How Letsencrypt work for windows IIS?


My simple client now handles automatic renewals, so I’m calling this release 1.0.

Please check it out at


can you make this thing working without iis at all, like adding a small file (maybe simply seperated by | since that cannot be contained by files/folder names) to where the doamins and their webroots are listed like
then this thing wouldnt even need to run as admin and it would work for other servers as well.
in that mode it could put out a SAN for all and maybe making a line with a -|C:\xampp\htdocs|c:htdocs-secure

this would make 2 certs, one for example and secure and one for proteced
and if appending a second location (optional) itcould spit out the certs there, after validating that they work|c:\xampp\htdocs|c:\certs

for example.


Yes. I’m thinking of adding a command like that would go something like this:

letsencrypt -host c:\xampp\htdocs -host c:\htdocs-secure

Might even add a hook that will be called after renewal so you can re-apply them to wherever they’re used.


well I thought when I try to SAN 14 domains at once then a config file would be easier especially since it could also be made for multiple different certs depending on how it goes…


I got my letsencrypt beta access a few weeks ago, but was unable to use it until now because I was unable to determine how to get it to work in windows environments.
I just downloaded your client und set it up on my IIS and it works. Really great job!

I have 2 questions though:

Is it by design, that your webserver needs to be accessible via http from the internet to request / renew certificates or is it only required for the initial certificate request?

Is it possible to use this tool to request a SAN cert, for example if I’m using,,, (letsencrypt granted me access to request certs for given domains)?


Assuming you are referring to:

Yes you would have to have your web server accessible via HTTP for renews. (Last word from jsha was there was no validation period decided upon but should be expected to be about the same time as renewal).

SAN certificates are on the issue list and you can follow the progress here:


To add to what @molyfra said, there will most likely be a DNS-based challenge in the future, which should make it easier to get certificates for internal services.


@lonecoder - any plans to have a mode where I can specify the hosts? I use lighttpd on Windows, so I just need something to pull down the certs.


Hi Lonecoder,

It was indeed the part where my domain wasn’t whitelisted yet.



Just released a new version 1.4 over at

No SAN support yet, but the new build has a plugin system to make it easy to support additional server types.

Adding a new server type can be as easy as adding a subclass of the following to the project and implementing just two methods.

Also added a manual certificate mode that will get a cert and install it in the store and save it to disk for you. It’s not going to work well for renewals yet. I’m thinking of adding a system to run a batch file to run

I’d love to see server modules for lighttpd, apache, AWS, azure, etc.

Also improved the error handling in this build to dump errors that come back from the ACME server better.


What language is that? I at least never saw .cs files.


It’s C#. Project was created using the free community edition of Visual Studio that you can grab here:


I have try it. but it seem not normal work. my system windows 2012 R2.

only run to the line,and then it is close. Have you build an GUI softeware ?
Answer should now be browsable at
Submitting answer
Refreshing authorization


Hi LoneCoder, Great Code. One question though. Is it possible to use or tweak this for Apache server hosted on Windows or strictly IIS. If just IIS, is it then possible to get the certificate file created and add to the certificate store so same is usable on an Apache engine on IIS

Great work nonetheless. I am looking to try test out but may need to go offline on my Apache to configure IIS


Adding Apache support could be as easy as adding a class and implementing two methods. One that scans config and lists hostnames and another to install the cert with apache. Check the plugin folder for examples.

Manual mode can get a cert without IIS, but can’t really do automatic renewals for you.

Does it currently crash if IIS is not installed?


Yea, it crashes without IIS.
I however went ahead to install an IIS engine on a different port and then ran it again, but specified the path to the Apache point and it connected fine and generated the certificate but installed it into IIS.

For now I just exported it and then went ahead to use OpenSSL to convert to get the necessary pem and cer files for Apache. Kinda a long process but it worked. My thought is that a lot of people use Apache on Windows so in the end, I’ll hope someone looks at a direct way to help sort this.

Thumbs up all the same. You are a life saver.


The pem and “der” files are dumped to %appdata%\letsencrypt-win-simple\ for you. Are they usable from there?


Hi LoneCoder,

Thanks for the great tool. I met problems during the application of certificates. the 1st one is the port 80. Because my ISP blocked the port 80 for HTTP, I have to use port 443 for HTTPS for my websites. I got the information below:

Authorizing Identifier Using Challenge Type http-01
Writing challenge answer to
Writing web.config to add extensionless mime type to
Answer should now be browsable at

As I mentioned, duo to the blocked port 80, the is not browsable for my websites. I wonder whether there is a way to force the Challenge through port 443 rather than 80.

the 2nd issue is that my server is Windows 2012 R2 with IIS 8.5 and I don’t use the default webroot (%SystemDrive%\inetpub\wwwroot) for mywebsites (I use d:\website). It seems your software can not find my websites when scanning. I wonder whether there is any way to automatically scan the customized webroot.




Just as a follow up to this, I have been working on a new GUI tool called Certify which builds upon the ACMESharp project and provides a GUI for creating new certificate requests, renewing certificates and seeing more information about the certificates, sites etc you already have on a server. It’s not quite ready yet but I’ll be welcoming beta testers soon:

Feature requests are welcome.



Thats good news. I want to join this. how do it?