ACME (Automatic Certificate Management Environment) allows certificates to be enrolled and installed automatically, without going through the manual process of requesting and installing a cert on a server. The following describes how to request or renew an SSL certificate for a basic Windows server running IIS with defaults, a single site and no customization.
This article applies whether you are requesting an SSL certificate for the first time or requesting a renewal.
Submit a request here.
Once your request has been approved, you will receive an email containing the following, which you will need for the next steps. Open Notepad or another text editor and paste the following values into it to keep as a reference for the client setup below:
Prerequisites
The host firewall needs to allow outbound traffic from the server on ports 80/443 to the Sectigo servers.
Instructions
1. Go to https://www.win-acme.com/ and download the win-acme client. Extract the files and store them on the server, preferably in a location like C:\Certs.
2. Send a request to ITS Site License for ACME credentials for your site. Once your request has been approved, you will receive an email containing the following, which you will need for the next steps. Open Notepad or another text editor and paste the following values into it to keep as a reference for step 3 below:
3. Go to the directory where you extracted win-acme and create a copy of settings_default.json and rename it as settings.json.
4. Replace the following *Uri values in settings.json with https://acme.sectigo.com/v2/InCommonRSAOV/
    "Acme": {
        "DefaultBaseUri": "https://acme.sectigo.com/v2/InCommonRSAOV/",
        "DefaultBaseUriTest": "https://acme.sectigo.com/v2/InCommonRSAOV/",
        "DefaultBaseUriImport": "https://acme.sectigo.com/v2/InCommonRSAOV/",
        .....
    },
5. Change the “RenewalDays” value to your liking. The number entered is how many days from today the certificate renewal will take place. For example, if 29 is entered for a 30-day certificate, the renewal will take place in 29 days, which is 1 day before the certificate expires.
6. Change “KeyBits” to 2048.
7. Change “PrivateKeyExportable” to true.
7a. Change "DefaultInstallation" to none if you do not want the request/renewal process to automatically install the certificate and restart the web server.
    "Installation": {
        "DefaultInstallation": "none"
    }
8. The other values in the file can be left as defaults, or see the win-acme documentation to add other configurations: https://www.win-acme.com/reference/settings . Save the file when complete.
9. Make sure IIS is running and listening on port 80.
10. Check the IIS bindings to ensure that no port 443 binding is already enabled. Edit the port 80 binding and enter the hostname of the server.

11. Run the Command Prompt as Administrator.
12. Navigate to the directory that contains the win-acme client.
13. Execute the following command to request a certificate and set up auto-renewal, replacing the following values:
- baseuri: https://acme.sectigo.com/v2/InCommonRSAOV
- your_email: Enter your email address
- Key_ID: Paste the Key ID saved earlier
- HMAC_Key: Paste the HMAC key saved earlier
wacs.exe --baseuri <baseuri> --verbose --accepttos --emailaddress <your_email> --eab-key-identifier <Key_ID> --eab-key <HMAC_Key>
Add --keepexisting if you want to keep the existing certificate. This can be used in conjunction with "DefaultInstallation": "none" in the JSON file mentioned above to keep using the existing certificate until you are ready to switch to the new certificate.
14. The certificate request process will start. Choose “N” to create the certificate with default settings.
15. Hit Enter to keep the Default Web Site.
16. Choose A to pick all bindings.
17. Confirm to continue.
18. After this process completes, go to the certificate bindings in IIS and verify that a cert was generated and enrolled.
19. Open the Task Scheduler to confirm that a scheduled task was created; it should renew based on the RenewalDays parameter. Edit the scheduled task to your liking.
20. Certificate renewal emails from InCommon should have also been sent to your email address or the email that was specified.
Note: Change the “RenewalDays” value in the settings.json file if you need to make any adjustments to when the renewal takes place.
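To confirm the edits from steps 4 to 7a before running wacs.exe, the following PowerShell script (an added example, not part of the original article or of win-acme) looks up each key by name anywhere in settings.json and compares it with the values given above. The key names are the ones this article uses; the C:\Certs path, the section names "SectionA"/"SectionB" and the sample JSON are assumptions made for illustration.

```powershell
# Added example: check a win-acme settings.json against steps 4 to 7a.
param([string]$Path)  # e.g. C:\Certs\settings.json; omit to use the constructed sample

# Constructed sample. "SectionA"/"SectionB" are placeholder section names.
$sample = @'
{ "Acme": { "DefaultBaseUri": "https://acme.sectigo.com/v2/InCommonRSAOV/",
            "DefaultBaseUriTest": "https://acme.sectigo.com/v2/InCommonRSAOV/",
            "DefaultBaseUriImport": "https://acme-v02.api.letsencrypt.org/" },
  "SectionA": { "RenewalDays": 29 },
  "SectionB": { "KeyBits": 3072, "PrivateKeyExportable": true },
  "Installation": { "DefaultInstallation": "none" } }
'@

function Find-JsonKey($Node, [string]$Name, [string]$Trail = '') {
    # Emit every property called $Name, wherever it sits, with its dotted path.
    if ($Node -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Node.PSObject.Properties) {
            $here = if ($Trail) { "$Trail.$($p.Name)" } else { $p.Name }
            if ($p.Name -eq $Name) { [pscustomobject]@{ Path = $here; Value = $p.Value } }
            Find-JsonKey $p.Value $Name $here
        }
    } elseif ($Node -is [array]) {
        foreach ($item in $Node) { Find-JsonKey $item $Name $Trail }
    }
}

$uri = 'https://acme.sectigo.com/v2/InCommonRSAOV/'
$expected = [ordered]@{          # values the article prescribes
    DefaultBaseUri = $uri; DefaultBaseUriTest = $uri; DefaultBaseUriImport = $uri
    KeyBits = 2048; PrivateKeyExportable = $true
}
# RenewalDays and DefaultInstallation are site choices: reported, checked for presence only.
$names = @($expected.Keys) + 'RenewalDays', 'DefaultInstallation'

$json = if ($Path) { Get-Content -Raw -LiteralPath $Path } else { $sample }
$settings = $json | ConvertFrom-Json

$report = foreach ($name in $names) {
    $hits = @(Find-JsonKey $settings $name)
    if (-not $hits) { $hits = @([pscustomobject]@{ Path = '(not found)'; Value = $null }) }
    foreach ($h in $hits) {
        $ok = $h.Path -ne '(not found)'
        if ($expected.Contains($name)) { $ok = $h.Value -eq $expected[$name] }
        [pscustomobject]@{ Key = $name; Path = $h.Path; Value = $h.Value; Ok = $ok }
    }
}
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) { Write-Warning 'Rows with Ok = False differ from the article.' }
```

The constructed sample deliberately leaves one base URI and the key size at values other than those in steps 4 and 6, so that the mismatch rows are visible. Save the script to a file and pass -Path to check the real settings.json.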