Skip to content

Releases: win-acme/win-acme


13 Mar 19:13
Choose a tag to compare

Bug fixes

  • Fixes "CryptographicException - Unable to store certificate" error that occurs when both PrivateKeyExportable and UseNextGenerationCryptoApi are disabled (#2329, #1350), introduced in 2.2.2 and reported by many users, first by @douglassimaodev
  • Fixes verbose mode not enabled when /verbose syntax instead of --verbose
  • Fixes sensitive arguments echoed back to logs when using /secret syntax instead of --secret


12 Mar 09:03
Choose a tag to compare


  • Windows has two ways to handle private key material stored in the Certificate Store. There is the legacy method which stems from ancient history and the "Next-Generation" method (CNG) that was introduced in Windows Server 2008 and Vista. This program uses the legacy method by default, because some old software depends on it. For example, some older versions of Exchange are known to fail if the mail certificate is stored using CNG. Also, certificates stored using CNG cannot be directly exported from the IIS Manager regardless of the "exportable" settting (even though they are exportable in other ways). Those use cases are obviously limited and probably don't outweigh the security and flexibility benefits of using the CNG system for most users, so this release offers a new configuration settting UseNextGenerationCryptoApi to enable it.
  • The disk log now always contains full verbose information, which will make it much easier for us to diagnose difficult to reproduce issues for user.
  • The PrivatekeyExportable setting was moved from the Security section to the Store.CertificateStore section, because it's only relevant there. Having the setting present at the old location will still work to preserve backwards compatibility, but the default settings.json looks different now.


  • The CSR source plugin was broken in release 2.2.0 (#2324, reported by @wldlkh)
  • The GoDaddy validation plugin was broken in release 2.2.1 (#2323, reported by @LeeThompson)
  • Using --acl-fullcontrol didn't work for EC private keys.
  • Certificates were using CNG by default, but were supposed to use the legacy method for backwards compatibility (#2321, reported by @sunstarjeff)


03 Mar 01:45
Choose a tag to compare

New features

  • Add Linode (Akamai) plugin for DNS validation, contributed by @RedFox4
  • Implemented plugin system for the secret vault. This should be considered an experimental feature, but it allows developers to create backends for secret management that can run side-by-side with the built in JSON-file, making it possible to integrate third party solutions like Hashicorp or others into win-acme. All it takes is to implement the ISecretService interface and include the .dll in the program directory.


  • Make --validationmode tls-alpn-01 work without also having to specify --validation
  • Set TTL=60 for Cloudflare and GoDaddy DNS validation for faster updates (#2312)
  • DNS prevalation finetuning: better logging, check all nameservers on each pass, randomize order
  • Support TLS-APLN-01 validation on IPv6, requested by @no1d (#2307)


Note: some of these fixes were already included in later builds of version 2.2.0.

  • Fix validation error messages returned by the server not showing properly
  • Fix broken Azure plugin due to forwarding synchronous http requests to asychrounous handler, discoverd by @ditchcode (#2311)
  • Fix DNS and TLS-ALPN-01 validation plugins not selectable from the command line
  • Fix TLS-ALPN-01 validation for multiple host names in one pass, discovered by @no1d (#2307)
  • Fix broken filesystem/ftp/webdev validation, reported by @SteffenAL (#2305)
  • Fix broken external plugins, first reported by @aadnehovda (#2304)
  • Fix DNS pre-validation disabled by default for new installations (#2312)
  • Fix DNS pre-validation using cached results, causing it to always fail when long TTL is used (#2312)
  • DnsMadeEasy plugin is now actually built by CI/CD and included in the release assets
  • Add missing --friendlyname parameter to command line description
  • Never delete cache files before the renewal period as defined by ScheduledTask.RenewalDays has passed, regardless of user setting for Cache.DeleteStaleFilesDays, based on feedback by @AliDodd (#2319)


This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:


If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.


