SSL Automation
Windows setup
FairSSL ACME automates certificate renewal on Windows Server. With simple-acme (formerly win-acme) you get full automation for IIS, Exchange, RDP Gateway, SQL Server and ADFS, with no manual steps after initial setup.
Supported platforms
IIS 8+
Windows Server 2012+
Full automation of certificate binding, renewal and installation. Supports SNI and multiple sites.
IIS 6-7.5
Legacy (Server 2003-2008 R2)
Limited support. Certificates can be issued, but manual binding may be required. Consider upgrading.
Exchange Server
2013, 2016, 2019
Automatic renewal of Exchange certificates. simple-acme can install directly into the Exchange certificate store.
Remote Desktop Services
RDP Gateway, Web Access
Automate RDP gateway certificates. Avoid the annual manual renewal that disrupts remote users.
SQL Server
TLS-encrypted connections
Certificates for encrypted SQL Server connections. simple-acme installs into the Windows certificate store.
ADFS
Active Directory Federation
Automatic renewal of ADFS service communication and token-signing certificates.
Dynamics NAV / BC
NAV 2018, Business Central on-prem
Microsoft Dynamics NAV and Business Central on-premise. simple-acme installs the certificate in Windows and updates the NAV/BC service tier configuration.
PRTG Network Monitor
Paessler PRTG
PRTG Network Monitor. simple-acme fetches the certificate, converts it to PRTG's expected PEM/Key format and restarts the PRTG Core service.
Custom Windows service
Post-renewal scripts
Arbitrary Windows services. Use simple-acme with post-renewal scripts that export PEM/PFX and restart the service the certificate is bound to.
Recommended client: simple-acme
simple-acme (formerly win-acme) is the leading ACME client for Windows. FairSSL sponsors the project and collaborates directly with its developers.
Features
- ✓ Open source (Apache 2.0 licence)
- ✓ Interactive text interface (TUI) and CLI
- ✓ Supports ARI (smart renewal)
- ✓ Supports EAB (FairSSL account binding)
- ✓ Automatic Task Scheduler setup
Supported
- ✓ IIS certificate binding (incl. SNI)
- ✓ Windows Certificate Store
- ✓ PEM/PFX file export
- ✓ Exchange, RDP, ADFS installation
- ✓ Post-install scripts (PowerShell)
Important: Adjust Settings.json
Extract simple-acme to e.g. C:\simple-acme. Open Settings.json and set RenewalDays to 365 and RenewalMinimumValidDays to 15. With ARI, simple-acme will automatically renew at the optimal time, but these values ensure renewal always happens with at least 15 days of margin.
simple-acme
rem Run in an administrator command prompt
wacs.exe --baseuri "https://fairssl.dk/acme" --verbose ^
--eab-key-identifier dhgbKR8K73PgqAxIij6CDg ^
--eab-key QAx4jKmABqeYCXGZ1H7-eqG2qkPCtflHo5r51TWpebs ^
--accepttos
simple-acme will interactively ask which sites you want to protect. Domain validation is handled automatically via FairSSL Auto DNS. EAB keys are generated in the FairSSL portal under "Connect ACME client".
Posh-ACME (PowerShell)
# Install the Posh-ACME module and create an account
Install-Module -Name Posh-ACME -Scope CurrentUser
Set-PAServer -DirectoryUrl 'https://fairssl.dk/acme'
New-PAAccount `
-ExtAcctKID 'dhgbKR8K73PgqAxIij6CDg' `
-ExtAcctHMACKey 'QAx4jKmABqeYCXGZ1H7-eqG2qkPCtflHo5r51TWpebs' `
-AcceptTOS
# Request the certificate; the Manual plugin runs non-interactively
New-PACertificate 'www.your-domain.com','your-domain.com' `
-DirectoryUrl 'https://fairssl.dk/acme' `
-Plugin Manual `
-PluginArgs @{ManualNonInteractive = $true}
Remember to create a daily task in Task Scheduler to run Submit-Renewal for automatic renewal.
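The daily Task Scheduler job mentioned above, as an added example that is not FairSSL's or the Posh-ACME project's own code. The script folder, task name and start time are assumed values, and -NoSkipManualDns is passed because Submit-Renewal otherwise skips orders created with the Manual plugin.

```powershell
# Added example, not FairSSL's or Posh-ACME's own code. Run once, elevated, as the
# Windows user that ran New-PAAccount / New-PACertificate above.
# Assumed values: script folder, task name, start time.
$scriptDir  = 'C:\Scripts\FairSSL'
$scriptPath = Join-Path $scriptDir 'Renew-PoshAcme.ps1'
$taskName   = 'Posh-ACME daily renewal'

# Renewal script that the task executes. Keep the folder writable by
# administrators only: whoever can edit this file runs code as the task user.
$renewScript = @'
Import-Module Posh-ACME
Set-PAServer -DirectoryUrl 'https://fairssl.dk/acme'
$log = Join-Path $env:LOCALAPPDATA 'Posh-ACME\renew.log'
try {
    # Submit-Renewal skips orders that use the Manual plugin unless
    # -NoSkipManualDns is given; the order above uses -Plugin Manual.
    $certs = Submit-Renewal -AllOrders -NoSkipManualDns -ErrorAction Stop
    foreach ($c in $certs) {
        "$(Get-Date -Format o) renewed $($c.Subject) thumbprint=$($c.Thumbprint) notAfter=$($c.NotAfter)" |
            Add-Content -Path $log
    }
} catch {
    "$(Get-Date -Format o) renewal failed: $_" | Add-Content -Path $log
    exit 1
}
'@
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
Set-Content -Path $scriptPath -Value $renewScript -Encoding UTF8

$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$scriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '03:15'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# Posh-ACME keeps accounts and orders under the creating user's profile
# (%LOCALAPPDATA%\Posh-ACME), so the task must run as that same user.
$cred = Get-Credential -UserName "$env:USERDOMAIN\$env:USERNAME" `
    -Message 'Password for the account that owns the Posh-ACME profile'
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password | Out-Null
```

Submit-Renewal only obtains the renewed certificate; binding it to the service that uses it is a separate step this task does not perform.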
Guided setup in the FairSSL portal
The FairSSL customer portal has an interactive setup wizard that generates a complete installation guide tailored to your server. You do not need to be an ACME expert to set it up.
Choose platform and server type
Windows or Linux, then server type (IIS 8+, Exchange, RDP, SQL Server, ADFS and more)
Enter domain names
Specify common name and any SAN domains (e.g. www.example.com, example.com)
Receive a tailored guide
The portal generates a step-by-step guide with the exact command for your server, including your EAB keys and domain names
Example: Generated command for IIS 8+ with automatic binding
wacs.exe --verbose ^
--baseuri "https://fairssl.dk/acme" ^
--eab-key-identifier YOUR_EAB_KID ^
--eab-key YOUR_EAB_HMAC ^
--accepttos ^
--source manual ^
--host "www.example.com,example.com" ^
--friendlyname "fairssl-acme-www.example.com" ^
--store certificatestore --certificatestore My ^
--validation none ^
--installation iis
EAB keys, domain names and friendly name are filled in automatically with your values. Domain validation is handled via FairSSL Auto DNS.
Verify and adjust configuration
The guide includes tips for verifying that the certificate is correctly installed, and recommended settings for automatic renewal