Lets Encrypt With PowerShell

Let’s Encrypt is a service which provides free SSL certificates. The certificates are not provided through a website, and no CSR is required, instead, it is either integrated into your hosting platform/provider (ie, cPanel), or they can be manually obtained through the CLI.

One final catch is that the certificates expire after only 90 days, but there are many ways to automate re-generation.

While most of the tools are made for Linux, there are PowerShell modules which allow a valid and trusted certificate to be generated.

Here we will demonstrate use of the Posh-ACME module to obtain a certificate. There is a fantastic tutorial here, but I wanted to record a summarised version for my own use.

Install the PowerShell Module

Install-Module -Name Posh-ACME

Request a certificate

PS C:\> New-PACertificate "mail.domain.com","autodiscover.domain.com" -AcceptTOS -Contact your@email.com -DnsPlugin Manual
WARNING: Fewer DnsPlugin values than Domain values supplied. Using Manual for the rest.

Please create the following TXT records:
------------------------------------------
_acme-challenge.autodiscover.domain.com -> el8NXSkcHMXetzchyl7pOlMA3Ub2uKkEtRhv8CYf9ZA
_acme-challenge.remote.domain.com -> Xo1GbX1hN9YYR2rBZ-1vKmQ07zD6vbUuTyXguQwLM9E
------------------------------------------

Press any key to continue.:

There are some brief things to discuss here. We can specify multiple domains to generate a multi-SAN certificate (sometimes called a Unified Communications certificate).

We could have also requested a wildcard certificate with “*.domain.com”.

The -Contact parameter is optional. Providing this allows Let’s Encrypt to send you an email to advise if a certificate is close to expiring. Multiple email addresses can be provided.

The -DNSPlugin parameter specifies that we will manually update DNS records to prove domain ownership. There are modules for various providers which can automate this process.

Once the TXT records have been created, we can proceed. A 2 minute countdown timer will begin to allow for DNS propagation, and the TXT records will then be validated. If all is ok, the certificate will be generated.

Please remove the following TXT records:
------------------------------------------
_acme-challenge.autodiscover.domain.com -> el8NXSkcHMXetzchyl7pOlMA3Ub2uKkEtRhv8CYf9ZA
_acme-challenge.remote.domain.com -> Xo1GbX1hN9YYR2rBZ-1vKmQ07zD6vbUuTyXguQwLM9E
------------------------------------------


Subject                 NotAfter              KeyLength Thumbprint                               AllSANs
-------                 --------              --------- ----------                               -------
CN=remote.domain.com 13/01/2019 6:24:53 PM 2048      50550D960EA54CCE61A7DB6EE6011B63E0F0E91A {remote.domain.com,autodiscover.domain.com}

We can then remove the TXT records to keep DNS clean.

Lastly, we need to see where our certificates have been saved. This is done with the Get-PACertificate command.

PS H:\> Get-PACertificate | fl

Subject       : CN=remote.domain.com
NotBefore     : 15/10/2018 6:24:53 PM
NotAfter      : 13/01/2019 6:24:53 PM
KeyLength     : 2048
Thumbprint    : 50550D960EA54CCE61A7DB6EE6011B63E0F0E91A
AllSANs       : {remote.domain.com, autodiscover.domain.com}
CertFile      : C:\Users\username\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\43870910\remote.domain.com\cert.cer
KeyFile       : C:\Users\username\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\43870910\remote.domain.com\cert.key
ChainFile     : C:\Users\username\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\43870910\remote.domain.com\chain.cer
FullChainFile : C:\Users\username\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\43870910\remote.domain.com\fullchain.cer
PfxFile       : C:\Users\username\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\43870910\remote.domain.com\cert.pfx
PfxFullChain  : C:\Users\username\AppData\Local\Posh-ACME\acme-v02.api.letsencrypt.org\43870910\remote.domain.com\fullchain.pfx
PfxPass       : System.Security.SecureString

When importing the certificate into the cert store, you’ll want to import the cert.pfx, which will have a password of poshacme.

There we have it, too easy!