PowerShell module and ACME client to create certificates from Let's Encrypt (or other ACME CA)
rmbolger/Posh-ACME
A PowerShell module and ACME client to create publicly trusted SSL/TLS certificates from an ACME-capable certificate authority such as Let's Encrypt.
- Multi-domain (SAN) and wildcard (`*.example.com`) certificates supported
- IP address certificates (RFC 8738) (requires ACME CA support)
- All-in-one command for new certs, `New-PACertificate`
- Easy renewals with `Submit-Renewal`
- RSA and ECDSA keys supported for accounts and certificates
- Built-in validation plugins for DNS and HTTP based challenges. (pull requests welcome)
- Support for pre-created certificate requests (CSR)
- PEM and PFX output files
- No elevated Windows privileges required (unless using the `-Install` switch)
- Cross platform PowerShell support. (FAQ)
- Account key rollover support
- OCSP Must-Staple support
- DNS challenge CNAME support
- Multiple ACME accounts supported per ACME CA.
- External Account Binding support for ACME CAs that require it (Guide)
- Preferred Chain support to use alternative CA trust chains (Guide)
- PowerShell SecretManagement support (Guide)
- ARI (ACME Renewal Information) support based on draft 07.
- ACME Profiles support based on draft 00.
The latest release can be found in the PowerShell Gallery or the GitHub releases page. Installing is easiest from the gallery using `Install-Module`. See Installing PowerShellGet if you run into problems with it.
```powershell
# install for all users (requires elevated privs)
Install-Module -Name Posh-ACME -Scope AllUsers

# install for current user
Install-Module -Name Posh-ACME -Scope CurrentUser
```
NOTE: If you use PowerShell 5.1 or earlier, `Install-Module` may throw an error depending on your Windows and .NET version due to a change PowerShell Gallery made to their TLS settings. For more info and a workaround, see the official blog post.
Use the following PowerShell command to install the latest development version from the git `main` branch. This method assumes a default `PSModulePath` environment variable and installs to the CurrentUser scope.

```powershell
iex (irm https://raw.githubusercontent.com/rmbolger/Posh-ACME/main/instdev.ps1)
```
You can also download the source manually from GitHub and extract the `Posh-ACME` folder to your desired module location.
The minimum parameters you need for a cert are the domain name and the `-AcceptTOS` flag. This uses the default `Manual` DNS plugin, which requires you to manually edit your DNS server to create the TXT records required for challenge validation.

```powershell
New-PACertificate example.com -AcceptTOS
```
NOTE: On Windows, you may need to set a less restrictive PowerShell execution policy before you can import the module.

```powershell
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Posh-ACME
```
Here's a more complete example with a typical wildcard cert utilizing a hypothetical `FakeDNS` DNS plugin that also adds a contact email address to the account for expiration notifications.

```powershell
$certNames = '*.example.com','example.com'
$email = 'admin@example.com'
$pArgs = @{ FDToken = (Read-Host 'FakeDNS API Token' -AsSecureString) }
New-PACertificate $certNames -AcceptTOS -Contact $email -Plugin FakeDNS -PluginArgs $pArgs
```
To learn how to use a specific plugin, check out `Get-PAPlugin <PluginName> -Guide`. There's also a tutorial for a more in-depth guide to using the module.
The output of `New-PACertificate` is an object that contains various properties about the certificate you generated. Only a subset of the properties are displayed by default. To see the full list, including the filesystem paths to any certificate files that were generated, pipe the original output to `Format-List` or use `Get-PACertificate | Format-List`. You can also get the path to the server's config using `(Get-PAServer).Folder`.
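As an added example (not code from the Posh-ACME project), here is a renewal wrapper built from the cmdlets above: it runs `Submit-Renewal`, detects whether a new certificate was actually issued by comparing thumbprints, and only then copies the full chain and private key out of the Posh-ACME state folder into a service directory with a tightened ACL. It assumes the order was first created with `New-PACertificate`; the `Thumbprint`, `NotAfter`, `FullChainFile` and `KeyFile` property names are those of the Posh-ACME certificate object, the deploy path is a placeholder, and the ACL step is Windows-only.

```powershell
# Renew-if-due wrapper (added example, not part of Posh-ACME). Assumes the
# order for $MainDomain already exists; $DeployDir is a placeholder path.
param(
    [string]$MainDomain = 'example.com',
    [string]$DeployDir  = 'C:\ProgramData\MyService\tls'   # placeholder
)

Import-Module Posh-ACME

# Thumbprint of the certificate currently on disk for this order.
$before = Get-PACertificate -MainDomain $MainDomain
if (-not $before) {
    throw "No Posh-ACME certificate found for $MainDomain; run New-PACertificate first."
}

# Submit-Renewal only talks to the CA once the renewal window (or ARI) says
# it is time; otherwise it leaves the existing certificate untouched.
Submit-Renewal -MainDomain $MainDomain | Out-Null

$after = Get-PACertificate -MainDomain $MainDomain
if ($after.Thumbprint -eq $before.Thumbprint) {
    Write-Host "Not renewed; cert for $MainDomain expires $($after.NotAfter.ToString('u'))."
    return
}

# A new cert was issued: copy full chain and key out of the state folder
# (which lives under (Get-PAServer).Folder) into the service directory.
New-Item -ItemType Directory -Path $DeployDir -Force | Out-Null
$keyPath = Join-Path $DeployDir 'privkey.pem'
Copy-Item $after.FullChainFile (Join-Path $DeployDir 'fullchain.pem') -Force
Copy-Item $after.KeyFile $keyPath -Force

# Restrict the private key to Administrators and SYSTEM (Windows only):
# drop inherited ACEs, then grant only the two explicit principals.
$acl = Get-Acl $keyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl $keyPath $acl

Write-Host "Renewed $MainDomain; thumbprint $($after.Thumbprint), expires $($after.NotAfter.ToString('u'))."
# Placeholder: reload the service that consumes the files here.
```

Schedule the script (for example with a daily scheduled task) so the renewal window is checked regularly; the copy and ACL work only happen on the runs where a new certificate was issued.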
- Supports Windows PowerShell 5.1 (Desktop edition) with .NET Framework 4.7.1 or later
- Supports PowerShell 6.2 or later (Core edition) on all supported OS platforms.
- Requires `FullLanguage` language mode
NOTE: PowerShell 6.0-6.1 should also work, but there are known issues when using `SecureString` or `PSCredential` plugin args on non-Windows platforms.
See CHANGELOG.md