04 Feb 22:23
Choose a tag to compare

New features

  • The full options menu now exposes the 'order' step, which allows you to split your source into multiple certificates. This can be useful when you run into limits imposed by your ACME provider (e.g. Let's Encrypt only supports 100 host names per certificate), want to generate certificates for many websites without micro-managing the associated renewals, and/or want to prevent information disclose through the SAN list. This feature has been available through the command line for a long time, but is now considered mature enough for a broader audience.
  • With the new global validation options it's possible to create certificates with a mix of different validation options. You might for example use HTTP-01/FTP validation for and DNS validation for * Inspired by an idea coined by @JensSpanier (#2032). This also makes it easier to handle complicated validation settings. For example Azure requires some five pieces of difficult to remember information to do DNS validation, which until now had to be provided and maintained for each renewal seperately.
  • Added a new external plugin to store certificates in the CurrentUser store instead of the LocalSystem store, as requested by @cvalka2 and others (#2213).
  • Added a new external plugin for DNS Made Easy, contributed by @cboyce428 (#2230)
  • It's now possible to customize the file name used in the PFX and PEM store plugins, instead of that being hardwired to reflect the common name of the certificate, as requested by @Dezeptor (#2231).
  • When disabling the certificate cache (setting it to 0 days) no private key material will be stored anywhere except when and where specifically requested. @florian-re brought this need to our attention (#2286).
  • The renewal manager now includes an option to show the command line arguments that may be used to (re)create the renewal. This is not a 100% water tight solution because some things can only be done by going through the menu's interactively, but should help the discoverability of unattended mode and provide an easier path for people getting into automation. Suggested by @elitegoodguy and @cesarchefino.


  • Plugins have seen many changes in this release, which is the reason this release is designated as version 2.2.0 instead of 2.1.24. If you've built your own plugin, you'll have to adapt it to use the new interfaces designed for this release. Generally this will increase code quality by reducing redundancy and resolving several awkward bits that sneaked in over the years as demands for the previous system shifted. As an end-user, this should have no noticable effect, except for more meaningful and context-aware error messages in several places.
  • The program is now built using .NET7, keeping up to date with the latest and greatest from Microsoft and improving the file size and reliability of the self-contained executable (e.g. #2192). Several of the larger classes have been refactored into smaller pieces to improve code readability and maintainability, and the whole solution has been cleaned of warnings.
  • Download size of the trimmed package has been reduced by about 2MB.
  • Newtonsoft.Json has been removed in favor of Microsofts own System.Text.Json.
  • Azure plugins for DNS and KeyVault have been updated to use the next-generation ResourceManager packages, as well as various other third party dependency updates.
  • Added a "no cache" (--nocache) switch and renewal manager menu option to be specifically different from "force" (--force). The latter ensures that renewals are always due, while the former temporarily disables the cache. This resolves some illogical behaviour, as pointed out by @aleekso in #2257.
  • Intermediate certificates will no longer be installed to the Windows Certificate Store in --test mode, as per Let's Encrypts security recommendations. This helps to prevent your machine from trusting other test certificates.
  • If an error happens during an otherwise succesful renewal (e.g. triggered by an installation script), the notification system will still send a high priority notification, as requested by @baconliker in #2283.
  • You will no longer be able to pick the IIS installation step more than once. There is currently never any need to do this, but the possibility led users to believe that it may be needed or useful (e.g. #2236).
  • For ACME services that provide long-lived certificates, it's now possible to change the cache system to keep files longer than 120 days, as requested by @FISHMANPET (#2255).
  • @mike6715b contributed an example script for the Veeam Cloud Gateway.
  • An option has been added to settings.json to disable the datetimestamp that is normally appended to the friendly name of certificates, increasing the level of control over the final outcome, as requested by @willt (#2298).

Bug fixes

  • Attempting first-time setup with EAB credentials at ZeroSSL would fail due to the program asking for user input.
  • Encrypt/decrypt private keys stored in the order cache when calling --encrypt, this was previously ignored.
  • Don't show message "Test message sent" when it actually fails, reported by @kostamoisidis (#2208)
  • The IIS FTP service would not always be detected properly, reported by @morhans (#2272)
  • When cancelling a certificate using the command line, the cache would not be cleared.


