[Jaruzel]

I totally agree with this.

I am not comfortable running a daily, task scheduler based, third party script with local admin rights, on my Windows Server, that checks my Lets Encrypt certs and auto renews them.

However, now that Chrome v56+ is revoking StartSSL.com certs, I've probably got no choice. Either that, or actually PAY for a multi-domain cert (Comodo do a fairly cheap one).

[tokenizerrr]

> third party script with local admin rights

Why? Just have it drop the certs in some directory and then reload the services. Just give the account running the script permissions to only reload services.

I assume such is possible on Windows, but I don't know for sure because I only use Linux servers. It is trivial there, so I assume you can do it on Windows as well.

[Jaruzel]

It's not unfortunately - Certs are held in the Computer partition of the Windows Credential Store, which you need elevated rights to update. It sucks, but that's how it's designed. You also need to re-associate the renewed cert (once its in the credential store) with the IIS binding as well, and then you can stop/start the website instance. Again also needing elevated rights.