How To Run

Wouter Tinus edited this page Dec 30, 2017 · 14 revisions


There are three main use cases, interactive, unattended and scheduled.


Interactive mode can be launched by just starting the .exe and following the instructions on the screen. There are some Command Line Arguments which might be helpful for your purposes, such as --centralsslstore, --hidehttps and --warmup.


The other main way is to use unattended mode, which is triggered by the --plugin switch. Plugin refers to the target generator, of which the most common ones are as follows.

  • --plugin manual - input host names manually, optionally launch script to install it
  • --plugin iissite - create certificate for a specific IIS site and create/update bindings

Each plugin has their own inputs which it needs to generate the certificate, for example:

letsencrypt.exe --plugin manual --manualhost --webroot C:\sites\wwwroot

letsencrypt.exe --plugin iissite --siteid 1 --excludebindings

There are some other parameters needed for first-time unattended use (e.g. on a clean server) to create the Let's Encrypt registration automatically (--emailaddress --accepttos).

One more parameters is needed for a first run to either prevent the creation of a scheduled task (--notaskscheduler), or to accept that it will be created under the default SYSTEM credential (--usedefaulttaskuser). So a full command line to create a certificate for IIS site 1 on a clean server (except for the '' binding) would look like this:

letsencrypt.exe --plugin iissite --siteid 1 --excludebindings --emailaddress --accepttos --usedefaulttaskuser


While renewal is possible from interactive mode, most users would run it as a scheduled task, which the program offers to create for you in interactive mode. The --renew parameter renews all certificates which are due (55 days after creation by default), whereas --forcerenewal simply attempts to renew every certificate which has been created so far.