Partner Subscriptions: ACME automation guide for Microsoft IIS
Use this guide to issue and install a public trust certificate on Microsoft IIS using simple-acme for DigiCert Partner Subscriptions.
Before you begin
ACME credential prerequisites
Before you begin, get the following ACME credentials from your DigiCert partner contact:
Notice
Partner note: These ACME credentials are provided in the API response when creating an ACME contract. See the Create ACME contract endpoint.
ACME directory URL
Example ACME directory:
https://www.digicert.com/partner-subscription/api/v1/acme
External account bindings (EAB) key identifier, also called the KID
Example KID:
zcwmKf9sCnDUZsbCOgnv1ijy46l6UeEYCavSQQirl-g
EAB HMAC key
Example HMAC key:
RHZraHBXQUxWTEFGdFhndjRVNmV3S3F6c2VNZDM1QzRURGhjdHF3S1NublJjN3dhVUFObzA0SXJwVHBnU2xnR
simple-acme and IIS prerequisites
Before you start, make sure you have:
Windows Server 2016 or later with the IIS role installed.
The target IIS site is already bound to the hostname you want to secure.
Local administrator rights. simple-acme must run from an elevated PowerShell session.
.NET Desktop Runtime 8 or later installed.
simple-acme downloaded and extracted to C:\Program Files\simple-acme.
Download simple-acme from https://simple-acme.com/
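The following PowerShell pre-flight check is an added example for this guide; it is not part of the DigiCert documentation or of simple-acme. It assumes the three ACME credentials described above, www.example.com as a placeholder hostname, and an elevated session on the IIS host. It confirms that the directory URL answers and advertises that an external account binding is required, checks that the HMAC key decodes as base64url (so a truncated or mistyped paste is caught before account registration fails), lists the IIS site IDs you pass to --siteid, and reports whether a port-80 binding exists for the hostname, which the HTTP-01 method needs and the DNS-01 method does not.

```powershell
# Added pre-flight check for this guide (not part of the DigiCert documentation or of simple-acme).
# Assumed values: replace the bracketed placeholders with the credentials from your partner contact;
# $HostName is the site hostname you intend to order.
param(
    [string]$DirectoryUrl = "https://www.digicert.com/partner-subscription/api/v1/acme",
    [string]$EabKid       = "<KID>",
    [string]$EabHmacKey   = "<HMAC_KEY>",
    [string]$HostName     = "www.example.com"
)

if (($EabKid + $EabHmacKey) -match '[<>]') {
    throw "Replace the bracketed KID and HMAC key placeholders before running this check."
}

function ConvertFrom-Base64Url {
    # The EAB HMAC key is base64url (RFC 7515 section 2), not standard base64:
    # restore '+', '/' and the padding before handing it to .NET.
    param([string]$Text)
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw "length $($Text.Length) is not a valid base64url length" }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    return [Convert]::FromBase64String($b64)
}

# 1. The directory must answer and, for a partner subscription, should flag that an
#    external account binding is required (RFC 8555 section 7.1.1, meta.externalAccountRequired).
$directory = Invoke-RestMethod -Uri $DirectoryUrl -Method Get
"newAccount endpoint : $($directory.newAccount)"
"EAB required        : $($directory.meta.externalAccountRequired)"
if (-not $directory.meta.externalAccountRequired) {
    Write-Warning "Directory does not advertise externalAccountRequired; confirm this is the partner URL."
}

# 2. A mistyped or truncated HMAC key fails here with a clear message instead of as an
#    opaque account-registration error from the CA.
try {
    $keyBytes = ConvertFrom-Base64Url $EabHmacKey
    "EAB key             : KID $EabKid, HMAC key decodes to $($keyBytes.Length) bytes"
} catch {
    Write-Error "EAB HMAC key is not valid base64url: $($_.Exception.Message)"
}

# 3. Site IDs for --siteid, with each site's current bindings.
Import-Module WebAdministration
$sites = Get-Website
foreach ($site in $sites) {
    $bindings = ($site.bindings.Collection | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join ', '
    "Site {0,-3} {1,-30} {2}" -f $site.Id, $site.Name, $bindings
}

# 4. HTTP-01 needs an http binding that answers for the hostname on port 80 (either a
#    host-header binding for $HostName or a catch-all binding with no host header).
$httpBinding = $sites | ForEach-Object { $_.bindings.Collection } | Where-Object {
    $_.protocol -eq 'http' -and
    ($_.bindingInformation -like "*:80:$HostName" -or $_.bindingInformation -like "*:80:")
}
if ($httpBinding) { "HTTP-01             : port-80 binding present for $HostName" }
else              { "HTTP-01             : no port-80 binding for $HostName; use DNS-01 or add an http binding first" }
```

Save the script and run it from the same elevated PowerShell prompt you will use for wacs.exe; the site ID it prints is the value for <IIS_SITE_ID> in the commands below.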
Issue and install a certificate using DNS-01 domain validation
Use DNS-01 when you need a wildcard certificate or when the server isn’t reachable on TCP port 80.
Notice
Another prerequisite: You need programmatic access to the public DNS zone for the domain. For example, Route 53, Azure DNS, Cloudflare, GoDaddy, or a custom script.
The example instructions use the built-in Route 53 plugin. For other DNS providers, replace the Route 53 validation options with the appropriate simple-acme validation options for your DNS provider.
From an elevated PowerShell prompt, go to the simple-acme directory.
Replace the bracketed values and run the following command:
.\wacs.exe --source manual `
  --host "*.example.com,example.com" `
  --validation route53 --validationmode dns-01 `
  --route53accesskeyid "<AWS_ACCESS_KEY_ID>" `
  --route53secretaccesskey "<AWS_SECRET_ACCESS_KEY>" `
  --store certificatestore --certificatestore WebHosting `
  --installation iis --siteid <IIS_SITE_ID> `
  --baseuri "<ACME_DIRECTORY_URL>" `
  --eab-key-identifier "<KID>" --eab-key "<HMAC_KEY>" `
  --emailaddress "<ADMIN_EMAIL>" --accepttos
simple-acme does the following:
Creates a TXT record at _acme-challenge.<hostname> for each name on the order.
Waits for propagation.
Completes the DNS-01 challenge.
Removes the TXT records.
Saves the certificate to Local Computer > Web Hosting.
Binds the certificate to the IIS site on TCP port 443.
Creates a daily Windows Scheduled Task to handle renewals.
Issue and install a certificate using HTTP-01 domain validation
Notice
Another HTTP-01 prerequisite: Inbound TCP port 80 must be open from the public internet to the IIS site.
From an elevated PowerShell prompt, go to the simple-acme directory.
Replace the bracketed values and run the following command:
.\wacs.exe --source iis --siteid <IIS_SITE_ID> `
  --host "www.example.com,example.com" `
  --validation selfhosting --validationmode http-01 `
  --store certificatestore --certificatestore WebHosting `
  --installation iis `
  --baseuri "<ACME_DIRECTORY_URL>" `
  --eab-key-identifier "<KID>" --eab-key "<HMAC_KEY>" `
  --emailaddress "<ADMIN_EMAIL>" --accepttos
simple-acme does the following:
Registers the ACME account with EAB.
Completes the HTTP-01 challenge.
Saves the issued certificate to Local Computer > Web Hosting.
Binds the certificate to the IIS site on TCP port 443.
Creates a daily Windows Scheduled Task to handle renewals.
What's next
After simple-acme validates the domains, the certificate is issued and installed on your Windows Server 2016 or later. simple-acme also creates a scheduled task to manage certificate renewals.
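The following PowerShell check is an added example for this guide, not part of the DigiCert documentation or of simple-acme. It assumes www.example.com as a placeholder hostname and that the renewal task name contains "acme" (the exact task name is assigned by simple-acme, so it is matched with a wildcard). It resolves the port-443 binding to its certificate in the Web Hosting store, checks the SANs and the remaining validity, builds the chain on the server so a missing intermediate is caught before clients see it, and confirms that the scheduled renewal task exists and is enabled.

```powershell
# Added post-installation check for this guide (not part of the DigiCert documentation or of simple-acme).
# Assumed values: $HostName is a name from your order; the renewal task is matched on '*acme*'.
param([string]$HostName = "www.example.com")

Import-Module WebAdministration

# 1. Find the https binding for the host and the certificate it references.
$binding = Get-Website | ForEach-Object { $_.bindings.Collection } |
    Where-Object { $_.protocol -eq 'https' -and $_.bindingInformation -like "*:443:$HostName" } |
    Select-Object -First 1
if (-not $binding) { throw "No https binding for $HostName on port 443" }
"Binding      : $($binding.bindingInformation) (store: $($binding.certificateStoreName))"

# 2. Resolve the bound thumbprint in the store simple-acme wrote to (Web Hosting by default)
#    and check the names it covers and how long it remains valid.
$cert = Get-ChildItem "Cert:\LocalMachine\$($binding.certificateStoreName)" |
    Where-Object Thumbprint -eq $binding.certificateHash
if (-not $cert) { throw "Bound thumbprint $($binding.certificateHash) not found in $($binding.certificateStoreName)" }
"Subject      : $($cert.Subject)"
"Issuer       : $($cert.Issuer)"
"SANs         : $($cert.DnsNameList.Unicode -join ', ')"
"Valid until  : $($cert.NotAfter.ToString('u'))"
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days; check the renewal task." }
if ($cert.DnsNameList.Unicode -notcontains $HostName) {
    # A wildcard SAN covers exactly one label, so check the wildcard form explicitly.
    $wildcard = '*.' + ($HostName -replace '^[^.]+\.', '')
    if ($cert.DnsNameList.Unicode -notcontains $wildcard) {
        Write-Warning "$HostName is not covered by the certificate SANs"
    }
}

# 3. Build the chain on the server; a missing intermediate shows up here rather than in browsers.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) {
    "Chain        : OK ($($chain.ChainElements.Count) elements)"
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    Write-Warning "Chain build failed: $reasons"
}

# 4. Without an enabled renewal task the certificate expires silently.
$task = Get-ScheduledTask | Where-Object TaskName -like '*acme*'
if ($task) {
    $task | ForEach-Object { "Renewal task : $($_.TaskName) [$($_.State)]" }
} else {
    Write-Warning "No scheduled task matching '*acme*'; renewals are not automated."
}
```

Run it once right after issuance and again after the first scheduled renewal; the validity date should move forward while the binding and store stay the same.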