ISRG Root X1 signed certificates with win-acme for IIS

On september the 30th of 2021, the Let's Encrypt DST Root CA X3 certificate expired .

If you are hosting a website on Windows Server with IIS, if you generated your TLS certificates with win-acme and if you don't have the new ISRG Root X1 certificate in your Windows trust store, the certificates of your website were signed with the now obsolete DST Root CA X3, and your website/service might not be accessible by some clients.

To generate certificates signed with the ISRG root certificate, you need to first install this Root cert in your trust store.

  • On your Windows Server, download the self-signed ISRG Root X1 der certificate :

  • Then install the certificate.

  • Disable the old DST Root CA X3 :
    Windows > "Manage computer certificates" > Trusted Root Certification Authorities > Certificates
    Then right-click "DST Root CA X3" > Properties and tick "Disable all purpose for this certificate".


You can now generate new valid certificates for your websites with win-acme client.