20 Oct 19:09
Choose a tag to compare


  • #2227 - Security improvement: the data folders created by win-acme under %ProgramData% were readable to all users on the system. Even though all sensitive data is encrypted, a malicious user or software sharing the system with win-acme could access it. This update will limit access to the folders by removing access to the built-in Users group. If you require non-administrators to use or access the program, you will have to grant them access manually by other means (e.g. by adding them to the ACL personally, or by creating a specific group). Thanks for bringing this to our attention @User-26.
  • #2226 - It's now possible to use secrets from the secret vault as parameters to the Script plugin. For example if you have an installation script that requires an API key, said key doesn't have to be stored in plain text anymore. Read the documentation here. This nice idea came from @chillware.
  • #2215 - Improve logging for failed orders, thanks @CastaS.
  • #2178 - FTP validation plugin now captures FTP log output, based on feedback by @svarga91
  • Update renewal JSON format to be more space efficient and accurate, especially when used with Order plugins and randomized due dates.
  • Various dependancy updates.

Bug fixes

  • #2189 - @PL-Peter updated the Exchange example script to be compatible with the latest version of the ExchangePowerShell module.
  • #2170 - When using the IIS and IISFTP installers in a single renewal, you would run into an exception after upgrading to v2.1.20 or higher. Reported by @NETvide.
  • #2171 - @tsimmons noticed a small issue in the verbose logging output at startup.


13 Jul 20:43
Choose a tag to compare


  • #2131 - Uncompleted authorisations are now deactivated to prevent users from running into server rate limits, as happend to @LumKitty.

Bug fixes

  • #2144 - When using a custom CSR source plugin, the PFX store plugin would crash, thanks @CastaS for reporting this!
  • #2157 - The renewal manager would show incorrect expire dates, thanks for noticing @cyr224.
  • #2165 - In some edge cases, DNS validation would fail, found by @hadesz.
  • #2155 - Domain names with unicode characters would fail to validate, reported by @iqmeta.


15 May 11:45
Choose a tag to compare

Bug fixes

  • #2115 The order plugin Domain didn't generate valid common names in all cases, found by @cvocvo
  • For renewals split into multiple orders
    • Not all of them would be checked to see if a pre-mature renewal was required
    • Due to a cache invalidation issue, after renewing one of the orders, all other orders would become due in the next run
  • #2118 - Do not return exitcode -1 from the program when renewal is aborted, found by @cmann-andagon.
  • The cached list of IIS sites and bindings is now refreshed after every action in the renewal manager, to get more accurate behaviour when using win-acme and the IIS Manager side by side.
  • #2120 - Users might run into an error when creating a certificate with a wildcard domain without the matching root domain included. Found by @uzairali001.
  • #2110 - The external script runner (used by the script installation and validation plugins) would not always register the exit code of the script properly. Noticed by @justarandomgeek.


07 May 12:22
Choose a tag to compare


@rmja contributed a DNS validation plugin for Simply DNS.


