Certify the Web is a popular ACME client that can be used to secure IIS websites with free Let's Encrypt certificates. This guide provides detailed instructions on installing the client and issuing certificates.



Step-by-step guides in this article:

  1. Installing Certify the Web
  2. Securing website(s) using Certify the Web
  3. How renewals work with Certify the Web
  4. Using DNS validation

Installing Certify the Web

1. Navigate to Certify the Web's website and download the latest version: https://certifytheweb.com/

2. Run the downloaded installer to install the service.

3. When the installer completes, check the box to open the client to ensure it opens as expected.

Securing website(s) using Certify the Web

Certify the Web uses HTTP validation by default, which requires the website to be pointed to the server in order to work. You can also configure DNS validation in the settings if preferred.

1. Open the Certify the Web desktop client.

2. Click on "New Certificate".

3. Under the "Identifiers" section, select the drop-down and choose the IIS website for which you want to generate certificates.

  • After selecting the drop-down, you will notice the name field automatically fills with the IIS site name. You can change this if desired, then click "Save".

4. Check the boxes for each hostname configured under the IIS site that you want to secure. By default, every binding will be selected.

  • You can also add additional hostnames not configured in the bindings by using the "Add domains to certificate" field.

5. When ready to generate the certificate, click the "Request Certificate" button.

6. You will now see a progress screen that shows which step in the certificate issuance the app is on. You should eventually see a green success message that means everything is good to go. If you see an error message, you will need to view the details of the error in order to know why the certificate could not be issued.

How renewals work with Certify the Web

Certify the Web defaults to using Let's Encrypt for generating certificates. These certificates are valid for 3-month periods before expiring, so it is important to make sure certificates are set to renew automatically as the date gets closer to the certificate expiring. By default, certificates are set to attempt renewal at 75% through the total lifespan of a certificate. For example, if a certificate is valid for 90 days, then after 67.5 days, the certificate will attempt renewal. This gives plenty of time before the expiration to get the cert renewed in case any issues arise during the renewal period.

While certificate renewals are automatic, you can manually request the renewal of a certificate or change the renewal policy for a specific certificate. For example, you can change the lifespan % at which the cert attempts renewal or set it to renew within x number of days of expiration.
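To confirm that automatic renewal is keeping up, the PowerShell script below applies the 75% rule described above to the certificates installed on the server and flags any that are past their renewal point. It is an added example, not part of Certify the Web; the LocalMachine\My store location and the "Let's Encrypt" issuer filter are assumptions.

```powershell
# Added example: audit installed certificates against the renewal policy.
$RenewalFraction = 0.75              # default renewal point (75% of the lifespan)
$IssuerMatch     = "Let's Encrypt"   # assumption: only audit certificates from this issuer
$now             = Get-Date

$report = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    Group-Object Subject |
    ForEach-Object {
        # Superseded certificates can remain in the store after a renewal,
        # so only the newest certificate for each subject is evaluated.
        $cert     = $_.Group | Sort-Object NotAfter -Descending | Select-Object -First 1
        $lifetime = $cert.NotAfter - $cert.NotBefore
        $renewAt  = $cert.NotBefore.AddTicks([long]($lifetime.Ticks * $RenewalFraction))

        if ($now -ge $cert.NotAfter) {
            $status = 'EXPIRED'
        } elseif ($now -gt $renewAt) {
            # The renewal attempt should already have happened; check the Certify the Web log.
            $status = 'RENEWAL OVERDUE'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            LifetimeDays = [math]::Round($lifetime.TotalDays, 1)
            RenewAt      = $renewAt
            DaysLeft     = [math]::Round(($cert.NotAfter - $now).TotalDays, 1)
            Status       = $status
        }
    }

$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

If a certificate has a custom renewal policy, adjust `$RenewalFraction` to match before reading the `Status` column.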

Using DNS validation 

DNS validation is not enabled by default since it requires some additional configuration. When enabled and configured, you can issue SSL certificates for websites regardless of whether they are live on the server. This makes DNS validation a great option for those who are migrating between servers and need to secure the website on the new server before making the domain live, which HTTP validation cannot do because it requires the domain to already be pointed to the server.
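The PowerShell script below checks, for each hostname bound to an IIS site, whether public DNS already points to this server (so HTTP validation can work) or not (so DNS validation is needed). It is an added example, not part of Certify the Web; the site name, the expected IP addresses (documentation placeholders) and the public resolver are assumptions to replace with your own values.

```powershell
# Added example: decide per hostname between HTTP validation and DNS validation.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'                 # assumption: the IIS site to check
$ExpectedIps = @('203.0.113.10', '2001:db8::10')  # placeholders: public IPs of THIS server
$Resolver    = '1.1.1.1'                          # assumption: a public resolver, so internal
                                                  # DNS or the hosts file cannot mask the answer
$expected = $ExpectedIps | ForEach-Object { ([ipaddress]$_).IPAddressToString }

# bindingInformation has the form "IP:port:hostname"; the hostname is the last field.
$hostnames = Get-WebBinding -Name $SiteName |
    ForEach-Object { ($_.bindingInformation -split ':')[-1] } |
    Where-Object { $_ } |
    Sort-Object -Unique

$report = foreach ($name in $hostnames) {
    # Query both record types: an AAAA record that points elsewhere matters as much as an A record.
    $ips = @(foreach ($type in 'A', 'AAAA') {
        Resolve-DnsName -Name $name -Type $type -Server $Resolver -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } |
            ForEach-Object { ([ipaddress]$_.IPAddress).IPAddressToString }
    })
    $ips   = @($ips | Sort-Object -Unique)
    $stray = @($ips | Where-Object { $_ -notin $expected })

    if ($ips.Count -eq 0) {
        $verdict = 'Does not resolve publicly: use DNS validation'
    } elseif ($stray.Count -gt 0) {
        $verdict = 'Points to another server: use DNS validation'
    } else {
        $verdict = 'Points here: HTTP validation can work'
    }

    [pscustomobject]@{ Hostname = $name; Resolved = ($ips -join ', '); Verdict = $verdict }
}

$report | Format-Table -AutoSize
```

The script only checks DNS; it does not test whether the server is reachable over HTTP from the internet.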

To enable DNS validation, follow the steps below:

1. Navigate to the "Settings" tab, then select "General Settings" if not already there.

2. Enable the "Enable DNS Validation Checks (Resolution, CAA, DNSSEC)" option.

3. Next, select the "Stored Credentials" tab and then click the "Add New Stored Credential" button.

4. You should now select your credential type, which is dependent on what type of DNS server your domain(s) are using. Certify the Web integrates with most of the popular DNS providers.

  • If your DNS is hosted on the server using Microsoft DNS, choose the Microsoft DNS API option.
  • If your DNS is hosted on Cloudflare, then use the Cloudflare DNS API option.
  • For all other options, check if your DNS provider is listed, and if so, select the desired option.

5. With your desired option selected, enter the custom fields related to the DNS platform you chose. For example, some platforms require an API key, username and/or password.

  • If you chose the Microsoft DNS API option, then use 127.0.0.1 as the domain and an administrator username and password in their respective fields.

6. Provide a name that references your DNS server, enter the correct credentials that allow Certify the Web to connect to your DNS provider, and then click "Save."

7. Now that you have DNS validation enabled and configured, you can set a certificate to use the DNS validation option by clicking "Authorization" on the new or managed certificate, then changing the "Challenge Type" to DNS.

  • Depending on your DNS type, you may need to change the "DNS Update Method" drop-down to the correct type, at which point your stored credential should then automatically be selected. If not, you can click the "Credentials" drop-down to find your stored credential or click "New" to create a new credential.


If you need any help using Certify the Web or issuing certificates, please get in touch with our Support team.