How to Create Let’s Encrypt SSL Certificate on Windows (Step-by-Step Guide)

Complete beginner-friendly guide to generate and install a free SSL certificate on Windows server

If you’re running a website on Windows Server, securing it with HTTPS is no longer optional. Modern browsers flag unsecured websites as “Not Secure,” which can scare visitors away and negatively affect SEO rankings.

The good news? You can create an SSL certificate for free using Let’s Encrypt — and install it on your Windows Server in just a few steps.

In this detailed beginner-friendly guide, you’ll learn how to:

• Create SSL certificate Let’s Encrypt on Windows

• Use Let’s Encrypt on Windows Server

• Install SSL certificate on Windows Server

• Use Win-ACME (recommended ACME client for Windows)

• Automatically renew your free SSL certificate

Let’s get started.

---

What Is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA) provided by the Internet Security Research Group (ISRG). It allows you to generate trusted SSL/TLS certificates at no cost.

Unlike traditional SSL providers, Let’s Encrypt certificates:

• Are completely free

• Can be automated

• Renew automatically every 90 days

• Are trusted by all major browsers

It’s widely used by hosting providers and system administrators worldwide.

You may also like: Let’s Encrypt vs Paid SSL: Which One is Right for Your Website?

---

Why Use Let’s Encrypt on Windows Server?

If your website runs on Windows Server with IIS (Internet Information Services), you’ll need an ACME client compatible with Windows.

That’s where Win-ACME comes in.

Win-ACME (also known as WACS) is a popular Windows ACME client designed specifically to request and install Let’s Encrypt certificates on IIS automatically.

Benefits of using Win-ACME:

• Fully compatible with IIS

• Automatic certificate installation

• Auto-renewal support

• Simple command-line wizard

• Free and open-source

Do not miss- How to Create a .pfx/.p12 Certificate File Using OpenSSL

---

Prerequisites Before You Begin

Before you create SSL certificate Let’s Encrypt on Windows, make sure:

1. Your website is already hosted on Windows Server

2. IIS is installed and running

3. Your domain name points to your server’s public IP

4. Port 80 (HTTP) is open in firewall

5. You have administrator access to the server

Without these, the certificate validation will fail.

---

Step-by-Step Guide: Create Let’s Encrypt SSL Certificate on Windows

Now let’s walk through the complete process.

---

Step 1: Download Win-ACME (Let’s Encrypt Windows Client)

1. Visit the official Win-ACME GitHub page.

2. Download the latest stable release ZIP file.

3. Extract it to a folder like:

C:\win-acme\

No installation is required — it runs directly from the folder.

---

Step 2: Run Win-ACME as Administrator

1. Open the extracted folder.

2. Right-click wacs.exe

3. Select Run as Administrator

You’ll see a command-line interface open with multiple options.

---

Step 3: Create SSL Certificate Using IIS (Recommended Method)

When prompted, choose:

N (Create new certificate)

Then select:

1 (Single binding of an IIS site)

Win-ACME will automatically detect IIS websites hosted on your server.

Select Your Website

• Choose the number corresponding to your domain.

• Confirm the domain name.

• Press Enter to continue.

Win-ACME will now:

• Perform domain validation

• Contact Let’s Encrypt servers

• Generate the certificate

• Install it automatically in IIS

If everything is configured correctly, you’ll see:

Certificate created successfully!

Congratulations — your free SSL Windows Server setup is complete.

You may also like - Extract PEM/CRT and KEY from PFX: Best Guide

---

Step 4: Verify SSL Installation

To confirm:

1. Open a browser

2. Visit:

https://yourdomain.com

You should see:

• A padlock icon

• No “Not Secure” warning

• HTTPS working properly

You can also test your SSL using online SSL checker tools.

---

How Let’s Encrypt Validation Works

Let’s Encrypt verifies domain ownership before issuing a certificate.

With IIS method, Win-ACME uses:

HTTP-01 challenge

This means:

• It places a validation file in your website folder

• Let’s Encrypt server checks it via port 80

• If accessible, certificate is issued

That’s why port 80 must be open.

You should also see this article for more troubleshooting with these steps - 

Create a Let’s Encrypt SSL Certificate on Windows

---

Automatic SSL Renewal (Very Important)

Let’s Encrypt certificates expire every 90 days.

But don’t worry — Win-ACME automatically creates a scheduled task in Windows Task Scheduler.

To check:

1. Open Task Scheduler

2. Look for “win-acme renew task”

It runs daily and renews your certificate automatically before expiration.

No manual action required.

---

Alternative: Manual DNS Validation (Advanced Users)

If port 80 is blocked, you can use DNS validation instead.

Choose:

M (More options)

Then select DNS challenge.

