A simple ACMEv2 client for Windows (for use with Let's Encrypt et al.)

Microsoft Exchange

Choose the domains that you want to generate the certificate for. Note that Let’s Encrypt only issues certificates to public domains, that means no Active Directory server names or domain suffixes that are only known inside of your intranet can be used. You can specify a maximum of 100 domains in a certificate.

Assumptions made in this example:

  • We want to generate the certificate for three domains
  • will be the common name, hence we put it first
  • OWA is running in the Default Web Site of IIS with Site Id 1.
  • We want to enable the certificate for SMTP and IMAP


It’s not recommended to configure a certificate for Exchange in interactive mode, because the settings --acl-fullcontrol (essential for installation of some updates) is not accessible from the menu.


Important note for Hybrid Exchange configurations (synced to Office 365): you should use 0 instead of 1 in the --scriptparameters, which translates to the LeaveOldExchangeCerts input of the sample script. See this issue for more details.

  • Windows Certificate Store (default) wacs.exe --source manual --host,, --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

  • Central Certificate Store (load balancing etc.) wacs.exe --source manual --host,, --store centralssl,certificatestore --certificatestore My --acl-fullcontrol "network service,administrators" --centralsslstore "C:\Central SSL" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.v2.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"


To make sure all is working properly, I’d encourage you to use the Microsoft’s Remote Connectivity Analyzer. The Autodiscover and ActiveSync Autodiscover tests are really useful for testing this out. With Outlook 2016 requiring the use of Autodiscover to connect to Exchange, verifying that this works properly is an important step is making sure your environment is setup correctly.