Where to find certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: blog.javasqlweb.org

I ran this command: wacs.exe

It produced this output: certificate created successfully after dns validation

My web server is (include version): apache

The operating system my web server runs on is (include version): windows

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): aws route 53

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi there community. I created a certificate successfully. Where can I find it so I can download it and install manually?


Hard to say, because win-acme has many different options/plugins. So we need to know how you got your certificate, i.e. what options within win-acme you’ve used.

I used a wacs client and entered the following commands

Please choose from the menu: N

Running in mode: Interactive, Simple
Target plugin IIS not available: No supported version of IIS detected.

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the “all bindings”
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read site bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Enter comma-separated list of host names, starting with the common name: blog.javasqlweb.org

Target generated using plugin Manual: blog.javasqlweb.org
Validation plugin SelfHosting not available: Run as administrator to allow use of the built-in web listener.

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup and for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/win-acme/win-acme/.

1: [http-01] Save verification files on (network) path
2: [http-01] Serve verification files from memory
3: [http-01] Upload verification files via FTP(S)
4: [http-01] Upload verification files via SSH-FTP
5: [http-01] Upload verification files via WebDav
6: [dns-01] Create verification records manually (auto-renew not possible)
7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
8: [dns-01] Create verification records with your own script
9: [tls-alpn-01] Answer TLS verification request from win-acme
C: Abort

How would you like prove ownership for the domain(s)?: 6

Store plugin CertificateStore not available: Run as administrator to allow certificate store access.

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per host)
2: PEM encoded files (Apache, nginx, etc.)
3: PFX archive
4: Windows Certificate Store
5: No (additional) store steps

How would you like to store the certificate?: 5

Installation plugin IIS not available: No supported version of IIS detected.

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Which installation step should run first?: 4

Terms of service: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.2-November-15-2017.pdf

Open in default application? (y/n*) - yes

Do you agree with the terms? (y*/n) - yes

Enter email(s) for notifications about problems and abuse (comma seperated): rickdelpo@gmail.com

[blog.javasqlweb.org] Authorizing…
[blog.javasqlweb.org] Authorizing using dns-01 validation (Manual)

Domain: blog.javasqlweb.org
Record: _acme-challenge.blog.javasqlweb.org
Type: TXT
Content: “gav5IlUGJ48nMKvlrynYjkreeb4GB4nGw1EW8s10R8A”
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press after you’ve created and verified the record

[blog.javasqlweb.org] Preliminary validation failed: no TXT records found

The correct record is not yet found by the local resolver. Check your configuration and/or wait for the name servers to synchronize and press to try again. Answer ‘N’ to try ACME validation anyway. (y*/n) - no

[blog.javasqlweb.org] Error preparing for challenge answer

Create certificate failed, retry? (y/n*) - yes

First chance error calling into ACME server, retrying with new nonce…
[blog.javasqlweb.org] Authorizing…
[blog.javasqlweb.org] Authorizing using dns-01 validation (Manual)

Domain: blog.javasqlweb.org
Record: _acme-challenge.blog.javasqlweb.org
Type: TXT
Content: “gav5IlUGJ48nMKvlrynYjkreeb4GB4nGw1EW8s10R8A”
Note: Some DNS managers add quotes automatically. A single set
is needed.

Please press after you’ve created and verified the record

[blog.javasqlweb.org] Preliminary validation succeeded
[blog.javasqlweb.org] Preliminary validation succeeded
[blog.javasqlweb.org] Authorization result: valid

Domain: blog.javasqlweb.org
Record: _acme-challenge.blog.javasqlweb.org
Type: TXT
Content: “gav5IlUGJ48nMKvlrynYjkreeb4GB4nGw1EW8s10R8A”

Please press after you’ve deleted the record

Requesting certificate [Manual] blog.javasqlweb.org
Store with None…
Installing with None…
Adding Task Scheduler entry with the following settings

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options…
Q: Quit

You didn’t use a “Store plugin”. Please read the official win-acme (the name for wacs.exe) documentation for store plugins:

Store plugins are responsible for storing issued certificates in their permanent location(s). The program will cache the certificate in a .pfx file in its CertificatePath (which defaults to %programdata%\win-acme\[baseuri]certificates ) but these files are protected by random passwords to prevent local non-administrators from obtaining keys. Store plugins are responsible for making the certificates accessible to the application(s) that need them.

No idea what that “(…) protected by random passwords to prevent local non-administrators from obtaining keys.” means though.

OK thanks, I did not know how to use the script functionality of the store, and also the default Windows certificate store option is greyed out … it appears I need to run as administrator but then not sure about path to Windows store. Should I rerun the request or is there some other way to retrieve the existing cert?

You’ll have more options as Administrator, but I don’t use Windows, so no idea what to do then.

As mentioned before, your certificate is cached. But I have no idea how to retrieve it. The documentation hints that it’s secured for non-administrator users. So I assume you’d be able to retrieve your certificate from that cache folder as administrator.

ok, thanks again.

Is there someone in your community who can tell me how to set the path for a Windows store? Is it a public path?

Does wacs.exe ask you for a path?

Also, you might want to try to search the web yourself first before asking others, in my personal opinion. A simple search with “windows personal certificate store” led me to this Microsoft documentation: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores

what I need are the PEM files


Designed for Apache, nginx and other web servers. Exports a .pem file for the certificate and private key and places them in the path provided by the --pemfilespath parameter, or the Store.PemFiles.DefaultPath setting in settings.json.

so I went into settings.json and found the following

"Store": {
  "DefaultStore": null,
  "CertificateStore": {
    "DefaultStore": null
  },
  "CentralSsl": {
    "DefaultPath": null,
    "DefaultPassword": null
  },
  "PemFiles": {
    "DefaultPath": null
  },
  "PfxFile": {
    "DefaultPath": null,
    "DefaultPassword": null
  }
},
"Installation": {
  "DefaultInstallation": null
}

I obviously did not configure a store which is why I am in this jam

Can someone guide me on how to set up the correct paths to a store?


do I use this path?

C:\Users\rickd\Downloads\win-acme.v2.1.10.896.x64.pluggable\settings.json ??

this is my local path where win-acme is located. After I set this up correctly will the system download my cert to this path??

You should be able to select “2” here instead of “5”. If it’s greyed out, perhaps you’d need to run as administrator. It doesn’t really matter what the path is, as long as you can remember what path you used and as long as the user running wacs.exe has write permissions to it.
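An added example, not part of the original thread and not win-acme's own code: the PEM store writes the private key as a file into whatever folder you choose, so that folder's permissions decide who can read the key. The PowerShell below classifies each `.pem` file by its PEM header and lists any account outside an allow-list that has read access to a private-key file. The folder path and the allow-list are assumptions to adjust for your machine.

```powershell
# Assumed (hypothetical) folder: the path given to win-acme's PEM store.
$PemDir = 'C:\certs\blog.javasqlweb.org'

# Assumed allow-list of well-known SIDs that may read the private key.
# Add the SID of the account Apache runs as if it is not LocalSystem.
$AllowedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

function Get-PemKind {
    # Classify a file by its PEM header instead of trusting the file name.
    param([string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    if ($text -match '-----BEGIN (RSA |EC )?PRIVATE KEY-----') { return 'private-key' }
    if ($text -match '-----BEGIN CERTIFICATE-----') { return 'certificate' }
    return 'unknown'
}

function Get-UnexpectedReaders {
    # Return every identity with an Allow entry granting read access
    # that is not on the allow-list above.
    param([string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.FileSystemRights -band $readData)) { continue }
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($AllowedSids -notcontains $sid) { $ace.IdentityReference.Value }
    }
}

# One row per PEM file; UnexpectedReaders should be empty for key files.
Get-ChildItem -LiteralPath $PemDir -Filter *.pem | ForEach-Object {
    $kind  = Get-PemKind $_.FullName
    $extra = if ($kind -eq 'private-key') { @(Get-UnexpectedReaders $_.FullName) } else { @() }
    [pscustomobject]@{
        File              = $_.Name
        Kind              = $kind
        UnexpectedReaders = ($extra -join ', ')
    }
}
```

A non-empty `UnexpectedReaders` column on a private-key row (for example `BUILTIN\Users`) means the folder inherits permissions that are too broad for key material.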

Thanks for your help. Since I did not correctly configure a store I would like to start over again. How do I revoke my cert?

Has your private key been stolen or otherwise compromised? No? Then there’s no need to revoke it.

Hi all, I created a cert using wacs.exe but I wrongly configured the store so I was unable to obtain my cert. After playing around with wacs I decided to create a second cert, which I did successfully, and I have the store configured properly and I can see my cert.

Because I misconfigured the original cert I would like to start over by revoking but do not know how to do it.

Please advise on how to revoke a cert, thanks


Is the private key compromised?

No? Then there is no need to revoke. Let it go.


Since I made mistakes in my original config, can I edit the existing config? I need to be able to go back through all the steps because I forgot to include a store path, thanks


Probably. You need to read your acme client’s documentation. I don’t know how win-acme works.
