Take advantage of ACME automation on a Windows Server as well

24 Feb 2022 | Jindřich Zechmeister

The ACME protocol is a modern automation tool used mainly on Linux servers, while it is not as widespread in Windows ecosystems. Would you like to automate the certificates on your Windows Server, but do not know how? We will show you how easily you can use ACME on the Windows Server - including certificate settings and automatic renewal.

What is ACME for?

To begin with, let's briefly recall what the ACME protocol is for and what its invaluable advantage is. Wikipedia defines it as a communications protocol for automating interactions between certificate authorities and their users' web servers, allowing the automated deployment of public key infrastructure at very low cost.

With ACME, you can easily apply for and obtain a TLS certificate from a trusted CA. The whole process is taken care of by the ACME bot, which can usually deploy the new certificate to the web server. The use is widespread in the Linux server environment, but on the contrary, in the Windows environment, many administrators still do not know the ACME bot, which could even install the certificate.

Prerequisites for using the ACME certificate

To automate the acquisition and deployment of a certificate using the ACME protocol, a few prerequisites need to be met.

Since the issuance of a certificate after its request via the ACME protocol is automatic, it is of course necessary to perform the applicant verification before the actual certificate's request. Pre-verified domains are added to this.

Just let us know you are interested in ACME. Then our support will verify your organization with DigiCert and also verify the domains you want to secure. The last step is to generate ACME approaches unique to each product. So if you want to issue, for example, a Thawte OV and Thawte EV certificate, you will have a unique ACME key for each of them, with which you will determine in the client exactly which certificate should be issued for a given domain.

You will then agree on a form of billing with SSLmarket merchants - preferably with pre-charged credit. It is also possible to get a one-time invoice for a certain number of certificates.

Attention: The DigiCert certification process has been simplified. The request does not authenticate the domain via the DNS/FILE challenge because the domain is already authenticated with the organization.

Choosing the right client and its settings

There is a large number of ACME clients available, the most common one is Certbot. You will definitely not make a mistake with this choice. However, the vast majority of available clients are designed for Linux servers or other similar platforms, and virtually none have a GUI. ACME clients are typically controlled via the command-line interface.

There are a number of options available for Windows and Windows Server, but you will often find that the client cannot complete the acquisition and installation process. The most problematic feature of ACME clients for Windows is the inability to deploy (bind) a new certificate in IIS. Some clients also offer a graphical user interface (GUI), but it is not clear whether they will work well and especially whether they will work with the ACME implementation of DigiCert.

We decided to find and recommend a specific, fully functional solution and a client that can not only obtain a certificate from DigiCert, but also install it. It is a win-acme client, which you can download from the the official website.

How to set up and use win-acme

As we mentioned above, to authenticate to DigiCert, the ACME client needs a key, which we supply and you set up in the win-acme client.

Download the client from the official website and unzip it. Do not run the program yet and open the setting.json file instead. In this text file, you will see three ACME URLs in the "Acme" section, change them all to "https://acme.digicert.com/v2/acme/directory/". Otherwise, the program will not know it should communicate with DigiCert ACME.

Only after these modifications can you run the wacs.exe file. You will probably see a Smartscreen warning because the application is not digitally signed. You have to get around that.

Win-acme offer at startup
Win-acme offer at startup

After starting the application, do not try to issue a certificate immediately, you must first set up the ACME credentials. Select O (More options) first and then A (Acme details). The program will prompt you to enter the Key Identifier and then the Key in Base64 - you will receive both data from us as KID and a HMAC key (so named). Enter them in shorter order and then longer. After entering, return to the main menu.

Proceed to the issuance of the certificate. Select N from the main menu and be guided by the wizard. When retrieving a new certificate, it retrieves Sites data in IIS and offers it to you for selection. Simply choose which domain you want to use as the CN of the certificate.

It first asks you for the website to scan and then gets the hostname from IIS. Dialogues are confirmed with the answer y(es) or n(o) and the default option is always highlighted. In the subsequent dialogue, the win-acme bot will show you the bindings it found at the given hostname. It is a list of domains and certificates linked to them. Again, you choose the correct option, or you can confirm the default choice (typically if you have only one website in IIS).

Subsequently, win-acme will connect to DigiCert via the ACME protocol and try to obtain a new TLS certificate. Let us remind you that the ACME keys generated by us determine what certificate it will be and for whom it will be issued.

After the certificate is issued, which typically takes a few seconds, the new certificate is set to the previously selected domain in IIS, so you do not have to laboriously import the certificate and edit the Bindings. Below you can see the confirmation of the successful certificate issuance and the confirmation that it was assigned to the selected domain in IIS. It is active from that moment and everything is done!

Potvrzení úspěšného vydání a nabindování certifikátu
A confirmation of successful certificate issuance and installation

You do not need to worry about renewing the certificate. The win-acme client creates an event on the given server/station, which is repeated daily. Any expiring certificates will be launched and renewed every day.

Conclusion

The ACME protocol is a powerful helper to automate the certificate lifecycle. Do not hesitate to deploy it, as it can save you hundreds of hours a year spent manually managing TLS certificates. Contact our SSLmarket support to obtain an ACME URL.