services column; the letters stand for IMAP, POP, IIS (Web) and SMTP, indicating that the certificate is bound to all four services.

Get-WebBinding

Confirm that the Default Web Site is using the new certificate.

Step 5 – Verify IIS Bindings

Open IIS Manager and check the following:

  • The Default Web Site must be using the new ACME certificate.
  • The Exchange Back End site must continue to use the internal Exchange certificate (typically named "Microsoft Exchange").

Warnings

Internal Exchange Certificate: Exchange requires a valid internal certificate for the "Exchange Back End" website. This certificate is usually named "Microsoft Exchange" and is created during the Exchange installation. Ensure you keep this updated separately – the ACME certificate does not replace it.

Wildcard Certificates: While Exchange can use a wildcard certificate for OWA and EWS, it cannot be used for SMTP, IMAP, or POP unless the specific FQDN is also included in the certificate's SAN list. If using a wildcard, include the explicit hostnames as well (e.g. --host "*.example.com,mail.example.com,autodiscover.example.com").
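The checks from Steps 4 and 5 and the two warnings above can be run as one script after each renewal. This is an added example, not part of the guide and not code shipped with simple-acme; the hostnames, the "Microsoft Exchange" friendly name and the 14-day threshold are assumptions you should adjust:

```powershell
# Added post-renewal check (not from the guide or simple-acme). Run it in the
# Exchange Management Shell; the hostnames below are placeholders for your own.
Import-Module WebAdministration   # provides Get-WebBinding

function Test-ExchangeAcmeCertificate {
    param(
        [string[]]$RequiredHosts    = @('mail.example.com', 'autodiscover.example.com'),
        [string[]]$RequiredServices = @('IIS', 'SMTP', 'IMAP', 'POP'),
        [int]$MinDaysLeft = 14
    )
    $problems = @()

    # Newest certificate on this server whose SAN list contains the primary hostname.
    $cert = Get-ExchangeCertificate |
        Where-Object { @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $RequiredHosts[0] } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate found for $($RequiredHosts[0])"; return $false }
    $sans = @($cert.CertificateDomains | ForEach-Object { "$_" })

    # SMTP/IMAP/POP need the explicit FQDN; a *.example.com entry does not cover it.
    foreach ($h in $RequiredHosts) {
        if ($sans -notcontains $h) { $problems += "SAN list is missing $h" }
    }

    # Services is a flags value that renders as e.g. 'IMAP, POP, IIS, SMTP'.
    $enabled = $cert.Services.ToString()
    foreach ($svc in $RequiredServices) {
        if ($enabled -notmatch "\b$svc\b") { $problems += "$svc is not bound to $($cert.Thumbprint)" }
    }

    # A certificate close to expiry means the scheduled renewal is not working.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysLeft) { $problems += "Certificate expires in $daysLeft days" }

    # Default Web Site must use the ACME certificate; Exchange Back End keeps the internal one.
    $front = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
    if ($front.certificateHash -ne $cert.Thumbprint) {
        $problems += "Default Web Site HTTPS binding does not use $($cert.Thumbprint)"
    }
    $back = Get-WebBinding -Name 'Exchange Back End' -Protocol https | Select-Object -First 1
    $backCert = if ($back) { Get-ExchangeCertificate -Thumbprint $back.certificateHash -ErrorAction SilentlyContinue }
    if (-not $backCert -or $backCert.FriendlyName -ne 'Microsoft Exchange') {
        $problems += "Exchange Back End is not using the internal 'Microsoft Exchange' certificate"
    }

    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

Test-ExchangeAcmeCertificate
```

Save it as a .ps1 file and schedule it to run shortly after the simple-acme renewal task so a failed renewal or a broken binding is reported before the certificate expires.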

Troubleshooting

  • Certificate installed but services not working: Ensure the ImportExchange.v2.ps1 script executed correctly. Run Get-ExchangeCertificate to check service activation.
  • HTTP-01 validation fails: Port 80 is likely blocked by a firewall. Switch to DNS-01 or use FairSSL Auto-DNS instead.
  • Renewal fails silently: Check the log files in the simple-acme directory. Run wacs.exe --renew --force manually to test the renewal process.

FairSSL ACME Certificates for Exchange

FairSSL provides ACME automation for commercial certificates from DigiCert, GlobalSign, and Sectigo – including OV validation with your company name included in the certificate.

  • SAN Certificate (mail + autodiscover) – from 1,000 DKK/year
  • Wildcard Certificate – from 1,100 DKK/year
  • Installation Service – 500 DKK (complete setup via TeamViewer)


Tip: Use the --verbose flag for detailed troubleshooting:

wacs.exe --verbose

Free Support: FairSSL customers using our ACME solution with Auto-DNS receive free support for setup and troubleshooting. Contact us via phone or email.
