
ACME Client on Windows

September 10, 2025

Introduction

The ACME protocol is a network protocol designed to automate domain validation and the issuance and renewal of X.509 certificates. The process runs between an ACME server and an ACME client.

WinCertes is an ACMEv2 client designed for Windows. Based on the Certes library, WinCertes manages the automatic issuance and renewal of SSL certificates for IIS, as well as for other web servers able to run on Windows Server.

Overview

WinCertes is a simple and efficient CLI-based client made to run on any Windows Server higher than Windows Server 2008 R2 SP1 (64-bit) and running .NET 4.6.1 or higher.

The client fully supports ACMEv2, including its latest feature, support for wildcard certificates (*.example.com).

WinCertes eases certificate installation and renewal by automatically binding them to the appropriate web site on IIS and by creating a Scheduled Task that will check the expiration date of the certificates and trigger a renewal if necessary.

WinCertes can launch a PowerShell script upon the successful retrieval of a certificate. This feature enables advanced deployments, for instance on Exchange or across multiple servers.

The client supports two validation modes for validating the identity of the certificate requester:

  1. HTTP challenge validation

    • With the ability to support the running IIS web server or to use an embedded standalone web server for easier configuration.

  2. DNS challenge validation

    • Support for Windows DNS Server

    • Support for acme-dns

WinCertes was developed under the General Public License v3 (GPLv3).

Certificate Request

To request a certificate using WinCertes, the Windows command line (cmd.exe) must be run as Administrator.

Then WinCertes requires only a few parameters to request a certificate:

| Parameter | Description |
|-----------|-------------|
| -d [VALUE] | The domain(s) to enroll. |
| -w | Toggles the local web server use and sets its ROOT directory (default c:\inetpub\wwwroot). Activates HTTP validation mode. |
| -b [VALUE] | The name of the IIS web site to bind the certificate to. |
| -p | Used to make WinCertes create a Scheduled Task to handle certificate renewal. |

For instance:

WinCertes.exe -d test1.example.com -d test2.example.com -w -b "Default Web Site" -p

There are many more options to customize the requests to specific needs.

For more information, visit the official web page of WinCertes.
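After a run with -b and -p, it is worth confirming that the IIS binding really carries the new certificate and that a renewal task exists. The following PowerShell check is an added example, not part of WinCertes or of the original article; it assumes the WebAdministration and ScheduledTasks modules are available, uses a 30-day warning threshold chosen for illustration, and finds the renewal task by looking for WinCertes in the task action, since the task name is not given on this page.

```powershell
# Added example: post-run check for "WinCertes.exe ... -b <site> -p".
# Run from an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

$SiteName = 'Default Web Site'  # site given to -b in the example command
$WarnDays = 30                  # assumed alert threshold, not a WinCertes setting

function Get-SiteCertificateStatus {
    param([string]$Site, [int]$ThresholdDays)
    foreach ($b in Get-WebBinding -Name $Site -Protocol https) {
        # Same property set for every row so the output stays tabular.
        $row = [ordered]@{ Binding = $b.bindingInformation; Subject = $null; Issuer = $null
                           Names = $null; NotAfter = $null; DaysLeft = $null
                           Status = 'NO_CERT_ON_BINDING' }
        if ($b.certificateHash) {
            $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
            $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
            if (-not $cert) {
                $row.Status = 'CERT_NOT_IN_STORE'   # binding points at a missing certificate
            } else {
                $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                $row.Subject  = $cert.Subject
                $row.Issuer   = $cert.Issuer        # shows which CA actually issued it
                $row.Names    = $cert.DnsNameList.Unicode -join ', '
                $row.NotAfter = $cert.NotAfter
                $row.DaysLeft = $days
                $row.Status   = if ($days -lt 0) { 'EXPIRED' } elseif ($days -lt $ThresholdDays) { 'RENEWAL_OVERDUE' } else { 'OK' }
            }
        }
        [pscustomobject]$row
    }
}

function Get-WinCertesRenewalTask {
    # Assumption: the renewal task is identified by its action, not by a known name.
    Get-ScheduledTask |
        Where-Object { $_.Actions.Execute -match 'WinCertes' -or $_.Actions.Arguments -match 'WinCertes' } |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{ TaskName = $_.TaskName; State = $_.State; RunAs = $_.Principal.UserId
                               LastRun = $info.LastRunTime; LastResult = $info.LastTaskResult
                               NextRun = $info.NextRunTime }
        }
}

Get-SiteCertificateStatus -Site $SiteName -ThresholdDays $WarnDays | Format-List
$tasks = @(Get-WinCertesRenewalTask)
if ($tasks.Count -eq 0) { Write-Warning 'No scheduled task invoking WinCertes found; renewal is not automated.' }
$tasks | Format-Table -AutoSize
```

A status other than OK, a disabled task, or a non-zero LastResult means the renewal path needs attention before the certificate expires.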

Use case

By default, WinCertes will request a certificate using the Let's Encrypt CA, but there are several use cases where one would prefer to request a certificate from another CA.

The following example is a more customized request where the request is made to an internal CA through a third-party ACME proxy.
