Windows Server 2022 SSL Certificate Rotation for IIS

Tags ssl server

Quick Links: | Overview, Requirements, and Preparation | Install Win-ACME | Issue and Install Certificate | Verify Automatic Renewal | Troubleshooting | Best Practices and Maintenance |

Overview, Requirements, and Preparation

This article explains how to rotate (issue, install, and automatically renew) SSL/TLS certificates on Windows Server 2022 using Let’s Encrypt and Win-ACME for IIS-hosted websites. You’ll learn how to install Win-ACME, create a certificate for an IIS site, confirm the HTTPS binding, verify the scheduled renewal task, and troubleshoot common validation and renewal issues.

These steps assume you have administrative access to the server via RDP and that IIS is already installed and configured for the target website(s). Perform certificate changes during a maintenance window to minimize disruption.

  • Server Environment: Windows Server 2022 (64-bit).
  • IIS Configuration: IIS installed with target site(s) configured, including HTTP (port 80) and HTTPS (port 443) bindings. Port 80 must be publicly accessible for HTTP-01 validation.
  • Domain Setup: The domain (example: cadewebapp.csuchico.edu) resolves to the server’s public IP via a DNS A record. Configure subdomains (example: www.cadewebapp.csuchico.edu) if needed.
  • Firewall Rules: Inbound TCP 80 allowed through Windows Firewall and any network firewall. For HTTPS-only setups, TCP 443 must also be open. You also need permission from ISEC to allow the ACME protocol, even if ports are already open.
  • Administrative Privileges: Log in as a local administrator.
  • Backup: Export existing certificates from the Local Computer certificate store (MMC > Certificates snap-in) before making changes.

Install Win-ACME

Win-ACME is distributed as a portable ZIP archive.

  1. Download Win-ACME
    • Go to the Win-ACME GitHub releases page
    • Download the current release file: win-acme.v[current version].x64.pluggable.zip (recommended; includes plugins).
    • If you suspect ARM64 (rare on Windows Server 2022), confirm the architecture in Command Prompt:
      • wmic os get osarchitecture (should return 64-bit for x64)
  2. Extract the ZIP
    • Save the ZIP to a temporary folder (example: C:\Temp).
    • Right-click the ZIP > Extract All to: C:\Program Files\win-acme.
    • Confirm the folder structure is preserved and includes wacs.exe.
  3. Verify installation
    • Browse to C:\Program Files\win-acme.
    • Confirm wacs.exe and supporting DLLs exist.
    • No MSI/setup is required; Win-ACME runs from the extracted folder.
  4. Optional: Create a shortcut
    • Right-click wacs.exe > Create shortcut.
    • Move it to the Desktop or Start Menu.
    • Always run as administrator.

Issue and Install Certificate

Use Win-ACME to request a new Let’s Encrypt certificate and install it into the Local Machine certificate store, then bind it to IIS.

  1. Launch Win-ACME as administrator
    • Right-click C:\Program Files\win-acme\wacs.exe > Run as administrator.
    • On first run, accept the license by typing A and pressing Enter.
  2. Create a certificate using default settings
    • At the main menu, type N and press Enter for Create certificate (default settings).
  3. Select the target IIS site
    • When prompted, choose the site number that matches your IIS site (example: CADEC_TEST hosting cadewebapp.csuchico.edu).
    • If no sites appear, verify IIS and bindings in IIS Manager:
      • Run inetmgr > Sites > select site > Bindings
  4. Add additional hostnames (optional)
    • If needed, include additional names (example: www.cadewebapp.csuchico.edu) when prompted.
    • Otherwise, press Enter to accept the default hostname from the IIS binding.
  5. Enter contact email
    • Provide a valid email (example: admin@csuchico.edu) for Let’s Encrypt notifications.
  6. Choose validation method
    • Select 1: HTTP validation (webroot) for HTTP-01 (recommended for IIS).
    • This places a temporary validation file under:
      • http://<your-domain>/.well-known/acme-challenge/
    • If port 80 is blocked, choose 2: DNS validation and configure the appropriate DNS plugin (requires API credentials).
  7. Complete issuance
    • Win-ACME validates the domain and requests a certificate (typically valid for 90 days).
    • The certificate is installed to Local Computer > Personal and applied to the IIS HTTPS binding automatically.
    • Record the thumbprint and any renewal details shown in the output.
  8. Verify HTTPS and IIS binding
    • Browse to https://<your-domain> and confirm the certificate issuer is Let’s Encrypt and the expiration is in the future.
    • In IIS Manager: Site > Bindings > edit the https binding and verify the selected certificate.
    • In MMC: mmc.exe > Add/Remove Snap-in > Certificates (Local Computer) > Personal > Certificates, confirm the new certificate appears.

