Free Exchange Certificate

KB ID 0001739


A couple of weeks ago I wrote an article about getting free certificates for IIS with ‘Let’s Encrypt’. Last week the renewal for my ‘test’ Exchange server’s certificate came though. So I thought “Why don’t I try and get a ‘Free Exchange Certificate’?”

Free Exchange Certificate

Before we start let’s take a moment to take a look at our existing Exchange Certificate, as you can see it’s a publicly signed and trusted certificate, the only thing wrong with it, is it’s going to expire in a couple of weeks, yours may have already expired, or you may be running a self signed SSL certificate, (horror!)

Exchange Free Certificate

To do all the heavy lifting you need a peice of software, the easiest (I’ve seen) is win-acme (at time of writing the latest version is you simply download it as a zip file.

Free Certificate Let's Encrypt

Extract the contents of that zip file to a folder on your hard drive.

win-acme free IIS certificate

Apply For & Install the Free Exchange Certificate

Open an administrative command prompt > Navigate to the folder you just created > run wacs.exe

Install Let's Encrypt Certificate in IIS

WARNING: Some other run throughs I’ve read, have different option numbers, (wacs.exe has obviously been updated). So instead of just posting the Number to select I’ll post the Option, then put the number, (or letter) of that option in brackets, (in case they change the option numbers again!)

Create a new certificate (full options) {m} > Manual Input {2}.

Free Exchange Certificate

Manual Input {2} > Enter the public filly qualified domain name(s) of your exchange server (spectated by commas) > Press Enter to accept the default friendly name (unless you want to specify your own).

Get a Free Exchange Certificate

[http-01] Serve certification files from memory {2} > RSA Key {2}. 

Note: You will need TCP Port 80 open to the Exchange server for this to work, (in most cases you will only have HTTPS or TCP Port 443 open!)

Aquire a Free Exchange Certificate

Windows certificate store {4} > No (additional) store steps {5}.

How to Get a Free Exchange Certificate

Create or update https binding in IIS {1} > Default Web Site {1} > Start external script or program {3} > Paste in the following;


Let's Encrypt Exchange

At the prompt paste in the following;

'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'

No (additional) installation steps {4}.

Free Let's Encrypt Exchange SAN Certificate

No, (or it will open the terms and conditions in another window) > Yes (your soul now belongs to Let’s Encrypt!) > Type in an email address  > Quit {q}

Free Let's Encrypt Exchange Autodiscover Certificate

Now reconnect to either OWA or the Exchange Admin Center > And you should see you have a new certificate.

Replace Exchange Certificate with Free one

It only lasts three months! That’s correct but;

Let’s Encrypt Free Exchange Certificate Auto Renewal

As well as getting your certificate, win-acme also created a scheduled task to check your certificate validity and renew it before it expires. Cool eh?

Lets Encrypt auto renew

Where Does Win-ACME Store its information

Good question, it took me a little while to find that out, essentially once ran it creates a new folder in %programdata% (That’s a hidden folder on the C drive usually) called win-acme all your settings are in there, so if you make a mistake like enter the wrong email address, you can delete this folder and start again.

How To Remove Let’s Encrypt Exchange Free Certificate & Settings

  1. Remove the certificate from Exchange Admin Center.
  2. Remove the win-acme folder from %Programdata%.
  3. Delete the scheduled update task from ‘Task Sheduler‘.

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. NIce Job Sir. Thanks for this!

    Post a Reply
  2. As Always, Thank you for this.
    You have awesome tutorials and thank you for sharing your knowledge.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *