Skip to main content

Command Line (CLI)

A set of command line are available using the tool certify.exe which is found in the installation directory. The commands must be performed using an elevated administrators account.


Most users do not need to use the command line options at all. By default all certificate renewals are taken care of automatically by the Certify background service.

Usage: certify <command>

Manage ACME Accounts

  • certify acmeaccount list: list registered acme account details (JSON output)

  • certify acmeaccount add <ACME CA ID> <your contact email> <optional EAB key id> <optional EAB Key>: add a new ACME account

You can use the acmeacccount add command to add/create a new ACME account registration. Using this command implies your agreement with the chosen ACME CAs current terms and conditions :

Example - Create Let's Encrypt Account:

certify acmeaccount add [email protected]

Example - Add Zero SSL Account with your EAB key id and key:

certify acmeaccount add [email protected] "abcdkeyid" "_Example_Key_Value_"

Listing Managed Certificates

  • certify list : list managed certificates and current running/not running status in IIS

  • certify list --json <path-to-output-json> : output list of managed certificates as JSON to a given file path.

Performing Renewals and Deployment Tasks

  • certify renew : renew certificates for all auto renewed managed certificates, if they are due or have not yet been requested.

  • certify renew --renew-all-due : renew all certificates which are due or have not yet been requested even if auto-renew is not enabled.

  • certify renew --force-renew-all : renewal for all auto renewed certificates even if they are not yet due.

  • certify renew --renew-witherrors : attempt renewal for all certificates which have most recently failed to renew.

  • certify deploy "<managed cert id>" "<task id>" : perform a specific deployment task for the given managed certificate. See the Manual trigger mode for deployment tasks.

Adding or Remove Managed Certificates

  • certify importcsv : import managed certificates from a CSV file. See CSV Import for more details

The certify add and certify remove commands can be used to add or remove domains from an existing managed certificate or create a new managed certificate. You can find the correct managed certificate ID in the app under Certificate > Advanced > Actions > Managed Certificate Reference Id (e.g. a02e3afe-49ba-470a-83e5-2e397aa946eb:1). The remove command accepts any as the managed cert id to remove the matching domains from any managed certificates.

These will not request/renew the actual certificate unless you append --perform-request to the end of the command. These commands assume the same domain validation settings are being used for all domains on the same managed certificate:

  • certify remove <managed cert id, or any>; : remove one or more certificates from the configuration of a managed certificate. If removing a domain will mean there are zero domains remaining on the certificate then the managed certificate will be removed completely.

  • certify add <managed cert id, or new>; : add one or more additional domains to the configuration of a managed certificate. e.g. certify add new

  • certify add new; --template C:\Temp\managedcert-template.json : add new managed cert with given domain, using a template (json exported from an existing managed cert).

using templates

Templates are an advanced feature intended only for users who require managed certificate automation with non-default challenge configuration (e.g. DNS validation).

To generate a template:

  • Use certify list --json output.json to export your managed certificates as JSON
  • Edit the JSON file down to a single item, removing the array [ ... ]
  • Save the file as your new template. Domains etc will be discarded from the template and you still need to provide these arguments

Templates are not guaranteed to stay compatible between major version updates so you should test integrations which use them with each new release.


  • certify diag : check existing ssl bindings and managed certificate integrity

  • certify httpchallenge keys=stop,configcheck : run the temporary http challenge server on port 80 to test firewall and routing configuration. This uses http.sys to register a listener for ACME http challenges as http:/*/.well-known/acme-challenge/ and will not conflict with IIS. The server will run for 60 seconds after the last matching request is received or until stopped by calling the control key.

With the example control key stop and config check key configcheck you can:

  • test your servers response using http://<your domain or server ip>/.well-known/acme-challenge/configcheck e.g.
  • stop the service using http://<your domain or server ip>/.well-known/acme-challenge/stop.

The user agent returned should be Certify/HttpChallengeServer

Managing license activation

  • certify activate <email> <key> : activate the license for this instance of Certify The Web. Useful for larger scale automated deployments.

  • certify deactivate <email> : deactivates the license for this instance of Certify The Web.