Protect your IIS HTTPS Web Site with a Let’s Encrypt Certificate

These days no web site should run on HTTP; it should use HTTPS instead. A certificate can easily be requested from, and issued by, the Let’s Encrypt Certificate Authority. What you need is an ACME (Automatic Certificate Management Environment) client.

A list of ACME clients is published and regularly updated on the Let’s Encrypt web page:
https://letsencrypt.org/docs/client-options/

In this article we’ll use the Win-ACME Client (https://www.win-acme.com/).
At the time of writing, the current version of the Win-ACME Client was v2.1.8.838.

Download and extract

Download and extract the Win-ACME Client. When unpacking the archive, choose a location where the Win-ACME Client can reside for the next ‘years’: once you get a certificate issued, the Win-ACME Client creates a Scheduled Task which runs every now and then to make sure your certificate gets renewed.

Extract the Win-ACME Client Archive

Start WACS.exe (elevated, as admin!). Windows will warn you with ‘Windows protected your PC’; you can safely ignore that message and click on Run anyway.

Select N for Create certificate (default settings)

Choose the site you want to protect with a certificate:

You can choose A or P. I prefer to choose P because I want to select the binding; for the search pattern I then type my.infrastructure-manager.com, since this is the web site I want to protect.

Provide an e-mail address and select yes/no twice. Now make sure your web server can be reached on port 80, otherwise the certificate request will fail!

Now you can optionally check your scheduled tasks. You’ll most probably find a scheduled task named win-acme renew (acme-v02.api.letsencrypt.org).

You can also use this command to query your system for the scheduled task (although the name of the task may vary):

Get-ScheduledTask -TaskName "win-acme renew (acme-v02.api.letsencrypt.org)" | Format-List
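
The following check is an added example, not part of the original article or of the Win-ACME project. It finds the renewal task by wildcard (because the name may vary), reports its last run result, and then inspects the certificate the site actually serves on port 443. The 30-day warning threshold and the variable names are assumptions; the host name is the one used above.

```powershell
# Added example: run in an elevated PowerShell 5.1+ session on the web server.
$HostName    = 'my.infrastructure-manager.com'   # site name used in the article
$TaskPattern = 'win-acme renew*'                 # wildcard, because the task name may vary
$WarnDays    = 30                                # assumption: alert threshold in days

# 1. Renewal task: must exist, be enabled, and have a successful last run (0x0).
$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskPattern })
if ($tasks.Count -eq 0) {
    Write-Warning "No scheduled task matching '$TaskPattern' found; the certificate will not be renewed."
}
foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName       = $task.TaskName
        State          = $task.State
        LastRunTime    = $info.LastRunTime
        LastTaskResult = '0x{0:X}' -f $info.LastTaskResult
        NextRunTime    = $info.NextRunTime
    } | Format-List
    if ($task.State -eq 'Disabled') { Write-Warning "$($task.TaskName) is disabled." }
    if ($info.LastTaskResult -ne 0) { Write-Warning "$($task.TaskName) did not report success on its last run." }
}

# 2. Served certificate: default validation is kept, so the handshake throws if the
#    chain is untrusted, the name does not match, or the certificate has expired.
$client = [System.Net.Sockets.TcpClient]::new()
try {
    $client.Connect($HostName, 443)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($HostName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        DaysLeft = $daysLeft
    } | Format-List
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "Certificate for $HostName expires in $daysLeft days; check the renewal task."
    }
}
catch {
    Write-Warning "TLS check for $HostName failed: $($_.Exception.Message)"
}
finally {
    $client.Close()
}
```

A task that has never run yet reports a non-zero LastTaskResult, so a warning directly after the first issuance is expected.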