More info: https://cultiv.nl/blog/lets-encrypt-on-windows/

LetsEncrypt.ps1

#FYI - this is where the vault is created:
#Running as Admin: C:\ProgramData\ACMESharp\sysVault
#Running as User:  C:\Users\NAME\AppData\Local\ACMESharp\userVault
Import-Module ACMESharp
$domain = "DOMAINNAME"
$email = "CONTACTEMAIL"
$certOutput = "C:\CertOutput\{0}\{1}" -f $domain, [guid]::NewGuid()
mkdir $certOutput
cd $certOutput

Initialize-ACMEVault
New-ACMERegistration -Contacts mailto:$email -AcceptTos
New-ACMEIdentifier -Dns $domain -Alias dns1

$completedChallenge = Complete-ACMEChallenge dns1 -ChallengeType dns-01 -Handler manual
Write-Host "Press ENTER when this is done oi."
Read-Host
$challenge = Submit-ACMEChallenge dns1 -ChallengeType dns-01

While ($challenge.Status -eq "pending") {
    Start-Sleep -m 500 # wait half a second before trying
    Write-Host "Status is still 'pending', waiting for it to change..."
    #To check status of Challenge: 
    #(Update-ACMEIdentifier dns1 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}
    $challenge = Update-ACMEIdentifier dns1
}

If($challenge.Status -eq "valid") {
    New-ACMECertificate dns1 -Generate -Alias cert1
    # NOTE: If you have existing keys you can use them as well, this is good to do if you want to use HPKP
    # New-ACMECertificate -Identifier dns1 -Alias cert1 -KeyPemFile path\to\key.pem -CsrPemFile path\to\csr.pem
    $certificateInfo = Submit-ACMECertificate cert1

    While([string]::IsNullOrEmpty($certificateInfo.IssuerSerialNumber)) {
        Start-Sleep -m 500 # wait half a second before trying
        Write-Host "IssuerSerialNumber is not set yet, waiting for it to be populated..."
        $certificateInfo = Update-ACMECertificate cert1
    }

    Get-ACMECertificate cert1 -ExportPkcs12 $certOutput\cert1-all.pfx

    Write-Host "All done, there's a cert1-all.pfx file in $certOutput."
} Else {
    $message = "Status is '{0}', can't continue as it is not 'valid'." -f $challenge.Status
    Write-Host $message
}