Win-ACME (formerly known as WACS) is a free, open-source tool for Windows that automatically gets and renews SSL certificates for your websites and servers. Instead of manually buying and installing certificates every year, Win-ACME handles the whole process for you — including creating the necessary DNS records, downloading the certificate, and even installing it into IIS (Windows web server).
Think of it like a personal assistant for your SSL certificates — it requests them, proves you own the domain, and keeps them fresh automatically.
Before installing Win-ACME, make sure you have all of the following ready. Think of this as your checklist before you start cooking — gather all your ingredients first!
Your computer or server must be running one of the following:
.NET Framework is a software platform made by Microsoft that Win-ACME needs to run. Think of it like a required app on your phone before another app can work.
Good news: If you are using Windows 10 version 1803 or newer, .NET Framework is already included. If you are on an older system, you may need to install it.
To check if you already have it, open PowerShell as Administrator and run this command:
# Release 461808 or higher means .NET Framework 4.7.2 or newer is installed
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release -ge 461808
# If this shows: True --> You are good to go!
# If this shows: False --> You need to install .NET Framework 4.8
If the result says False, install .NET Framework 4.8 using this command (it will open the download page in your browser):
Start-Process "https://go.microsoft.com/fwlink/?LinkId=2085155"
# Download and run the installer, then restart your computer
You must be logged in as an Administrator (or run PowerShell as Administrator). This is required to install software and create system-level scheduled tasks.
Win-ACME proves you own your domain by automatically creating a special DNS record. To do this, it needs permission to make changes to your DNS settings. For Cloudflare users, this is done through an API Token.
Don't worry — you don't need to create this now. We'll walk you through it step by step in a later section.
EAB stands for External Account Binding. These are two special codes (a Key Identifier and a Key) that link your Win-ACME installation to your organisation's ACME certificate server. You get these from your IT administrator or the team that manages your ACME server.
Now that everything is in place, let's install Win-ACME. You have two options — manual (do it yourself) or automated (let PowerShell do it).
First, create a folder where Win-ACME will live on your computer. Open PowerShell as Administrator and run:
New-Item -ItemType Directory -Path "C:\Tools\win-acme" -Force
# This creates the folder C:\Tools\win-acme
If you prefer, PowerShell can download and extract Win-ACME for you in one go. Run this in your Administrator PowerShell window:
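$installPath = "C:\Tools\win-acme"
New-Item -ItemType Directory -Path $installPath -Force
# Older Windows PowerShell builds do not negotiate TLS 1.2 by default, which GitHub requires
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Find and download the latest version automatically
$latestRelease = Invoke-RestMethod -Uri "https://api.github.com/repos/win-acme/win-acme/releases/latest"
# A release carries one pluggable ZIP per CPU architecture, so select exactly one (64-bit Windows assumed here)
$downloadUrl = $latestRelease.assets | Where-Object { $_.name -like "*x64.pluggable.zip" } | Select-Object -First 1 -ExpandProperty browser_download_url
if (-not $downloadUrl) { throw "No x64 pluggable ZIP found in the latest release" }
Write-Host "Downloading Win-ACME from: $downloadUrl"
$zipPath = "$env:TEMP\win-acme.zip"
Invoke-WebRequest -Uri $downloadUrl -OutFile $zipPath
# Extract the ZIP file
Expand-Archive -Path $zipPath -DestinationPath $installPath -Force
Remove-Item $zipPath
Write-Host "Win-ACME installed at: $installPath"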
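The automated download above extracts whatever the "latest" release returns, in an Administrator session. A stricter variant pins one reviewed release and refuses to extract unless the ZIP matches a known SHA-256. This is an added example, not code from the original guide or the Win-ACME project; `Install-VerifiedZip` is a hypothetical helper, and the URL and hash in the usage comment are placeholders to be filled in from the release you have reviewed.

```powershell
# Added example (not from the original guide). Install-VerifiedZip is a hypothetical
# helper; the URL and hash passed to it are placeholders, not real release values.
function Install-VerifiedZip {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{64}$')][string]$ExpectedSha256,
        [Parameter(Mandatory)][string]$Destination
    )
    if (([uri]$Url).Scheme -ne 'https') { throw "Refusing non-HTTPS download: $Url" }

    # Random file name so a stale or planted file in TEMP is never reused.
    $zipPath = Join-Path $env:TEMP ("download-{0}.zip" -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $Url -OutFile $zipPath -UseBasicParsing

        # Hash the file on disk, i.e. exactly the bytes that would be extracted.
        $actual = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {   # string comparison is case-insensitive
            throw "SHA-256 mismatch. Expected $ExpectedSha256, got $actual. Nothing was extracted."
        }

        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Expand-Archive -Path $zipPath -DestinationPath $Destination -Force
        Write-Host "Verified and extracted to $Destination"
    }
    finally {
        # Remove the archive whether verification passed or failed.
        if (Test-Path $zipPath) { Remove-Item $zipPath -Force }
    }
}

# Usage: pin one reviewed release instead of "latest". Both values are placeholders.
# Install-VerifiedZip `
#     -Url 'https://github.com/win-acme/win-acme/releases/download/<TAG>/<ASSET>.x64.pluggable.zip' `
#     -ExpectedSha256 '<64-hex-character SHA-256 of the reviewed ZIP>' `
#     -Destination 'C:\Tools\win-acme'
```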
Let's make sure Win-ACME installed correctly. Run these commands:
cd C:\Tools\win-acme
.\wacs.exe --version
If everything worked, you should see something like:
Win-ACME version 2.x.x.x (RELEASE)
Now we need to tell Win-ACME how to connect to your ACME certificate server and your DNS provider. We'll store this information in a configuration file that only administrators can read, so it can be used automatically.
This folder will hold your settings securely. Run this command:
New-Item -ItemType Directory -Path "C:\ProgramData\win-acme-config" -Force
Next, we create a text file that stores all the important settings in one place. This includes your ACME server address, your login credentials (EAB keys), your email address, your Cloudflare API token, and where to save your certificates.
Copy and paste this command into PowerShell. Replace each XXXX... placeholder with your actual values:
@"
# ACME Server Configuration
ACME_SERVER=https://acme.example.com/acme/directory
EAB_KEY_IDENTIFIER=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EAB_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EMAIL=admin@example.com
# Cloudflare API Token (or other DNS provider)
CF_API_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Certificate Storage
CERT_PATH=C:\ssl-certs
"@ | Out-File -FilePath "C:\ProgramData\win-acme-config\acme-credentials.txt" -Encoding UTF8
Since this file contains sensitive information (like API tokens and keys), we need to make sure only administrators can read it. Run this to lock down the permissions:
$acl = Get-Acl "C:\ProgramData\win-acme-config"
$acl.SetAccessRuleProtection($true, $false)
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "BUILTIN\Administrators", "FullControl",
    "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($adminRule)
Set-Acl "C:\ProgramData\win-acme-config" $acl
Write-Host "Permissions secured!"
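To confirm that the lock-down took effect on both the folder and the credentials file inside it, the access rules can be read back and compared against the one identity that is supposed to be there. This is an added example, not part of the original guide; `Get-UnexpectedAccess` is a hypothetical helper, and the paths are the ones this guide creates.

```powershell
# Added example (not from the original guide). Get-UnexpectedAccess is a hypothetical
# helper; the two paths are the ones this guide creates.
function Get-UnexpectedAccess {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Well-known SID of BUILTIN\Administrators; SIDs also work on localized Windows.
        [string[]]$AllowedSid = @('S-1-5-32-544')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($item in $Path) {
        $acl = Get-Acl -LiteralPath $item
        $isFolder = (Get-Item -LiteralPath $item).PSIsContainer

        # The folder must have inheritance disabled, otherwise the entries that
        # C:\ProgramData hands down to ordinary users still apply.
        if ($isFolder -and -not $acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $item; Sid = '-'; Rights = '-'; Problem = 'Inheritance still enabled' }
        }

        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $AllowedSid -notcontains $sid) {
                [pscustomobject]@{ Path = $item; Sid = $sid; Rights = $rule.FileSystemRights; Problem = 'Unexpected Allow entry' }
            }
        }
    }
}

$findings = @(Get-UnexpectedAccess -Path @(
    'C:\ProgramData\win-acme-config',
    'C:\ProgramData\win-acme-config\acme-credentials.txt'))
if ($findings.Count -eq 0) { Write-Host 'Only Administrators can access the credentials.' } else { $findings | Format-Table -AutoSize }
```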
When you need to use Win-ACME, run this command first to load your settings into the current session. Think of this like logging in — it makes your credentials available for use:
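# Read the file as one string and double the backslashes first: ConvertFrom-StringData
# treats "\" as an escape character and would reject the Windows path in CERT_PATH
$config = (Get-Content -Raw "C:\ProgramData\win-acme-config\acme-credentials.txt") -replace '\\', '\\' | ConvertFrom-StringData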
$env:ACME_SERVER = $config.ACME_SERVER
$env:EAB_KEY_IDENTIFIER = $config.EAB_KEY_IDENTIFIER
$env:EAB_KEY = $config.EAB_KEY
$env:EMAIL = $config.EMAIL
$env:CF_API_TOKEN = $config.CF_API_TOKEN
$env:CERT_PATH = $config.CERT_PATH
Write-Host "Credentials loaded successfully!"
This is where Win-ACME will save the SSL certificates it downloads. Think of it as a secure filing cabinet for your certificates.
New-Item -ItemType Directory -Path "C:\ssl-certs" -Force
If you are using IIS (Internet Information Services — Windows' built-in web server), it needs permission to read the certificates from this folder. Run this to grant access:
$acl = Get-Acl "C:\ssl-certs"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "BUILTIN\IIS_IUSRS", "ReadAndExecute",
    "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl "C:\ssl-certs" $acl
Write-Host "IIS permissions configured!"
Win-ACME needs to temporarily create a DNS record to prove to the certificate authority that you own your domain. This is done automatically — but it needs your API credentials to make changes to your DNS settings.
If your domain's DNS is managed through Cloudflare, follow these steps to create an API Token:
Before proceeding, let's confirm your API token works correctly:
$token = "YOUR_CLOUDFLARE_TOKEN_HERE"
$headers = @{ "Authorization" = "Bearer $token" }
$response = Invoke-RestMethod -Uri "https://api.cloudflare.com/client/v4/user/tokens/verify" -Headers $headers
$response.result.status
# Should show: active
Win-ACME supports over 20 DNS providers. Here is a quick overview of what each requires:
| Provider | What You Need | Plugin Flag |
|---|---|---|
| Cloudflare | API Token | --validation cloudflare |
| Azure DNS | Subscription ID, Tenant ID, Client ID, Client Secret | --validation azure |
| GoDaddy | API Key and API Secret | --validation godaddy |
| AWS Route53 | IAM Role ARN or Access Key / Secret Key | --validation route53 |
| Manual (No API) | None required — you create records by hand | --validationmode dns-01 --validation manual |
For a full list of supported DNS providers, visit: https://www.win-acme.com/reference/plugins/validation/
Before you start issuing certificates, let's run a few quick checks to make sure everything is set up correctly. This is like a final pre-flight checklist before takeoff.
cd C:\Tools\win-acme
.\wacs.exe --version
# Expected result: Win-ACME version 2.x.x.x (RELEASE)
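Run this to confirm that your settings are correctly saved in the credentials file:
# Backslashes are doubled because ConvertFrom-StringData treats "\" as an escape character
$config = (Get-Content -Raw "C:\ProgramData\win-acme-config\acme-credentials.txt") -replace '\\', '\\' | ConvertFrom-StringData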
Write-Host "ACME Server : $($config.ACME_SERVER)"
Write-Host "Email : $($config.EMAIL)"
Write-Host "Cert Path : $($config.CERT_PATH)"
You should see your ACME server URL, email address, and certificate path printed on screen.
Verify that your Cloudflare API token can connect successfully:
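# Backslashes are doubled because ConvertFrom-StringData treats "\" as an escape character
$config = (Get-Content -Raw "C:\ProgramData\win-acme-config\acme-credentials.txt") -replace '\\', '\\' | ConvertFrom-StringData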
$headers = @{ "Authorization" = "Bearer $($config.CF_API_TOKEN)" }
Invoke-RestMethod -Uri "https://api.cloudflare.com/client/v4/user/tokens/verify" -Headers $headers
# Status should show: active
Finally, make sure your server can reach the ACME certificate server:
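# Backslashes are doubled because ConvertFrom-StringData treats "\" as an escape character
$config = (Get-Content -Raw "C:\ProgramData\win-acme-config\acme-credentials.txt") -replace '\\', '\\' | ConvertFrom-StringData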
Invoke-RestMethod -Uri $config.ACME_SERVER
# Should return a JSON response with newAccount, newOrder, etc.
A successful response looks like this:
{
  "keyChange": "https://acme.example.com/acme/key-change",
  "newAccount": "https://acme.example.com/acme/new-account",
  "newNonce": "https://acme.example.com/acme/new-nonce",
  "newOrder": "https://acme.example.com/acme/new-order",
  "revokeCert": "https://acme.example.com/acme/revoke-cert",
  "meta": { "externalAccountRequired": true }
}
Use this checklist to confirm every step has been completed:
| Done? | Task |
|---|---|
| ☐ | Windows Server 2012 R2+ or Windows 8.1+ is installed |
| ☐ | .NET Framework 4.7.2 or higher is installed and verified |
| ☐ | PowerShell is running with Administrator privileges |
| ☐ | Win-ACME downloaded and extracted to C:\Tools\win-acme |
| ☐ | Win-ACME version confirmed with .\wacs.exe --version |
| ☐ | Configuration folder created at C:\ProgramData\win-acme-config |
| ☐ | Credentials file created with ACME server details |
| ☐ | EAB Key Identifier and EAB Key received from ACME server admin |
| ☐ | DNS provider API token/credentials obtained and added to credentials file |
| ☐ | Credentials file permissions secured (Administrators only) |
| ☐ | Certificate storage folder created at C:\ssl-certs |
| ☐ | IIS permissions configured for certificate storage (if using IIS) |
| ☐ | Credentials loaded and printed successfully to PowerShell |
| ☐ | DNS provider API access verified (status: active) |
| ☐ | ACME server connectivity verified (JSON response received) |
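The ACME server connectivity check in the verification steps only confirms that some JSON came back. The added example below, which is not part of the original guide, inspects the directory itself: that every resource shown in the sample response is present and served over HTTPS, and that the server announces `externalAccountRequired`, which is what makes the EAB keys relevant. `Test-AcmeDirectory` is a hypothetical helper, and the sample directory is constructed from the response shown in this guide with one endpoint deliberately changed to `http`.

```powershell
# Added example (not from the original guide). Test-AcmeDirectory is a hypothetical helper.
function Test-AcmeDirectory {
    param(
        [Parameter(Mandatory)]$Directory,
        [Parameter(Mandatory)][uri]$DirectoryUrl
    )
    $problems = @()
    if ($DirectoryUrl.Scheme -ne 'https') { $problems += "Directory URL is not HTTPS: $DirectoryUrl" }

    # Resources listed in the successful response shown in this guide.
    foreach ($field in 'newNonce', 'newAccount', 'newOrder', 'revokeCert', 'keyChange') {
        $value = $Directory.$field
        if (-not $value) { $problems += "Missing field: $field"; continue }
        if (([uri]$value).Scheme -ne 'https') { $problems += "$field is not HTTPS: $value" }
    }

    # The EAB keys in the credentials file only matter if the server asks for them.
    if ($Directory.meta.externalAccountRequired -ne $true) {
        $problems += 'externalAccountRequired is not announced; confirm this is the intended ACME server'
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample input so the check runs offline; newNonce is deliberately http.
$sample = @'
{ "keyChange":  "https://acme.example.com/acme/key-change",
  "newAccount": "https://acme.example.com/acme/new-account",
  "newNonce":   "http://acme.example.com/acme/new-nonce",
  "newOrder":   "https://acme.example.com/acme/new-order",
  "revokeCert": "https://acme.example.com/acme/revoke-cert",
  "meta": { "externalAccountRequired": true } }
'@ | ConvertFrom-Json

$result = Test-AcmeDirectory -Directory $sample -DirectoryUrl 'https://acme.example.com/acme/directory'
$result.Ok
$result.Problems
```

Against a live server, pass the output of `Invoke-RestMethod -Uri $config.ACME_SERVER` as `-Directory` and `$config.ACME_SERVER` as `-DirectoryUrl`.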
Something not working? Don't panic — here are the most common issues and exactly how to fix them.
Congratulations — Win-ACME is now fully installed and configured on your system! Here's a quick summary of what you've accomplished:
Your next step is to issue your first SSL certificate. This is covered in the Deployment Guide (DEPLOYMENT_GUIDE.md), which walks you through:
If you need help or run into an issue not covered in this guide, contact your ACME server administrator for support.