This method:

• Requires access to DNS provider

• Requires manual TXT record entry

• Works even if port 80 is closed

This method is ideal for:

• Internal servers

• Cloud environments

• Servers behind strict firewalls

---

How to Install SSL Certificate Manually in IIS (If Needed)

If automatic installation fails, follow these steps:

Step 1: Open IIS Manager

1. Press Windows + R

2. Type inetmgr

3. Press Enter

Step 2: Bind HTTPS

1. Select your website

2. Click Bindings

3. Click Add

4. Choose:

   • Type: HTTPS

   • Port: 443

   • Select your certificate from dropdown

5. Click OK

Now HTTPS is manually configured.

---

Troubleshooting Common Issues

Here are some common problems when using Let’s Encrypt Windows:

---

Issue 1: Validation Failed

Reason: Port 80 blocked
Solution: Open port 80 in:

• Windows Firewall

• Hosting firewall

• Router firewall

---

Issue 2: Domain Not Pointing to Server

Reason: DNS not updated
Solution: Ensure your domain A record points to correct IP.

---

Issue 3: IIS Not Detected

Reason: Website not properly configured
Solution: Make sure site exists in IIS with correct binding.

---

Security Best Practices After Installing SSL

After installing SSL certificate on Windows:

1. Force HTTPS Redirect

Add URL Rewrite rule in IIS to redirect HTTP to HTTPS.

2. Disable Weak Protocols

Disable SSL 3.0 and old TLS versions.

3. Enable HSTS

Add HTTP Strict Transport Security header.

These steps improve security and SEO rankings.

---

Benefits of Free SSL on Windows Server

Using Let’s Encrypt offers:

• Zero cost SSL

• Improved SEO rankings

• Secure data encryption

• Increased user trust

• Automatic renewals

• No licensing fees

For small businesses, bloggers, and startups, this is the perfect solution.

---

Frequently Asked Questions (FAQ)

Is Let’s Encrypt really free?

Yes, completely free forever.

---

Is it safe to use?

Yes. It’s trusted by all major browsers and widely used worldwide.

---

Does it work with Windows Server 2016/2019/2022?

Yes, Win-ACME supports modern Windows Server versions.

---

What happens after 90 days?

The certificate auto-renews via scheduled task.

---

Can I use it for multiple domains?

Yes. You can create multiple certificates for different domains or use SAN certificates.

---

Final Thoughts

Setting up HTTPS on Windows Server is no longer complicated or expensive. With Let’s Encrypt and Win-ACME, you can create SSL certificate Let’s Encrypt on Windows in just minutes.

To summarize:

1. Download Win-ACME

2. Run as administrator

3. Select IIS site

4. Let it generate and install automatically

5. Confirm HTTPS

6. Ensure auto-renewal works

That’s it!

Your website is now secure, SEO-friendly, and trusted by browsers — without paying a single dollar for SSL.



You may also like - 

Generate Let’s Encrypt SSL Certificate on Windows 11 – Full Setup Guide

Learn how to configure Let’s Encrypt SSL on Windows 11 using Win-ACME and IIS.

Securing your website with HTTPS is no longer optional—it’s a necessity. Whether you’re hosting a personal blog, business site, or development project, installing an SSL certificate ensures encrypted communication between your server and visitors.

If you're running a web server on Windows, this guide will show you how to generate SSL certificate Let’s Encrypt Windows 11, configure it properly, and automate renewals using Win-ACME and IIS.

You may check my older article, right? - if not learn, How to Create Let’s Encrypt SSL Certificate on Windows (Step-by-Step Guide)
By the end of this tutorial, you’ll have a fully functional free HTTPS Windows setup.

---

Why Use Let’s Encrypt on Windows 11?

Let's Encrypt is a free, automated, and open certificate authority (CA) that provides SSL/TLS certificates at no cost. It’s trusted by all major browsers and widely adopted worldwide.

Benefits include:

• 100% Free SSL certificates

• Automated issuance and renewal

• Trusted by browsers

• Secure HTTPS support

• Easy setup with tools like Win-ACME

For developers and small businesses running IIS on Windows 11, this is the easiest and most cost-effective solution.

---

Prerequisites Before You Start

Before you begin the Let’s Encrypt Windows 11 setup, make sure you have:

1. Windows 11 installed

2. IIS (Internet Information Services) enabled

3. A registered domain name pointing to your public IP

4. Port 80 (HTTP) open in firewall/router

5. Administrator access to your PC

---

Step 1: Install IIS on Windows 11

If IIS is not already installed:

1. Press Win + R, type appwiz.cpl, and press Enter.

2. Click Turn Windows features on or off

3. Enable:

   • Internet Information Services

   • IIS Management Console

   • World Wide Web Services

4. Click OK and wait for installation.

After installation:

• Open browser

• Visit http://localhost

• You should see the IIS welcome page

Now IIS is ready for SSL for IIS configuration.

---

Step 2: Download Win-ACME Client

To request certificates from Let’s Encrypt on Windows, you’ll use:

Win-ACME

Win-ACME (WACS) is an ACME client built specifically for Windows servers. It automates certificate issuance and renewal.

