Installing a Free Let’s Encrypt TLS/SSL Certificate on IIS Web Server / RDS

In this article we will show you how to install and bind a free Let’s Encrypt TLS/SSL certificate for a website on an IIS web server running Windows Server 2019/2016/2012 R2.

Let’s Encrypt and ACME Clients for Windows

A website TLS/SSL certificate protects user data transmitted over the public network from man-in-the-middle (MITM) attacks and guarantees data integrity. The non-profit certificate authority Let’s Encrypt issues free X.509 TLS certificates for HTTPS automatically through an API. Only domain-validated certificates are issued, and they expire after 90 days (there is a limit of 50 certificates per domain per week). However, you can renew your site’s SSL certificate automatically on a simple schedule.

The Let’s Encrypt API for the automatic issuance of certificates is called the Automated Certificate Management Environment (ACME) API. There are 3 common client implementations of the ACME API for Windows systems:

  1. Windows ACME Simple (WACS) is a command line tool that allows you to interactively issue an SSL certificate and bind it to a specific site on your IIS web server;
  2. The ACMESharp PowerShell module is a PowerShell library with a set of commands for interacting with Let’s Encrypt servers via the ACME API;
  3. Certify is a graphical Windows tool for interactive management of SSL certificates using the ACME API.

WACS Client to Install the Let’s Encrypt TLS Certificate in IIS on Windows Server

The easiest way to obtain a Let’s Encrypt SSL certificate is the Windows ACME Simple (WACS) console tool (formerly called LetsEncrypt-Win-Simple). It is a simple wizard that lets you select one of the sites running on IIS and automatically issues an SSL certificate and binds it to that site.

Suppose you have an IIS website running on Windows Server 2016. Your task is to bring the website into HTTPS mode by installing a free SSL certificate from Let’s Encrypt.

Download the latest version of the WACS client from GitHub: https://github.com/PKISharp/win-acme/releases (in my case the version is v2.0.10, file win-acme.v2.0.10.444.zip).

Unzip the archive into the following directory on the server where IIS is installed: c:\inetpub\letsencrypt. You must install .NET Framework 4.7.2 or later to use win-acme.

Open a command prompt, navigate to the c:\inetpub\letsencrypt directory and run wacs.exe. This starts the interactive wizard for generating a Let’s Encrypt certificate for an IIS site. To quickly create a new certificate, choose N: Create new certificate (simple for IIS).


You must then select the certificate type. In our example a certificate with aliases (multiple SANs, Subject Alternative Names) is not needed, so select option 1: Single binding of an IIS site. If you need a wildcard certificate, select option 3.

The tool then displays the list of websites running on IIS and asks you to select the site for which the certificate should be issued.

Enter the email address to which certificate renewal notifications and other critical news and errors should be sent (multiple addresses may be specified, separated by commas). Then accept the terms of use, and Windows ACME Simple connects to the Let’s Encrypt servers and automatically tries to generate a new SSL certificate for your site.

The process of generating and installing Let’s Encrypt SSL certificates for IIS is fully automated.

By default, domain validation is performed in http-01 (SelfHosting) mode. For this you need a DNS record for the domain that points to your web server. If you run WACS in manual mode (Full options), you can select the validation type: 4 [http-01] Create temporary application in IIS (recommended). In this case a small application is created on the IIS web server that the Let’s Encrypt servers use to validate the domain.
Note: during HTTP validation, your website must be accessible from the Internet by its full DNS name over HTTP (80/TCP) and HTTPS (443/TCP).

The WACS tool stores the certificate’s private key (*.pem), the certificate itself and some other files in C:\Users\%username%\AppData\Roaming\letsencrypt-win-simple. It then installs the generated SSL certificate in the background and binds it to your IIS site. If the site already has a certificate (for example, a self-signed one), it is replaced by the new one.

In IIS Manager, open the binding settings of your site and make sure it uses the certificate issued by Let’s Encrypt Authority X3.

The certificate shows as trusted on your computer if the Windows Trusted Root Certification Authorities store is up to date.

IIS stores the Let’s Encrypt certificate in the computer certificate store under Web Hosting -> Certificates.

Windows ACME Simple creates a new task in the Windows Task Scheduler (win-acme-renew (acme-v02.api.letsencrypt.org)) to renew the certificate automatically. The task runs daily, and the certificate is renewed after 60 days. The task executes the command:

C:\inetpub\letsencrypt\wacs.exe --renew --baseuri https://acme-v02.api.letsencrypt.org

The same command can be used to manually update the certificate.
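A check worth running after installation and after each scheduled renewal, as an added example (not the article’s or the win-acme project’s code): list the certificate behind each https binding of a site, who issued it, whether it chains to a trusted root on this host, and how many days remain before expiry. It assumes the WebAdministration module that ships with IIS; 'Default Web Site' is a placeholder site name.

```powershell
# Added example: report the certificate bound to an IIS site's https bindings.
# Assumes the WebAdministration module (installed with IIS).
Import-Module WebAdministration

$siteName = 'Default Web Site'   # placeholder, replace with your site name

# Each https binding records the thumbprint and the store of its certificate
$bindings = Get-WebBinding -Name $siteName -Protocol https
if (-not $bindings) { throw "Site '$siteName' has no https binding" }

foreach ($b in $bindings) {
    $thumb = $b.certificateHash
    $store = $b.certificateStoreName      # WACS installs into 'WebHosting'
    $cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Binding $($b.bindingInformation): certificate $thumb not found in store $store"
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Binding  = $b.bindingInformation
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer           # expect the Let's Encrypt issuer here
        NotAfter = $cert.NotAfter
        DaysLeft = $daysLeft
        Trusted  = $cert.Verify()         # true if the chain builds to a trusted root
    }
    # Renewal is due after 60 days; less than 30 days left means the task did not run
    if ($daysLeft -lt 30) {
        Write-Warning "Certificate for '$siteName' expires in $daysLeft days; check the win-acme-renew task"
    }
}
```

Run it from an elevated PowerShell console, since the Web Hosting store and the IIS configuration are only readable by administrators. A Trusted value of False after a successful issuance usually points to an outdated root store on the server rather than a problem with the certificate.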


Switching from HTTP to HTTPS with URL rewrite from IIS

To redirect all incoming HTTP traffic to the HTTPS URL of the website, install the Microsoft URL Rewrite module (https://www.iis.net/downloads/microsoft/url-rewrite) and make sure that the Require SSL option is disabled in the website settings. Then configure the redirect rule in the site’s web.config.

You can also configure the redirect through the IIS Manager GUI using the URL Rewrite extension. Select Sites -> your site -> URL Rewrite.

Create a new rule: Add Rule(s) -> Blank rule.

Enter a rule name and set the following parameters:

  • Requested URL: Matches the Pattern
  • Using: Regular Expressions
  • Pattern: (.*)

Under Conditions, set Logical grouping: Match All and click Add. Enter the following parameters:

  • Condition input: {HTTPS}
  • Check if input string: Matches the Pattern
  • Pattern: ^OFF$

Now fill in the Action section:

  • Action type: Redirect
  • Redirect URL: https://{HTTP_HOST}/{R:1}
  • Redirect type: Permanent (301)

Open your browser and try to open your website with an HTTP address; you should be automatically redirected to an HTTPS URL.
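The same rule written directly into web.config, as an added example reconstructed from the GUI steps above (it is not the article’s own listing; the rule name is arbitrary). It matches every request, fires only when the request did not arrive over HTTPS, and answers with a permanent redirect to the same host and path over HTTPS:

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Redirect every plain-HTTP request to the same path over HTTPS -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <!-- {HTTPS} is OFF for requests that arrived without TLS -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Place the <rewrite> element inside the existing <system.webServer> section of the site’s web.config if one is already there; the rule only takes effect once the URL Rewrite module is installed. Keep the HTTP binding (port 80) in place, because both this redirect and the http-01 validation used by WACS depend on it.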

Using a Let’s Encrypt Certificate with RDS Gateway and Web Access

If you use RDS Gateway or RDS Web Access to connect remote users to the corporate network, you can use a trusted Let’s Encrypt SSL certificate instead of a self-signed one. Let’s see how to properly install the Let’s Encrypt certificate to secure Remote Desktop Services on Windows Server. If the RDSH role is also installed on the Remote Desktop Gateway server, you must deny non-admin users access to the directory where the WACS files are stored (c:\inetpub\letsencrypt in my example) and to the directory where the certificates and keys are kept (C:\ProgramData\win-acme).

Then run wacs.exe on the RD Gateway server as described above. Select the desired IIS site (usually the Default Web Site). Let’s Encrypt issues a new certificate and WACS binds it to the IIS site; the automatic certificate renewal task appears in the Task Scheduler.

You can export this certificate manually and bind it to the desired RDS services that use SSL. However, you would have to repeat these steps by hand every 60 days, each time the Let’s Encrypt certificate is renewed.

Instead, a PowerShell script can bind the SSL certificate to the RDS Gateway automatically after the Let’s Encrypt certificate is renewed.

The win-acme project ships a ready-to-use PowerShell script, ImportRDGateway.ps1 (https://github.com/PKISharp/win-acme/tree/master/dist/Scripts), which installs the selected SSL certificate for Remote Desktop Services. The main drawback of this script is that you have to pass the thumbprint of the new certificate to it manually.


Use the custom ImportRDGateway_Cert_From_IIS.ps1 script (based on ImportRDGateway.ps1) to obtain the certificate thumbprint automatically from the specified IIS site.

You can run this script manually:

powershell -File ImportRDGateway_Cert_From_IIS.ps1

If your RDS Gateway runs on the default IIS website (index 0), you can use the script without changes. To find the Site ID in IIS, open a PowerShell console and run:

Import-Module WebAdministration
Get-ChildItem IIS:\Sites | ft -AutoSize

The ID column shows the ID of your site; subtract one from it. The resulting index must be entered on line 27 of the PowerShell script instead of 0:

$NewCertThumbprint = (Get-ChildItem IIS:\SSLBindings)[0].Thumbprint

Now open the win-acme-renew scheduled task and, on the Actions tab, add a new action that runs the ImportRDGateway_Cert_From_IIS.ps1 script after the SSL certificate has been renewed.

To avoid changing the PowerShell execution policy, you can run the script with the command:

PowerShell.exe -ExecutionPolicy Bypass -File c:\inetpub\letsencrypt\ImportRDGateway_Cert_From_IIS.ps1


Now the script that binds the SSL certificate to RDS runs immediately after the Let’s Encrypt certificate is renewed. The script restarts the RD Gateway service with the command:

Restart-Service TSGateway

When the TSGateway service is restarted, all current user sessions are disconnected. It is therefore advisable to change the frequency of the certificate renewal task to every 60 days.
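The steps above, carried out by one script, as an added example that is neither the win-acme project’s ImportRDGateway.ps1 nor the article’s ImportRDGateway_Cert_From_IIS.ps1: it reads the thumbprint from the https binding of a named IIS site (rather than from a fixed index in IIS:\SSLBindings, which shifts when sites are added or removed), checks that the certificate is valid and has a private key, copies it into the LocalMachine\My store, and only then sets it on the RD Gateway and restarts TSGateway, skipping the restart entirely when the gateway already uses that thumbprint. It assumes the WebAdministration and RemoteDesktopServices modules (present when IIS and the RD Gateway role are installed) and that the RD Gateway reads its certificate from the LocalMachine\My store; the site name is a placeholder parameter.

```powershell
# Added example: bind the certificate IIS currently serves for a site to the
# RD Gateway, restarting TSGateway only when the thumbprint actually changed.
# Assumes the WebAdministration and RemoteDesktopServices modules.
param(
    [string]$SiteName = 'Default Web Site'   # placeholder, replace with your site
)
Import-Module WebAdministration
Import-Module RemoteDesktopServices

# Look the site up by name; the numeric index in IIS:\SSLBindings is not stable.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No https binding on site '$SiteName'" }
$newThumb = $binding.certificateHash
$storeName = $binding.certificateStoreName     # 'WebHosting' when installed by WACS

# Sanity-check the certificate before handing it to the gateway
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$storeName\$newThumb"
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $newThumb has already expired" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $newThumb has no private key in store $storeName" }

# Assumption: RD Gateway expects the certificate in LocalMachine\My. Copy it
# there if IIS holds it elsewhere; the private key stays in the same machine
# key container, so the copy remains usable for TLS.
if ($storeName -ne 'My') {
    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $my.Open('ReadWrite')
    $my.Add($cert)
    $my.Close()
}

# Current gateway certificate, exposed through the RDS: provider drive
$currentThumb = (Get-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
if ($currentThumb -eq $newThumb) {
    Write-Output "RD Gateway already uses $newThumb; nothing to do"
    return
}

Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $newThumb

# Restarting TSGateway disconnects every active gateway session, so it is
# done only on a real change (checked above) and logged for the operator.
Restart-Service TSGateway
Write-Output "RD Gateway certificate changed from $currentThumb to $newThumb; TSGateway restarted"
```

Because the script exits early when the thumbprint is unchanged, it is safe to attach to the daily win-acme-renew task: sessions are dropped only on the day a new certificate is actually issued, not on every run.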