Verify Automatic Renewal

Win-ACME typically creates a scheduled task that runs daily to renew certificates when they approach expiration (often within 30 days).

  1. Open Task Scheduler
    • Press Windows + R, type taskschd.msc, press Enter.
  2. Find the Win-ACME renewal task
    • In Task Scheduler Library, search (Ctrl + F) for win-acme or renew.
    • Expected task name: win-acme renew (or similar, possibly inside a win-acme folder).
    • Optional PowerShell check (run as administrator):
      • Get-ScheduledTask | Where-Object {$_.TaskName -like "*win-acme*" -or $_.TaskPath -like "*win-acme*"} | Format-Table TaskName, TaskPath, State
  3. Confirm task settings
    • General: Enabled, Run with highest privileges, and Run whether user is logged on or not.
    • Triggers: Daily trigger (example: 2:00 AM).
    • Actions: Start program C:\Program Files\win-acme\wacs.exe with arguments --renew.
    • Conditions/Settings: Adjust power-related conditions as needed; enable retry/restart on failure if available.
  4. Test the renewal task
    • Right-click the task > Run and confirm it completes (status returns to Ready).
    • Review logs at C:\ProgramData\win-acme\Logs and open the latest win-acme.log for results.
    • Optional: Run Win-ACME and select O: List scheduled tasks to confirm the task exists.

Troubleshooting

Review Win-ACME logs (C:\ProgramData\win-acme\Logs\win-acme.log) and Windows Event Viewer (Windows Logs > Application/System) for error details.

Installation or launch issues

  • “Access Denied”: Run wacs.exe as administrator.
  • Missing DLLs: Re-download and re-extract the ZIP; ensure antivirus did not quarantine files.
  • Architecture mismatch: Confirm x64 vs ARM64 and download the correct build.

Certificate issuance failures

  • HTTP-01 validation fails:
    • Confirm port 80 is open and listening: netstat -an | find "80"
    • Test external reachability (example): telnet <your-domain> 80
    • Ensure IIS can write to /.well-known/acme-challenge/ under the site webroot (verify site permissions).
  • DNS issues:
    • Confirm A record: nslookup <your-domain>
    • Allow time for propagation (up to 48 hours in some cases).
  • Rate limits: Let’s Encrypt may limit repeated/duplicate requests. Wait and retry later, or use testing options (staging) during troubleshooting.
  • More detail: Re-run Win-ACME with verbose output for deeper troubleshooting.

Renewal task problems

  • Task not found (create manually):
    1. Task Scheduler > Create Task
    2. Name: win-acme renew
    3. General: Run with highest privileges; run whether user is logged on or not
    4. Triggers: Daily (example: 2:00 AM)
    5. Actions: Start a program: C:\Program Files\win-acme\wacs.exe with arguments --renew
    6. Save using appropriate admin credentials
  • Task fails to run: Check the History tab for errors (path, permissions). Right-click > Run to test.
  • Renewal fails: Verify prerequisites (port 80/DNS). Run manually for detail:
    • wacs.exe --renew --verbose
  • Certificate expired and urgent: Force renewal (use cautiously):
    • wacs.exe --renew --force

IIS binding problems

  • Certificate not bound: IIS Manager > Site > Bindings > Edit https > select new certificate.
  • Apply changes: Run iisreset from an elevated Command Prompt if needed.
  • Confirm thumbprint:
    • Get-ChildItem -Path Cert:\LocalMachine\My | Format-Table Subject, Thumbprint, NotAfter

Best Practices and Maintenance

  • Regular audits: Monthly, confirm certificate expiration and that the renewal task is still enabled and succeeding.
  • Monitoring: Implement alerting for renewal failures (Event Viewer/forwarding or third-party monitoring).
  • Security: Protect DNS API credentials (if using DNS validation) and update contact emails when staff changes.
  • Updates: Periodically check Win-ACME releases/community forks. Consider alternatives if your environment requires a maintained client.

 Still need help? Contact Information Security for further assistance.
  
 Help us improve our Knowledge Base! Click Yes or No below, then let us know what worked — or what didn’t. Your feedback helps us improve our content and provide the best possible support. 

Print Article