Set up automatic TLS certificates for your Windows Server using Infisical and win-acme. Win-acme offers excellent integration with IIS and the Windows Certificate Store.
This guide assumes you have an Application with ACME enrollment configured.
Prerequisites
- A Windows Server instance with administrative access
- An Application in Infisical with ACME enrollment configured
- Network connectivity from your Windows Server to Infisical
Guide
Get ACME Credentials from Infisical
In your Application, go to the Settings tab and find the Certificate Profiles section. Click Configure on the profile with ACME enrollment, then click Reveal ACME EAB to view the credentials:
| Credential | Purpose |
|---|---|
| ACME Directory URL | The URL win-acme uses to communicate with Infisical |
| EAB Key Identifier (KID) | Identifies your ACME account |
| EAB Secret | Authenticates your ACME client |
Keep your EAB credentials secure. They authenticate your ACME client with Infisical and are unique to each enrollment.
Install win-acme
Install win-acme on your Windows Server using one of the following methods: download a release from GitHub, or install it as a .NET global tool.
- Download from GitHub:
  - Visit the win-acme releases page.
  - Download the latest stable release ZIP file.
  - Extract the contents to a folder (e.g., C:\win-acme).
  - Open Command Prompt or PowerShell as Administrator.
  - Navigate to the win-acme folder.
- .NET Tool (Global Install)
Request Certificate Using Command Line
Run win-acme with the parameters below to request a certificate from Infisical. Guidance on each parameter:
- --target manual: Specifies manual target configuration for domain specification.
- --host: The domain name for which the certificate is being requested.
- --baseuri: The Infisical ACME directory URL from Step 1. This instructs win-acme to communicate with Infisical's ACME server instead of other ACME providers.
- --eab-key-identifier: Your External Account Binding (EAB) Key Identifier from Step 1.
- --eab-key: The EAB secret associated with the KID from Step 1.
- --validation selfhosting: Uses the self-hosting validation method to solve the HTTP-01 challenge.
- --store pemfiles: Stores certificates as PEM files in a specified directory.
- --pemfilespath: Directory where certificates will be saved on your Windows Server.
- --verbose: Enables detailed logging for troubleshooting and monitoring the certificate request process.
Replace the placeholder values with your actual configuration:
- example.infisical.com: Your actual domain name
- https://your-infisical-instance.com/api/v1/cert-manager/acme/applications/{application-id}/profiles/{profile-id}/directory: Your Infisical ACME endpoint from Step 1
- your-eab-key-identifier and your-eab-secret: Your External Account Binding credentials from Step 1
- C:\certificates: Your desired certificate storage location
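The request assembled from the parameters documented above, as an added PowerShell example (not the page's own command block and not win-acme project code). It assumes win-acme is extracted to C:\win-acme, that the EAB secret is supplied through an environment variable named INFISICAL_EAB_SECRET rather than typed on the command line, and that the key file follows the <host>-key.pem naming shown in the verification section.

```powershell
# Added example (not from the Infisical docs or the win-acme project): requests a certificate
# from Infisical with the parameters documented above. Assumes win-acme is extracted to
# C:\win-acme and that the EAB secret is in the INFISICAL_EAB_SECRET environment variable
# (assumed name) so it never lands in shell history or a saved script.
$WacsPath  = 'C:\win-acme\wacs.exe'                      # assumption: extraction folder
$Hostname  = 'example.infisical.com'                     # placeholder domain from the guide
$BaseUri   = 'https://your-infisical-instance.com/api/v1/cert-manager/acme/applications/{application-id}/profiles/{profile-id}/directory'
$EabKid    = 'your-eab-key-identifier'                   # placeholder from the guide
$EabSecret = $env:INFISICAL_EAB_SECRET                   # never hard-code the secret
$PemPath   = 'C:\certificates'

if ([string]::IsNullOrEmpty($EabSecret)) { throw 'INFISICAL_EAB_SECRET is not set' }
if (-not (Test-Path $PemPath)) { New-Item -ItemType Directory -Path $PemPath | Out-Null }

# Arguments exactly as documented on this page; --setuptaskscheduler (from the renewal
# section) is included so the renewal task is created during the initial request.
$wacsArgs = @(
    '--target', 'manual',
    '--host', $Hostname,
    '--baseuri', $BaseUri,
    '--eab-key-identifier', $EabKid,
    '--eab-key', $EabSecret,
    '--validation', 'selfhosting',
    '--store', 'pemfiles',
    '--pemfilespath', $PemPath,
    '--setuptaskscheduler',
    '--verbose'
)

& $WacsPath @wacsArgs
if ($LASTEXITCODE -ne 0) { throw "win-acme exited with code $LASTEXITCODE; see the verbose output above" }

# Restrict the private key file to Administrators and SYSTEM. Assumes win-acme wrote it as
# <host>-key.pem, the naming shown in the verification section of this guide.
$KeyFile = Join-Path $PemPath "$Hostname-key.pem"
if (Test-Path $KeyFile) {
    $acl = Get-Acl $KeyFile
    $acl.SetAccessRuleProtection($true, $false)          # drop inherited ACEs
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $KeyFile -AclObject $acl
}
```

On a first unattended run win-acme may also require the ACME terms of service to be accepted; its --accepttos flag (a real win-acme option not covered on this page) handles that.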
Alternative Storage Options
Win-acme supports various certificate storage options beyond PEM files. Common alternatives for different deployment scenarios:
- Windows Certificate Store: Store certificates directly in the Windows Certificate Store for integration with IIS and other Windows services.
- PFX Files
- IIS Central SSL
Configure Automatic Renewal
Win-acme can automatically create a Windows Scheduled Task for certificate renewal. Because win-acme stores the ACME server URL and EAB credentials from your initial request, renewal automatically uses the same Infisical ACME configuration; no additional settings are required.
Option 1: Enable during initial certificate request
Include the --setuptaskscheduler parameter in your initial command to automatically create the renewal task.
Option 2: Test manual renewal
You can test the renewal process manually before setting up automation to ensure the configuration works correctly. The manual renewal command simulates the full renewal process and verifies that win-acme can successfully contact Infisical and renew your certificate using the stored configuration.
Option 3: Verify scheduled task creation
Check that the scheduled task was created successfully. The automatic renewal task will:
- Run under the SYSTEM account for elevated privileges.
- Check certificates daily for renewal eligibility.
- Automatically renew certificates that are within the renewal threshold (typically 30 days before expiration).
- Log renewal activities to Windows Event Viewer and win-acme log files for monitoring and troubleshooting.
Win-acme stores renewal configurations automatically in its settings directory, so once a certificate is created, the renewal process will use the same parameters (ACME endpoint, EAB credentials, storage options) for future renewals. The renewal threshold can be adjusted in the win-acme configuration files if needed.
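Options 2 and 3 above, as an added PowerShell example (not the page's own commands and not win-acme project code): it forces a renewal run and then confirms the scheduled task exists, is enabled, and runs as SYSTEM. It assumes win-acme lives in C:\win-acme and that the task name starts with "win-acme" (win-acme's default naming).

```powershell
# Added example (not from the Infisical docs or win-acme): forced renewal test plus
# scheduled-task verification. Assumes C:\win-acme and a task named "win-acme...".
$WacsPath = 'C:\win-acme\wacs.exe'

# --renew processes every stored renewal; --force ignores the renewal threshold so the run
# actually contacts Infisical with the stored EAB credentials instead of reporting "not due".
& $WacsPath --renew --force
if ($LASTEXITCODE -ne 0) { throw "Renewal test failed with exit code $LASTEXITCODE" }

$task = Get-ScheduledTask -TaskName 'win-acme*' -ErrorAction SilentlyContinue
if (-not $task) { throw 'No win-acme scheduled task found; re-run the request with --setuptaskscheduler' }

$task | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName    = $_.TaskName
        State       = $_.State                     # expect Ready, not Disabled
        RunAs       = $_.Principal.UserId          # expect SYSTEM, as this guide states
        LastRunTime = $info.LastRunTime
        LastResult  = $info.LastTaskResult         # 0 means the last run succeeded
        NextRunTime = $info.NextRunTime            # should be within the next day
    }
} | Format-List
```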
Verify Certificate Installation
After successful certificate issuance, verify that the certificate files have been created correctly based on your chosen storage method.
- PEM Files: Check your specified PEM files directory to ensure all certificate components are present. You should see files like:
  - example.infisical.com-crt.pem (certificate)
  - example.infisical.com-key.pem (private key)
  - example.infisical.com-chain.pem (complete certificate chain)
  - example.infisical.com-chain-only.pem (only certificate chain)
- Windows Certificate Store
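A check for the PEM files listed above, as an added PowerShell example (not the page's own verification command and not win-acme project code): it confirms all four files exist, that the certificate's Subject Alternative Names cover the requested host, how many days remain before expiry relative to the 30-day renewal threshold, and that the chain file carries more than the leaf. It assumes the guide's placeholder paths.

```powershell
# Added example (not from the Infisical docs or win-acme): verifies the PEM output.
# Assumes the guide's placeholders C:\certificates and example.infisical.com.
$PemPath  = 'C:\certificates'
$Hostname = 'example.infisical.com'
$RenewalThresholdDays = 30          # renewal threshold described in the renewal section

# File names follow the <host>-<suffix>.pem pattern shown above
$files = @{}
foreach ($suffix in 'crt', 'key', 'chain', 'chain-only') {
    $files[$suffix] = Join-Path $PemPath "$Hostname-$suffix.pem"
}
$missing = $files.Values | Where-Object { -not (Test-Path $_) }
if ($missing) { throw "Missing certificate files: $($missing -join ', ')" }

# X509Certificate2 loads a base64 PEM certificate file directly (public part only)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $files['crt']

# The Subject Alternative Name extension (OID 2.5.29.17) must name the requested host
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans   = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sans -notmatch [regex]::Escape($Hostname)) { throw "SAN list does not include ${Hostname}: $sans" }

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    DaysLeft      = $daysLeft
    DueForRenewal = ($daysLeft -le $RenewalThresholdDays)
} | Format-List

# The full chain file should carry the leaf plus at least one issuer certificate
$chainCount = @(Select-String -Path $files['chain'] -Pattern '-----BEGIN CERTIFICATE-----').Count
if ($chainCount -lt 2) { Write-Warning "Chain file contains only $chainCount certificate block(s)" }
```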
What’s Next?
- Nginx with Certbot: Set up ACME for Linux web servers.
- Certificate Syncs: Push certificates to cloud destinations.
- Alerting: Get notified when certificates are about to expire.
- ACME Enrollment: Learn more about ACME enrollment configuration.