  • Greatly enhanced the practical usability of Order plugins, which can be used to split a single renewal into multiple certificates. You can use this for example to very easily get a seperate certificate for each website in IIS, without spending a lot of time creating and managing seperate renewals. Order plugins are still a somewhat "hidden" feature because from interactive mode you automatically choose the "single order" plugin, even when you go through the full options menu. But they are documented and usable through the command line.
    • It's now possible to validate different orders from the same renewal in parallel, saving a lot of time when using one of the DNS methods. Note that not every DNS plugin supports this parallel mode of operation, but some of more popular ones (Azure and AWS) do. This requires DisableMultiThreading to be set to false in setttings.json.
    • The cache mechanism has improved to better handle renewals with multiple orders, both in terms of correctness and performance.
    • Fix a bug where IIS installation might not work properly when combined with an Order plugin.
    • Fix a bug where Order plugins should not be available when using a manual CSR.
    • Fix a bug where the program would complain about >100 SAN names, even though the renewal was going to split.
    • Better feedback through log messages.
  • It's now possible to randomize the date when the renewal should run. This is useful for anyone worried about the impact of updating a large amount of certificates all at once. This works both with renewals and with specific orders withing the renewal. E.g. if you have 1000 certificates to manage, you can configure the program to randomly renew ~100 of them every day over a 10 day period, by setting RenewalDaysRange to 10 in settings.json. The default behaviour remains identical to previous versions.
  • The PfxFile store plugin now uses the BouncyCastle library instead of native .NET code to export the archive, which makes the key identifiers predictable and therefor easier to consume.
  • @skacurt made the CloudFlare plugin a bit more efficient by requesting 50 zones per page instead of 20.
  • Improved logging and exception handling around certificate downloads.
  • @SysAdmLS made it possible to use .cmd as an extension for the script installer.
  • #2081 - For DNS pre-validation the program will no longer try to communicate with the root servers, because we found a case where there was an unexplainable difference between the root servers replies and replies by all major public providers.
  • The FTP(S) validation plugin is now based on FluentFtp.NET instead of (recentely deprated) FtpWebRequest from .NET. This modern library makes the plugin much more reliable and able to talk to more types of servers.
  • #2085 - When using the Script DNS validation plugin, it's not possible enable parallel operations using the --dnsscriptparallelism parameter or by answering a question in the UI. This allows multiple records to be validated simultaneously, which can be a big time saver due to propagation delay issues. Requested by @LumKitty.
  • Update various NuGet packages


  • #2084 - Using a manual CSR was broken in one of the recent release. Thanks for the report @navels!
  • #2076 - Fix superfluous warning messages about "Existing https binding ... not updated" when targeting multiple IIS sites for installation, thanks @Duber888 and @ppetrov for helping to reproduce this issue.
  • #1970 - It was not possible to combine --renew with --friendlyname to filter which certificate should be renewed. Found by @roddharris.
  • When using the IIS Central Certificate Store, the program would sometimes fail to create new bindings, even though they were needed.


15 Feb 10:12
Choose a tag to compare


  • @ysc3839 contributed a plugin to do DNS validation with NS1.
  • @AbstractionAs contributed a plugin to DNS validation with


  • #2011 - @The00Dustin provided a new version of the ImportRDSFull.ps1 example script.
  • #2001 - Publish the debugger interface (mscordbi.dll) in the release assets, as suggested by @miloush.
  • #1932 - It's now possible to use the --emailaddress parameter for EAB accounts, requested by @mlonguet.
  • #2040 - Server connection check at startup has be come more thorough and provides better feedback about potential issues.
  • Upgraded the project to .NET6 and Visual Studio 2022
  • Update various NuGet packages.


  • #2004 - Fix IIS not being detected when only the FTP service is active, reported by @paynent.
  • #2015 - The command line option --validation selfhosting would not work unless --validationmode was also provided, reported by @sunib.
  • #2035 - The Cloudflare DNS validation plugin might fail when the API key gives access to more than 20 zones, reported by @m-ferrero.
  • #2043 - When unsuccesfully updating an existing renewal from the command line, a user prompt would appear and block further progres. Thanks for the bug report and pull request @sfclemens!
  • Fix infinite loop when plugin is not configured correctly.
  • The --ftpsiteid parameter didn't work anymore. Although obsolete due to the regular IIS installer being able to handle FTP sites now, it has been restored to ensure backwards compatibility with pre-existing automation.
  • #2041 / #2053 - When installing to multiple IIS websites and using non-standard ports, superfluous bindings could be created. Thanks for the reports @FootStark and @ironwithiniv.


17 Nov 20:56
Choose a tag to compare


#1993 - Support uppercase host names for WinRM script, thanks @monomosc!

Bug fixes

#1989 - Fix download link on the website, thanks @seirui
#1990 - Fix the program not creating a scheduled task when it was supposed to
#1994 - DefaultValidationMode in settings.json was ignored, thanks @Thoorium
#1991 - Fix use of the secret vault for the TransIP plugin, thanks @GJurriens