This article explains how to remove a Let’s Encrypt certificate in Windows if you decide to switch to another Certificate Authority (CA). The process involves several steps, including disabling auto-renewal, removing the certificate, and cleaning up related data.

Step 1: Removing the Auto-Renewal Task in Task Scheduler

When using the WACS client to install Let’s Encrypt certificates, a task is automatically created in Task Scheduler for certificate renewal. To disable it:

1. Open Task Scheduler by running taskschd.msc.

2. Locate the win-acme renew task (acme-v02.api.letsencrypt.org).

3. Disable or delete this task.

If you have multiple certificates with auto-renewal, use the following command to list them:

.\wacs.exe --list

To cancel the renewal of a specific certificate by its name:

.\wacs.exe --cancel --friendlyname "[Manual] 123356.softcomputers.org"

Auto-renewal settings for each certificate are stored in *.renewal.json files in the directory C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org. To remove the renewal settings for a certificate, you can simply delete its JSON file.

Step 2: Revoking the Let’s Encrypt Certificate

To revoke a certificate, run the following command:

.\wacs.exe --revoke --friendlyname "[Manual] 123356.softcomputers.org"

You can also disable renewal tasks and revoke the certificate through the WACS utility menu. The option is located in the A: Manage renewals section.

Step 3: Disabling the Certificate in IIS

1. Open the IIS Management Console by running inetmgr.

2. Go to Site Bindings and select a different certificate for the site instead of Let’s Encrypt.

3. In the Server Certificates section, remove the Let’s Encrypt certificate.

You can also remove the certificate from the certificate store manually. First, list the Let’s Encrypt certificates in all stores with:

dir cert: -Recurse | Where-Object { $_.Issuer -like "*Let's Encrypt*" } | select FriendlyName,Subject,NotBefore,NotAfter,PSParentPath,thumbprint

Then, remove the certificates via the certlm.msc console. Expand the Web Hosting -> Certificates section and delete the Let’s Encrypt certificates.

Step 4: Cleaning Up the WACS Client and Data

Delete the following folders:

– The WACS client directory (e.g., C:\PS\wacs).

– The C:\ProgramData\win-acme folder (containing certificate files, keys, and configurations).

Step 5: Restarting IIS

After completing all steps, restart IIS:

iisreset

Your server is now cleared of Let’s Encrypt certificates and ready to use a new CA.
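
A read-only check to run after the last step (an added example, not part of the original article or of win-acme): it reports Let’s Encrypt certificates still in the LocalMachine stores, IIS bindings that still reference them, a leftover renewal task, and remaining win-acme data. It assumes an elevated PowerShell session, the WebAdministration module that ships with IIS, and the task name and data folder given in the steps above.

```powershell
# Added example: read-only audit, nothing on the server is modified.
Import-Module WebAdministration -ErrorAction Stop   # provides the IIS:\ drive

# 1. Let's Encrypt certificates still present in any LocalMachine store.
$leCerts = @(Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_.Issuer -like "*Let's Encrypt*" })
$leThumbprints = @($leCerts | Select-Object -ExpandProperty Thumbprint -Unique)

# 2. HTTPS bindings that still reference one of those certificates.
#    A hit here means a site is still serving the old (possibly revoked) certificate.
$staleBindings = @(Get-ChildItem IIS:\SslBindings |
    Where-Object { $leThumbprints -contains $_.Thumbprint })

# 3. Renewal task left in Task Scheduler (matched by name, enabled or disabled).
$renewTasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like '*win-acme*' })

# 4. win-acme data folder from Step 4 (renewal settings, certificate files, keys).
$dataDir = 'C:\ProgramData\win-acme'
$renewalFiles = @()
if (Test-Path $dataDir) {
    $renewalFiles = @(Get-ChildItem $dataDir -Recurse -Filter '*.renewal.json' -File)
}

# Details of anything found.
$leCerts | Select-Object Subject, NotAfter, Thumbprint, PSParentPath |
    Format-List | Out-Host
$staleBindings | Select-Object IPAddress, Port, Host, Store, Thumbprint |
    Format-Table -AutoSize | Out-Host
$renewTasks | Select-Object TaskName, State | Format-Table -AutoSize | Out-Host

# Summary: every count should be 0 and DataFolderPresent should be False.
[pscustomobject]@{
    LetsEncryptCertsInStore = $leCerts.Count
    BindingsUsingThem       = $staleBindings.Count
    RenewalTasks            = $renewTasks.Count
    DataFolderPresent       = Test-Path $dataDir
    RenewalJsonFiles        = $renewalFiles.Count
} | Format-List | Out-Host
```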