Let’s encrypt generate a PFX with IIS


In this tutorial, I will explain how to generate a Let’s Encrypt certificate in PFX and then import it on another IIS server, in Exchange or on an RDS gateway.

In the tutorial: Installing a Let’s Encrypt certificate on IIS, I explain how to generate a Let’s Encrypt certificate with IIS. This article is produced with a version 1.9 of WACS, which allows the export in PFX of the certificate after generation.

Since version 2.X of WACS is out and no longer allows the export of the private key if we pass the method explained,.

Using Let’s Encrypt services for the generation of certification for the RDS gateway, version 2.X no longer allows the import of the certificate by the administration console, since it is necessary to provide a certificate in PFX format.


  • An IIS web server.
  • Download Windows ACME Simple (WACS).
  • Have the site (s) to configure on the IIS server on port 80 and accessible from the Internet.
  • If necessary copy the file Web_Config.xml to the directory of Internet sites which available in the WACS archive.

Generate a Let’s Encrypt PFX

Run WACS as Administrator, right click on wacs.exe 1 and click on Run as administrator.

Lauch wacs.exe

Once the menu loaded, enter the letter M to create a certificate in full options mode.

full options

Use option 1 (IIS) to list the available domains.

How to list domain - IIS

Select the IIS site where the domain is linked.

Choose IIS

Enter choice 1: Pick specific binding from the list.

Select site

Include bindings, validate by pressing Enter.

Select domain

Confirm the selection of the domain (s) found by pressing Enter (yes).

valid domain

Confirm again by pressing the Enter key.

Alternative name

Select a validation method, default 2.

Select valid method

Choose the type of key, by default RSA Key 2.

select RSA Key

Choose the certificate output mode, select 1 to generate a PFX – IIS Central Certificate Store (.pfx per domain).

IIS Central Certificate Store (.pfx per domain)

Enter the location where the certificate will be saved.

Folder for save file

Enter the password for the PFX file.

Choose another certificate output location if necessary, default 3.

Enter choice 4 to not take any additional action.

Wait while generating the certificate.

Once the certificate has been generated, WACS offers to update the renewal task, by default No.

Exit WACS.

Get the certificate format PFX

Open Windows Explorer and go to the location configured during the generation of the certificate to recover the file.

Related Posts

GPO: Deploy a certificate

Presentation In this tutorial, we will see how to deploy a certificate on computers using a GPO. Some cases where you may need to distribute a certificate: Internal Certification Authority Appliance c

HTML5 client for Microsoft Remote Desktop Service

"Finally an HTML5 client for Windows RDS farms" Presentation In this tutorial, I explain how to set up the HTML 5 client interface to connect to the RDS farm on Windows. Until now to connect to Remote

SOPHOS XG: clientless access

Clientless access presentation Client-free access to Sophos XG firewalls allows connections to corporate servers without a VPN client by going directly through an internet browser as Citrix does. Clie