This program is primarily used to create certificates, but the nature of ACME encourages certificates to be replaced regularly. We call a sequence of certificates, created with specific settings, a renewal. It’s the basic unit of work that you manage with the program.
N uses the easiest defaults for IIS users and the option M offers full options, for example for Apache, Exchange, wildcard certificates, etc.
.json files to the folder yourself, either manually or using some clever tooling or scripting, to create a lightly coupled integration between your own management tools and win-acme.
Many users mistakenly try to modify their renewal by issuing commands like --renew --webroot C:\NewRoot, hoping that the configured webroot for their renewal will be changed. This doesn’t work because a renew cycle checks all renewals, each of which can use any of the hundreds of possible combinations of plugins, so it’s complex to figure out what the true intention of such a command should be. Therefore, modification and renewal are completely separate functions.
Modifying a renewal is essentially the same as re-creating it, either from the command line or the main menu. If it turns out that a newly configured certificate has the same friendly name as a previously created one, then the older settings will be overwritten. In interactive mode the user is asked to confirm this. In unattended mode the script or program calling win-acme is assumed to know the consequences of its actions.
To cancel a renewal means that the certificate will not be renewed anymore. The certificate, bindings and other configuration that is already in place will not be touched, so it’s completely safe to do this without disturbing your production applications. You will, however, have to set up a new renewal or alternative certificate solution before the certificate reaches its natural expiration date.
.json file from disk and forget about it.
--cancel [--friendlyname xxx|--id xxx]. The effects are the same as above.
.json file yourself. The effects are the same as above.
Revoking a certificate should only be done when the private key is believed to have been compromised, not when simply replacing or cancelling it. Revocation can be done from the main menu with (Manage renewals > Revoke certificate).
--revoke [--friendlyname xxx|--id xxx]. The effects are the same as above.
Renewals are stored in the ConfigPath, which typically means %ProgramData%\win-acme\acme-v02.api.letsencrypt.org, though that can be changed in settings.json. Each file that fits the pattern *.renewal.json is considered to be a renewal. The files are randomly named by the program, but you are free to rename them if that suits you. The only requirement is that they must be unique, which is enforced by checking that the "Id" field in the JSON matches the name of the file. You can specify your own identifier at creation time with the --id switch.
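Because every *.renewal.json file in the ConfigPath is treated as a renewal, it is worth checking the folder after renaming files or adding them from your own tooling. The following PowerShell audit is an added example, not part of win-acme; the function name Test-RenewalFolder and the sample files are hypothetical, and it assumes that "name of the file" means the part before .renewal.json, compared case-insensitively.

```powershell
# Added example (not win-acme code): list every *.renewal.json in a folder and
# flag files whose "Id" field does not match the file name.
# Assumption: the expected Id is the file name without ".renewal.json".
function Test-RenewalFolder {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $suffix = '.renewal.json'
    foreach ($file in Get-ChildItem -LiteralPath $ConfigPath -Filter "*$suffix" -File) {
        $expected = $file.Name.Substring(0, $file.Name.Length - $suffix.Length)
        $id = $null
        $status = 'OK'
        try {
            $json = Get-Content -LiteralPath $file.FullName -Raw |
                ConvertFrom-Json -ErrorAction Stop
            $id = [string]$json.Id
            if ([string]::IsNullOrEmpty($id)) { $status = 'MissingId' }
            elseif ($id -ne $expected)        { $status = 'IdMismatch' }
        } catch {
            # Truncated or hand-edited files that no longer parse as JSON
            $status = 'InvalidJson'
        }
        [pscustomobject]@{
            File     = $file.Name
            Id       = $id
            Expected = $expected
            Status   = $status
            Modified = $file.LastWriteTime   # helps spot files added outside win-acme
        }
    }
}

# Constructed sample folder so the example runs without touching a real ConfigPath
$dir = Join-Path ([IO.Path]::GetTempPath()) ("renewal-audit-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'site-a.renewal.json')  -Value '{"Id":"site-a"}'
Set-Content -LiteralPath (Join-Path $dir 'renamed.renewal.json') -Value '{"Id":"site-b"}'
Set-Content -LiteralPath (Join-Path $dir 'broken.renewal.json')  -Value '{"Id":'

Test-RenewalFolder -ConfigPath $dir | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

To audit a real installation, pass the ConfigPath folder to Test-RenewalFolder and review any row whose Status is not OK.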
The renewal files consist of three parts:
.pfx archive.