Using the connector

You can enroll and install a certificate on the IIS web server. The win-acme client automatically modifies your web server’s configuration to install a certificate and enable SSL.

Enroll a certificate

  1. Make sure IIS is running and listening on port 80.

  2. Open the IIS Administrator Console and select Browse to open the default webpage.

  3. Check the IIS bindings to ensure that no binding on port 443 is enabled already.

  4. Run the Command Prompt as administrator.

  5. Navigate to the directory that contains the win-acme client.

  6. Execute the following command to auto-enroll certificates on IIS.

    wacs.exe --baseuri https://acme.demo.sectigo.com --verbose --accepttos --emailaddress [email protected] --eab-key-identifier 646ed8e2112150afa64aea43be2c901e --eab-key YLVw7sj5cj5EurPd_DgoqkKOrjJJWUu7b9Xp6i_jKlTyc-PSpRn0woCVra-LrRUfiEAoV3rKFS4wZfqXh5nbaA

    Select all the default options to auto-enroll certificates on IIS.

    The following table describes the basic command-line options for the client. A complete list of win-acme options can be found in the documentation.

    Option                  Description
    --baseuri               The ACME server URL for DV/EV/OV SSL certificates. The default endpoint can be modified in the settings.json file.
    --verbose               Prints additional log messages to the console for troubleshooting and bug reports.
    --accepttos             Indicates that you agree to the Sectigo ACME terms of service.
    --emailaddress          The email address that ACME uses for renewal failure notices.
    --eab-key-identifier    The key ID for external account binding.
    --eab-key               The HMAC key for external account binding.

Enable auto-renewal

The win-acme client automatically adds a renewal script to the Task Scheduler on Windows during the certificate enrollment. It will invoke the client on a schedule to check the certificate expiry status and renew the certificate automatically during the renewal period.

The win-acme task is scheduled to run every day at 9:00 AM by default. For more information on certificate management and custom configuration, see Automatic renewal.

Verify the enrollment of certificates on the IIS server

  1. Navigate to IIS Console > Default Website > Bindings to confirm the HTTPS site binding was added automatically to secure connections.

  2. Open a browser and enter your website address.

    Verify that the webpage opens with a lock icon in the address bar which confirms that SSL is enabled for this website.

  3. Click View Certificates to view the certificate chain.

  4. The website is protected with the SSL/TLS certificate issued by the Sectigo ACME service.

  5. The certificates are stored at the following location.

    C:\ProgramData\win-acme\acme.demo.sectigo.com
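
The verification steps above can also be scripted. The following PowerShell is an added example, not part of the original page or of win-acme. It checks the HTTPS binding, the certificate actually served on port 443, its remaining lifetime, and the renewal task. The site name, host name, threshold and task-name prefix are assumptions to adjust.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell.
# Assumed values: site name, host name, threshold, task-name prefix.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'   # assumed IIS site name
$HostName   = 'www.example.com'    # placeholder for your site's DNS name
$MinDays    = 14                   # assumed warning threshold in days
$TaskPrefix = 'win-acme*'          # assumed prefix of the renewal task name

# 1. HTTPS binding that the enrollment should have added to the site.
$binding = @(Get-WebBinding -Name $SiteName -Protocol 'https')
if ($binding.Count -eq 0) { throw "No https binding found on '$SiteName'." }

# 2. Certificate the server actually presents on port 443.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    # Default validation: throws if the chain is untrusted or the name mismatches.
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

# 3. Served certificate must be the one referenced by the IIS binding.
$bound = $binding.certificateHash -contains $cert.Thumbprint

# 4. Remaining lifetime, so a stalled renewal is noticed before expiry.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days

# 5. Renewal task registered in Task Scheduler and its last result.
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskPrefix } | Select-Object -First 1
$info = if ($task) { $task | Get-ScheduledTaskInfo }

[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    NotAfter       = $cert.NotAfter
    DaysLeft       = $daysLeft
    MatchesBinding = $bound
    RenewalTask    = $task.TaskName
    LastTaskResult = $info.LastTaskResult
    NextRunTime    = $info.NextRunTime
}

if (-not $bound)            { Write-Warning 'Served certificate differs from the IIS binding.' }
if ($daysLeft -lt $MinDays) { Write-Warning "Certificate expires in $daysLeft days." }
if (-not $task)             { Write-Warning 'No renewal task found in Task Scheduler.' }
```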