Download Steps:

1. Visit the official Win-ACME GitHub page

2. Download the latest stable release ZIP

3. Extract it to a folder like:

C:\win-acme

---

Step 3: Run Win-ACME to Generate SSL Certificate

Now comes the important part — generating the certificate.

1. Open Command Prompt as Administrator

2. Navigate to:

cd C:\win-acme

3. Run:

wacs.exe

You’ll see a menu like:

N: Create certificate (default settings)
M: Create certificate (full options)

Choose:

N

Win-ACME will:

• Detect IIS sites automatically

• List all hosted domains

• Ask which site you want to secure

Select your domain from the list.

---

Step 4: Domain Validation (HTTP-01 Challenge)

Let’s Encrypt verifies domain ownership using HTTP validation.

Win-ACME will:

• Create temporary validation files

• Place them in your IIS web root

• Let Let’s Encrypt verify your server

If your domain is correctly pointed and port 80 is open, validation will succeed automatically.

After verification, the certificate is issued instantly.

---

Step 5: Automatic SSL Installation for IIS

One of the best parts of Win-ACME Windows setup is that it automatically:

• Installs certificate in Windows Certificate Store

• Binds HTTPS to your IIS site

• Configures port 443

• Sets correct SSL binding

To confirm:

1. Open IIS Manager

2. Select your website

3. Click Bindings

4. You should see:

Type: https
Port: 443
Certificate: Your Domain

Now your site should load securely:

https://yourdomain.com

---

Step 6: Force HTTPS Redirection

To complete your free HTTPS Windows setup, redirect HTTP traffic to HTTPS.

Method 1: Using URL Rewrite (Recommended)

1. Install URL Rewrite module (if not installed)

2. Open IIS Manager

3. Select your website

4. Open URL Rewrite

5. Click Add Rule(s)

6. Choose Blank Rule

Configure:

• Condition: {HTTPS} off

• Action: Redirect

• Redirect URL: https://{HTTP_HOST}/{R:1}

• Redirect Type: Permanent (301)

Now all visitors will be automatically redirected to HTTPS.

---

Step 7: Automatic Renewal Configuration

Let’s Encrypt certificates expire every 90 days.

Luckily, Win-ACME sets up:

• Windows Scheduled Task

• Automatic renewal check

• Silent renewal process

To verify:

1. Open Task Scheduler

2. Look for Win-ACME task

3. Confirm it runs daily

You don’t need to manually renew your certificate.

---

Troubleshooting Common Issues

1. Validation Failed

Check:

• Domain DNS is correct

• Port 80 is open

• No firewall blocking traffic

2. HTTPS Not Working

Verify:

• SSL binding exists in IIS

• Port 443 open

• Certificate installed correctly

3. Mixed Content Warning

If browser shows insecure warning:

• Update internal links to HTTPS

• Check images, scripts, CSS

• Fix hardcoded HTTP URLs

---

Why HTTPS Is Important for SEO

Google prioritizes HTTPS websites in search rankings.

SSL provides:

• Data encryption

• Improved trust

• Better SEO ranking

• Secure login forms

• Protection from MITM attacks

For deeper understanding of SSL and encryption concepts, you can explore helpful technical breakdowns on platforms like Medium’s BeingCoders section, especially discussions around SSL implementation available at https://medium.com/beingcoders/search?q=ssl. (these are the best articles to refer)

Additionally, if you're exploring broader Windows hosting optimizations, server tuning, or web security practices, resources on platforms like 9mood.com provide valuable technical insights for developers and system administrators.

---

Security Best Practices After Installation

Once SSL is installed:

1. Enable HTTP Strict Transport Security (HSTS)

2. Disable old TLS versions (TLS 1.0, 1.1)

3. Enable TLS 1.2 / 1.3 only

4. Keep Windows updated

5. Monitor certificate expiry logs

---

Advanced: Multiple Domains (SAN Certificate)

If your IIS hosts multiple domains:

Win-ACME allows:

• SAN (Subject Alternative Name) certificates

• Wildcard certificates (DNS validation required)

• Manual or advanced configurations

For wildcard certificates, DNS-01 challenge is needed.

---

Summary: Complete Let’s Encrypt Windows 11 Setup

You’ve successfully learned how to:

✔ Install IIS
✔ Download Win-ACME
✔ Generate SSL certificate Let’s Encrypt Windows
✔ Configure SSL for IIS
✔ Enable automatic renewal
✔ Force HTTPS redirect

This method is:

• Free

• Secure

• Automated

• SEO friendly

• Production ready

---

Final Thoughts

Setting up Let’s Encrypt Windows 11 with Win-ACME is one of the easiest ways to secure your IIS website without spending money on commercial certificates.

In today’s digital world, HTTPS is mandatory—not optional. Whether you're hosting a blog, business site, or internal application, implementing SSL ensures encrypted, trusted communication.

With this complete Win-ACME Windows setup guide, you now have everything needed to secure your Windows 11 web server professionally and efficiently.

If you’re planning to deploy more production-ready Windows servers, consider automating security practices and regularly reviewing best SSL configurations to maintain long-term reliability.