Script to pull down wildcard and new root certs

We're using POSH-ACME to get new 90-day certs, which is working great, but for some reason it's not pulling in an updated root and intermediate cert. The PowerShell command I'm running to get my certs is:

Import-Module Posh-ACME
Submit-Renewal -AllAccounts -Force

But when I look at the cert, the only thing that is updating is our wildcard; the others show expiration 9/29. Is there a procedure someone can point me to for help in getting the newer certs?

Thank you

Is the reason you're using the -AllAccounts flag because you actually have multiple accounts configured? What does the output of Get-PAAccount -List look like?

Where are you looking at the cert? In PowerShell? On the filesystem? In the Windows cert store? Posh-ACME doesn't install new certs to the Windows cert store by default unless the order has been configured to do so. It also won't work if you're not running the renewal process as admin.


The use of Force is rarely a good, or required, thing.


This is probably the Windows R3 problem. Run certlm.msc, browse to Intermediate Certificate Authorities > Certificates, find the R3 issued by DST Root CA X3, right-click > Properties. Check 'Disable all purposes for this certificate'. The old/expiring R3 will no longer be served by your chain (a reboot may be required to make it happen in some cases).


Actually, in testing my above advice (which is second-hand from somewhere else) I'm still seeing the wrong chain even after disabling the cert purposes and rebooting. Just delete it (and reboot) instead.

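A read-only check for the situation the replies above describe, as an added example that is not part of any post in the thread: it lists any R3 issued by DST Root CA X3 in the machine's Intermediate store and, optionally, prints the chain this machine builds for a renewed cert. The function name and the `-LeafPath` parameter are hypothetical; the caller supplies the path to the leaf certificate file.

```powershell
# Added example, not from the thread. Reports only; it disables and deletes nothing.
function Test-R3Chain {
    param(
        # Hypothetical parameter: path to the renewed leaf cert (PEM or DER). Optional.
        [string]$LeafPath
    )

    # Same view as certlm.msc > Intermediate Certification Authorities > Certificates.
    $old = Get-ChildItem Cert:\LocalMachine\CA | Where-Object {
        $_.Subject -match '(^|,\s*)CN=R3(,|$)' -and
        $_.Issuer  -match 'CN=DST Root CA X3'
    }

    if ($old) {
        Write-Host 'R3 issued by DST Root CA X3 found in LocalMachine\CA:'
        $old | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
    } else {
        Write-Host 'No R3 issued by DST Root CA X3 in LocalMachine\CA.'
    }

    if (-not $LeafPath) { return }

    # Build the chain in machine context so the LocalMachine stores are used.
    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($LeafPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    # Skip revocation lookups: only the path selection matters here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)

    Write-Host "Chain built for $($leaf.Subject):"
    foreach ($element in $chain.ChainElements) {
        $c    = $element.Certificate
        $flag = if ($c.Issuer -match 'CN=DST Root CA X3') { '  <-- issued by DST Root CA X3' } else { '' }
        Write-Host ("  {0}`n    issuer:  {1}`n    expires: {2:yyyy-MM-dd}{3}" -f `
            $c.Subject, $c.Issuer, $c.NotAfter, $flag)
    }
    $chain.Dispose()
}

# Store check only:
Test-R3Chain
```

Run it before and after the change described above (and after the reboot) to confirm which R3 the machine store holds and which issuer appears in the built chain.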
