
Windows Server

Learn how to issue TLS certificates from Hanzo KMS using ACME enrollment on Windows Server with win-acme

This guide demonstrates how to use Hanzo KMS to issue TLS certificates for your Windows Server environments.

It uses win-acme, a feature-rich ACME client designed specifically for Windows, to request and renew certificates from Hanzo KMS using the ACME enrollment method configured on a certificate profile. Win-acme offers excellent integration with IIS, Windows Certificate Store, and various certificate storage options.

Prerequisites

Before you begin, make sure you have:

Guide

Navigate to your certificate management project in Hanzo KMS and locate your certificate profile configured with the ACME enrollment method.

Certificate profile with ACME enrollment option

Click the Reveal ACME EAB option to view the ACME configuration details.

ACME configuration modal showing directory URL and EAB credentials

From the ACME configuration, gather the following values:

  • ACME Directory URL: The URL that win-acme will use to communicate with Hanzo KMS's ACME server. This takes the form https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory.
  • EAB Key Identifier (KID): A unique identifier that tells Hanzo KMS which ACME account is making the request.
  • EAB Secret: A secret key that authenticates your ACME client with Hanzo KMS.

Keep your EAB credentials secure as they authenticate your ACME client with KMS PKI. These credentials are unique to each certificate profile and should not be shared.

Install win-acme on your Windows Server using one of the following methods.

  1. Visit the win-acme releases page.
  2. Download the latest stable release ZIP file.
  3. Extract the contents to a folder (e.g., C:\win-acme).
  4. Open Command Prompt or PowerShell as Administrator.
  5. Navigate to the win-acme folder.

cd C:\win-acme

If you have .NET Core installed, you can install win-acme as a global tool:

dotnet tool install win-acme --global

This makes the wacs command available system-wide.

Run the following win-acme command to request a certificate from Hanzo KMS:

wacs.exe --target manual --host example.kms.hanzo.ai --baseuri "https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory" --eab-key-identifier "your-eab-key-identifier" --eab-key "your-eab-secret" --validation selfhosting --store pemfiles --pemfilespath "C:\certificates" --verbose

For guidance on each parameter:

  • --target manual: Uses the manual target plugin, so the domain name is supplied directly on the command line with --host instead of being read from IIS bindings.
  • --host: The domain name for which the certificate is being requested.
  • --baseuri: The Hanzo KMS ACME directory URL from Step 1. This instructs win-acme to communicate with Hanzo KMS's ACME server instead of other ACME providers.
  • --eab-key-identifier: Your External Account Binding (EAB) Key Identifier from Step 1.
  • --eab-key: The EAB secret associated with the KID from Step 1.
  • --validation selfhosting: Uses win-acme's built-in HTTP listener to answer the HTTP-01 challenge, so port 80 on this server must be reachable from Hanzo KMS's ACME server during issuance and renewal.
  • --store pemfiles: Stores certificates as PEM files in a specified directory.
  • --pemfilespath: Directory where certificates will be saved on your Windows Server.
  • --verbose: Enables detailed logging for troubleshooting and monitoring the certificate request process.

The win-acme command generates a private key on your server, creates a Certificate Signing Request (CSR) using that key, and sends the CSR to Hanzo KMS for certificate issuance. Win-acme stores the private key, the resulting leaf certificate, and the full certificate chain in the specified directory path.

Replace the placeholder values with your actual configuration:

  • example.kms.hanzo.ai: Your actual domain name
  • https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory: Your Hanzo KMS ACME endpoint from Step 1
  • your-eab-key-identifier and your-eab-secret: Your External Account Binding credentials from Step 1
  • C:\certificates: Your desired certificate storage location

Win-acme supports various certificate storage options beyond PEM files. Here are common alternatives for different deployment scenarios:

Store certificates directly in the Windows Certificate Store for integration with IIS and other Windows services:

wacs.exe --target manual --host example.kms.hanzo.ai --baseuri "https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory" --eab-key-identifier "your-eab-key-identifier" --eab-key "your-eab-secret" --validation selfhosting --store certificatestore --verbose

Generate PFX files with password protection for easy deployment across Windows environments:

wacs.exe --target manual --host example.kms.hanzo.ai --baseuri "https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory" --eab-key-identifier "your-eab-key-identifier" --eab-key "your-eab-secret" --validation selfhosting --store pfxfile --pfxfilepath "C:\certificates" --pfxpassword "your-secure-password" --verbose

For IIS Central SSL store integration in high-scale environments:

wacs.exe --target manual --host example.kms.hanzo.ai --baseuri "https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory" --eab-key-identifier "your-eab-key-identifier" --eab-key "your-eab-secret" --validation selfhosting --store centralssl --centralsslstore "C:\CentralSSL" --verbose

Win-acme can automatically create a Windows Scheduled Task for certificate renewal. Because win-acme stores the ACME server URL and EAB credentials from your initial request, renewal will automatically use the same Hanzo KMS ACME configuration—no additional settings are required.

Option 1: Enable during initial certificate request

Include the --setuptaskscheduler parameter in your initial command to automatically create the renewal task:

wacs.exe --target manual --host example.kms.hanzo.ai --baseuri "https://your-kms-instance.com/api/v1/cert-manager/certificate-profiles/{profile-id}/acme/directory" --eab-key-identifier "your-eab-key-identifier" --eab-key "your-eab-secret" --validation selfhosting --store pemfiles --pemfilespath "C:\certificates" --setuptaskscheduler --verbose

Option 2: Test manual renewal

You can test the renewal process manually before setting up automation to ensure the configuration works correctly:

wacs.exe --renew --force --verbose

This command simulates the full renewal process and verifies that win-acme can successfully contact Hanzo KMS and renew your certificate using the stored configuration.

Option 3: Verify scheduled task creation

Check that the scheduled task was created successfully:

Get-ScheduledTask -TaskName "*win-acme*"

The automatic renewal task will:

  • Run under the SYSTEM account for elevated privileges.
  • Check certificates daily for renewal eligibility.
  • Automatically renew certificates that are within the renewal threshold (typically 30 days before expiration).
  • Log renewal activities to Windows Event Viewer and win-acme log files for monitoring and troubleshooting.

Win-acme stores renewal configurations automatically in its settings directory, so once a certificate is created, the renewal process will use the same parameters (ACME endpoint, EAB credentials, storage options) for future renewals. The renewal threshold can be adjusted in the win-acme configuration files if needed.

After successful certificate issuance, verify that the certificate files have been created correctly based on your chosen storage method.

Check your specified PEM files directory to ensure all certificate components are present:

Get-ChildItem "C:\certificates" -Filter "*.pem"

You should see files like:

  • example.kms.hanzo.ai-crt.pem (certificate)
  • example.kms.hanzo.ai-key.pem (private key)
  • example.kms.hanzo.ai-chain.pem (complete certificate chain)
  • example.kms.hanzo.ai-chain-only.pem (only certificate chain)

Windows Server Generated PEM files

If you used the certificate store option, check that the certificate was properly installed using PowerShell:

Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*example.kms.hanzo.ai*"}

The certificate should appear in the Local Computer Personal certificate store, making it available for use with IIS, other Windows services, and applications that integrate with the Windows Certificate Store.
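The following PowerShell health check ties the renewal section and the certificate-store verification above together: it confirms the issued certificate is present with its private key, that this host trusts the Hanzo KMS issuing chain, how far it is from the renewal threshold, and that the win-acme renewal task exists and last ran cleanly. It is an added example, not part of the Hanzo KMS documentation or win-acme; it assumes the certificatestore storage option, the default task name containing "win-acme", and placeholder values for the host name and the 30-day threshold.

```powershell
# Added example, not part of the Hanzo KMS docs or win-acme itself.
# Assumes --store certificatestore was used and the win-acme task keeps a
# name containing "win-acme"; $HostName and $RenewalDays are placeholders.
param(
    [string]$HostName    = "example.kms.hanzo.ai",
    [int]   $RenewalDays = 30      # matches win-acme's typical renewal threshold
)
$problems = @()

# 1. Newest certificate for the host in the Local Computer Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in Cert:\LocalMachine\My" }
Write-Host "Thumbprint: $($cert.Thumbprint)  Issuer: $($cert.Issuer)  NotAfter: $($cert.NotAfter)"

# 2. Without the private key win-acme generated, IIS cannot bind the certificate.
if (-not $cert.HasPrivateKey) { $problems += "certificate has no private key" }

# 3. Build the chain to confirm this host trusts the Hanzo KMS issuing CA.
#    Revocation checking is skipped so an unreachable CRL does not mask a trust error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain does not build: $status"
}

# 4. Remaining lifetime versus the renewal threshold.
$daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
if ($daysLeft -le 0) { $problems += "certificate has expired" }
elseif ($daysLeft -le $RenewalDays) { $problems += "inside renewal window ($daysLeft days left); win-acme should renew" }

# 5. The renewal task must exist and its last run must have succeeded.
$task = Get-ScheduledTask -TaskName "*win-acme*" -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $task) {
    $problems += "no win-acme scheduled task; rerun wacs.exe with --setuptaskscheduler"
} else {
    $info = $task | Get-ScheduledTaskInfo
    Write-Host "Task: $($task.TaskName)  State: $($task.State)  LastResult: 0x$('{0:X}' -f $info.LastTaskResult)"
    # 0 = success; 0x41303 = task has not run yet; anything else is a failed run
    if ($info.LastTaskResult -notin 0, 0x41303) { $problems += "last renewal run failed (see win-acme logs)" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "OK: $HostName has a trusted certificate with $daysLeft days left and a renewal task in place"
```

Run it from an elevated PowerShell session after issuance and again after a forced renewal; a non-zero exit code makes it usable from a monitoring agent.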
