Win-acme is an ACMEv2 client for Windows operating systems. You can use win-acme to request certificates from Certificate Enrollment Gateway using the ACMEv2 protocol.

To request a certificate using Win-acme

  1. Import your root CA certificate into the Windows trust store.

  2. Open a Command Prompt. Select Start > Windows System > Command Prompt.
  3. Navigate to the location where Win-acme is installed.
  4. Enter the following command. Parameters in parentheses are required when creating an account with an External Account Binding credential, but must not be specified when External Account Binding is disabled in Certificate Enrollment Gateway. Parameters in square brackets are optional.

    wacs.exe --baseuri <CEG-ACME-URL> --accepttos --source manual --host <hosts> --force (--eab-key-identifier <key-ID> --eab-key <HMAC-key> [--eab-algorithm <algorithm>])

    Where:

    • <CEG-ACME-URL> is the ACMEv2 enrollment URL used to request a certificate from Certificate Enrollment Gateway. For details, see Enrollment URLs for Certificate Enrollment Gateway.
    • --accepttos will force Win-acme to automatically accept the ACMEv2 terms of service.
    • --source manual will use the manual plugin, allowing you to provide the host names for a certificate.
    • <hosts> is a comma-separated list of host names to include in the certificate. The first host name listed becomes the common name of the certificate. Subsequent host names are added to the certificate as subjectAltName extensions only.
    • --force will force a renewal if a valid certificate already exists.
    • <key-ID> is the Key ID of the External Account Binding credential.
    • <HMAC-key> is the HMAC key of the External Account Binding credential.
    • <algorithm> is the HMAC algorithm to use for External Account Binding. If not specified, it defaults to HS256. The algorithm must be permitted by the External Account Binding credential.
  5. Examples:
    wacs.exe --baseuri https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory --accepttos --source manual --host www.example.com,example.com --force
     
    wacs.exe --baseuri https://cegserver.example.com/acme/ceg/Agu-fwShl2jDXsMYe4Ti3w/0mj615kbbkkb/directory --accepttos --source manual --host www.example.com,example.com --force --eab-key-identifier Agu-fwShl2jDXsMYe4Ti3w --eab-key YWxCcVJKeG00cXZsc2x3OHZaNzNwRTdTX3hJeVh3dllTSXJxeFQ1Rngxcw
  6. Win-acme connects to Certificate Enrollment Gateway, and prompts you to select a task:

    A simple Windows ACMEv2 client (WACS)
    Software version 2.1.17.1065 (release, pluggable, standalone, 64-bit)
    Connecting to https://cegserver.example.com/acme/tenant1/example_ca1/privatessl_tls_client/directory...
    Scheduled task not configured yet
    Please report issues at https://github.com/win-acme/win-acme
     
    N: Create certificate (default settings)
    M: Create certificate (full options)
    R: Run renewals (0 currently due)
    A: Manage renewals (0 total)
    O: More options...
    Q: Quit
     
    Please choose from the menu
  7. Enter N to create a new certificate with the default settings.
  8. Win-acme prompts you to provide one or more email addresses to receive notifications about problems and abuse:

    Enter email(s) for notifications about problems and abuse (comma-separated):
  9. Enter an email address. Certificate Enrollment Gateway will not send email messages to this email address.
  10. Win-acme requests the certificate. If the certificate is successfully created, Win-acme installs the certificate and creates a scheduled task for renewing the certificate.
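The --eab-key-identifier, --eab-key and --eab-algorithm values from step 4 are used by an ACMEv2 client to build the externalAccountBinding JWS (RFC 8555 section 7.3.4) that it sends with its newAccount request; the gateway then recomputes the MAC to check that the new account key is bound to an issued credential. The following Python is an added example, not win-acme or Certificate Enrollment Gateway code. It reuses the key ID and HMAC key from the page's second example command, assumes the --eab-key value is the base64url-encoded MAC key, and assumes a newAccount URL name (the real one comes from the directory).

```python
import base64
import hashlib
import hmac
import json

# Values from the page's example command (the HMAC key is a sample, not a live credential)
EAB_KID = "Agu-fwShl2jDXsMYe4Ti3w"
EAB_HMAC_KEY = "YWxCcVJKeG00cXZsc2x3OHZaNzNwRTdTX3hJeVh3dllTSXJxeFQ1Rngxcw"
# Assumed newAccount endpoint; a client reads the real value from the directory resource
NEW_ACCOUNT_URL = "https://cegserver.example.com/acme/ceg/Agu-fwShl2jDXsMYe4Ti3w/0mj615kbbkkb/new-account"

# MAC algorithms an EAB credential may permit; HS256 is the page's default
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Unpadded base64url encoding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url with or without padding (the --eab-key value has none)."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(account_jwk: dict, kid: str, hmac_key_b64url: str, url: str, alg: str = "HS256") -> dict:
    """Client side: MAC the new account public key (JWK) with the EAB credential."""
    if alg not in HMAC_ALGS:
        raise ValueError(f"EAB algorithm {alg} is not an HMAC JWS algorithm")
    # Protected header carries alg, the credential's key ID and the newAccount URL; no nonce for EAB
    protected = b64url(json.dumps({"alg": alg, "kid": kid, "url": url}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(hmac_key_b64url), signing_input, HMAC_ALGS[alg]).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, hmac_key_b64url: str) -> bool:
    """Server side: recompute the MAC with the credential looked up by kid; reject non-HMAC algs."""
    header = json.loads(b64url_decode(eab["protected"]))
    digest = HMAC_ALGS.get(header.get("alg"))
    if digest is None:  # never let the client pick a non-MAC algorithm
        return False
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key_b64url), signing_input, digest).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def decode_eab(eab: dict) -> tuple:
    """Return (protected header, payload JWK) of an EAB JWS as dicts."""
    return json.loads(b64url_decode(eab["protected"])), json.loads(b64url_decode(eab["payload"]))
```

The header's kid is what lets the gateway find the credential, so a mismatch between --eab-key-identifier and --eab-key, or an algorithm the credential does not permit, fails at newAccount before any order is placed.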