- RSA and ECC private keys supported for accounts and certificates
- DNS challenge plugins for various DNS servers and providers (PRs welcome)
- DNS challenge CNAME support
- Help system for DNS plugins using Get-DnsPlugins and Get-DnsPluginHelp
- DNS plugins support batch updates
- Multiple accounts supported per user profile, which allows different certs to have different contact emails
- PEM and PFX output files
- No elevated Windows privileges required

Features lacking at the moment:

- Extensive list of DNS plugins (this is my highest priority now that it's released, particularly acme-dns)
- Pre/Post hooks to aid with certificate deployment and automation
- HTTP challenge support
- Account key rollover
- PowerShell Core support
During development, I was particularly inspired by acme.sh which is a fantastic client for non-Windows platforms. I wanted the same feeling but on Windows and none of the existing Windows native clients I found really fit the bill. Even fewer supported ACMEv2 with wildcards.
There’s a Quick Start in the project readme. There’s also a much more in-depth tutorial.
Thanks for this, the simplest, easiest-to-use ACME PowerShell client. I've migrated my automation to this from ACMESharp (as I'm still waiting for v2 support). The native integration with AWS/R53 was also a great win.
Looking forward to seeing usable output / hooks for easier use in automation!
Glad you like it. The automation hooks are the next thing I’d love to get working. But I’m still trying to figure out how it should work. I’d love any input you have.
For instance, would outputting some sort of certificate object with details like the thumbprint, paths to files, etc. be good enough? Or do you think people would like a more formal deployment plugin system like the DnsPlugins, such that you'd need to add additional parameters to the call to New-PACertificate?
I actually like the idea of writing cert details to the pipeline on new issuance and renewal and that should be pretty easy to implement as well. I was also thinking of adding a switch like -Install that would optionally add the resulting cert to the computer’s cert store (which obviously necessitates running as admin).
But I also feel like there should be an easier way to do what I think would be common tasks with the resulting cert such as associating it with an IIS site, RDP or RD Gateway services, Exchange endpoints, etc. But a lot of those workflows get complicated pretty quickly. So it’s hard to imagine what a formal plugin-like system would look like.
Perhaps canned workflows like that would make more sense in a separate module or collection of scripts intended to be used with the cert detail output from Posh-ACME?
Posh-ACME 2.1 is now released. From the changelog:

- Added account key rollover support. Use the -KeyRollover switch in Set-PAAccount.
- Added PfxPass (SecureString) to Get-PACertificate output
- Added new DNS plugins
  - DMEasy (DNS Made Easy)
  - GoDaddy. Thanks @Rukas!
- All calls to Invoke-WebRequest and Invoke-RestMethod now use -UseBasicParsing to avoid issues with PowerShell using Internet Explorer's DOM parser. Thanks @Rukas!
- Fixed hard coded cert store paths in Import-PfxCertInternal
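The deployment question raised in the hooks discussion above (pipe the cert object from New-PACertificate / Get-PACertificate / Submit-Renewal into something that installs it, which needs admin even though Posh-ACME itself does not) and the 2.1 additions (Set-PAAccount -KeyRollover, PfxPass on the cert object) can be put together in a short script. This is an added example, not code from the thread or from the Posh-ACME project. It assumes Posh-ACME 2.1 or later and the Windows PKI module (Import-PfxCertificate); the New-PACertificate parameter names (-DnsPlugin, -PluginArgs), the cert-object fields other than PfxPass (Thumbprint, PfxFile), and the Install-PACertToStore function are assumptions for illustration, not part of the module.

```powershell
#Requires -Modules Posh-ACME
# Added example, not Posh-ACME's own code. Assumes Posh-ACME 2.1+ (PfxPass,
# -KeyRollover) and the Windows PKI module. Parameter names -DnsPlugin/-PluginArgs
# and the Thumbprint/PfxFile fields follow the 2.x syntax as assumed here.

function Install-PACertToStore {
    # Hypothetical helper: takes a Posh-ACME cert object from the pipeline and
    # imports its PFX into a Windows cert store, idempotently.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $PACert,
        [string] $StoreLocation = 'Cert:\LocalMachine\My'
    )
    process {
        # Issuance needs no elevation, but writing to the machine store does.
        # Fail early with a clear message instead of a cryptic access-denied.
        $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
        $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        if ($StoreLocation -like 'Cert:\LocalMachine\*' -and -not $isAdmin) {
            throw "Importing into $StoreLocation requires an elevated session."
        }

        # Renewal may hand back a cert already installed (same thumbprint): skip it.
        $existing = Get-ChildItem $StoreLocation | Where-Object Thumbprint -eq $PACert.Thumbprint
        if ($existing) {
            Write-Verbose "Thumbprint $($PACert.Thumbprint) already present in $StoreLocation"
            return $existing
        }

        # PfxPass is a SecureString (added in 2.1), which is exactly what
        # Import-PfxCertificate -Password expects; no plaintext password on disk.
        if ($PSCmdlet.ShouldProcess($PACert.PfxFile, "Import into $StoreLocation")) {
            Import-PfxCertificate -FilePath $PACert.PfxFile `
                                  -CertStoreLocation $StoreLocation `
                                  -Password $PACert.PfxPass `
                                  -Exportable
        }
    }
}

# 1. Rotate the ACME account key first (2.1 feature). Posh-ACME keeps the
#    account registration and swaps the key on the server side.
Set-PAAccount -KeyRollover

# 2. Issue (or fetch) the cert. Apex + wildcard in one order via a DNS plugin;
#    the plugin name and args are placeholders for whichever provider you use.
$cert = New-PACertificate 'example.com','*.example.com' -AcceptTOS `
            -Contact 'ops@example.com' `
            -DnsPlugin Route53 -PluginArgs @{ R53ProfileName = 'posh-acme' }

# 3. Deploy by piping the cert object; the same pipeline works for renewals.
$cert | Install-PACertToStore -Verbose
Submit-Renewal | Install-PACertToStore -Verbose
```

The check on the store location keeps the elevation requirement where it belongs: everything up to and including New-PACertificate runs as an ordinary user, and only the import step demands an admin session. Because the function compares thumbprints before importing, it is safe to run on a schedule after Submit-Renewal without accumulating duplicate certs in the store.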
You’re quite welcome. I’m also working on a companion module to make deploying the certs easier. It’s not quite ready for prime time yet. But you can test the dev version if you’d like. The included functions are intended for piping from the output of New-PACertificate, Get-PACertificate, and Submit-Renewal.
I also recently solved one of the initial problems I was having with PowerShell Core support in the main module and have started working on making that go as well.
Great work. I’ve so far been unable to get GoDaddy to recognize the TXT entries for a cert verification, but I’ve gotten it to work with others (like DNSSimple.)
The GoDaddy plugin was contributed by another user so I couldn't fully test it myself. But if you have time, create an issue on the GitHub project and we can try to work through it. Might be able to pull in the original plugin author there as well.