A simple ACMEv2 client for Windows (for use with Let's Encrypt et al.)

Microsoft Exchange

Choose the domains that you want to generate the certificate for. Note that Let’s Encrypt only issues certificates to public domains, that means no Active Directory server names or domain suffixes that are only known inside of your intranet can be used. You can specify a maximum of 100 domains in a certificate.

Assumptions made in this example:

  • We want to generate the certificate for three domains
  • will be the common name, hence we put it first
  • OWA is running in the Default Web Site of IIS with Site Id 1.
  • We want to enable the certificate for SMTP and IMAP


It’s not recommended to configure a certificate for Exchange in interactive mode, because some settings like --acl-fullcontrol (essential for installation of some updates) and --certificatestore My are not accessible from the menu. The latter can be configured in settings.json but the former not.


  • Windows Certificate Store (default) wacs.exe --target manual --host,, --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

  • Central Certificate Store (load balancing etc.) wacs.exe --target manual --host,, --store centralssl --centralsslstore "C:\Central SSL" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"


To make sure all is working properly, I’d encourage you to use the Microsoft’s Remote Connectivity Analyzer. The Autodiscover and ActiveSync Autodiscover tests are really useful for testing this out. With Outlook 2016 requiring the use of Autodiscover to connect to Exchange, verifying that this works properly is an important step is making sure your environment is setup correctly.