Win-acme is an ACMEv2 client for Windows operating systems. You can use win-acme to request certificates from Certificate Enrollment Gateway using the ACMEv2 protocol.

To request a certificate using Win-acme

  1. Import your root CA certificate into the Windows trust store.

  2. Open a Command Prompt. Select Start > Windows System > Command Prompt.
  3. Navigate to the location where Win-acme is installed.

  4. Enter the following command:

    wacs.exe --baseuri <CEG-ACME-URL> --accepttos --target manual --host <hosts> --force

    Where:

    • <CEG-ACME-URL> is the ACMEv2 enrollment URL used to request a certificate from Certificate Enrollment Gateway. For details, see Enrollment URLs for Certificate Enrollment Gateway.
    • --accepttos will force Win-acme to automatically accept the ACMEv2 terms of service.
    • --source manual will use the manual plugin, allowing you to provide the host names for a certificate.
    • <hosts> is a comma-separate list of host names to include the in the certificate. The first host name listed will become the common name of the certificate. Subsequent host names will be added to the certificate as subjectAltName extensions only.
    • --force will force a renewal if a valid certificate already exists.

    For example:

    wacs.exe --baseuri https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory --accepttos --target manual --host www.example.com,example.com --force

  5. Win-acme connects to Certificate Enrollment Gateway, and prompts you to select a task:

    A simple Windows ACMEv2 client (WACS)
    Software version 2.1.17.1065 (release, pluggable, standalone, 64-bit)
    Connecting to https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/
    directory...
    Scheduled task not configured yet
    Please report issues at https://github.com/win-acme/win-acme
     
    N: Create certificate (default settings)
    M: Create certificate (full options)
    R: Run renewals (0 currently due)
    A: Manage renewals (0 total)
    O: More options...
    Q: Quit
     
    Please choose from the menu
  6. Enter N to create a new certificate with the default settings.

  7. Win-acme prompts you to provide one or email addresses to receive notifications about problems and abuse:

    Enter email(s) for notifications about problems and abuse (comma-separated):
  8. Enter an email address. Certificate Enrollment Gateway will not send email messages to this email address.
  9. Win-acme requests the certificate. If the certificate is successfully created, Win-acme installs the certificate and creates a scheduled task for renewing the certificate.