Created February 17, 2019 04:41
<#######################
A simple starter for Let's Encrypt using PowerShell and the IIS Central Certificate Store

Assumptions:
* You have password safe software with an API that is accessible from a PowerShell module
* You already have IIS configured with the Central Certificate Store
* You use GoDaddy for DNS
########################>

# 1. Install Posh-ACME (https://github.com/rmbolger/Posh-ACME)
Install-Module Posh-ACME
#Import-Module Posh-ACME

# These are some useful commands to get started with Posh-ACME
# Get-Command -Module Posh-ACME
# Get-Command -Module Posh-ACME *cert*

# 2. Set up your hostname. This host should be registered with GoDaddy.
$hostname = "somesite.yourdomain.com"

# 3. Create an account with ACME. New-PAAccount returns the account object; its id is what Set-PAAccount expects.
$account = New-PAAccount -Contact "[email protected]" -KeyLength 4096 -AcceptTOS
$accountId = $account.id
Set-PAAccount -ID $accountId # You should store your accountId in a password safe

# 4. Import your password safe module
Import-Module SecretServer

# 5. Get the GoDaddy API keys from the password safe
$goDaddySecret = Get-SecretServerSecret -Filter "Posh-ACME"
$pArgs = @{
    GDKey    = $goDaddySecret.Username
    GDSecret = $goDaddySecret.Password
}

# 6. Create a new Let's Encrypt certificate, proving ownership with a DNS record in GoDaddy
New-PACertificate -Domain $hostname -AcceptTOS -DnsPlugin GoDaddy -PluginArgs $pArgs

# 7. Retrieve the certificate
$cert = Get-PACertificate -MainDomain $hostname

# 8. Import the certificate into the local machine's certificate store
# Import-PfxCertificate here comes from the author's CertificatesModule (parameters -CertPath/-PfxPass),
# not the built-in PKI cmdlet: https://gist.github.com/smaglio81/19146391f7f94e2449e16d3318be1ef7
Import-Module CertificatesModule
Import-PfxCertificate -CertPath $cert.PfxFullChain -PfxPass $cert.PfxPass

# 9. Pull the certificate password used by the Central Certificate Store from the password safe
$sharedSslSecret = Get-SecretServerSecret -Filter "Shared SSL PFX"
$securedSslPassword = ConvertTo-SecureString -String $sharedSslSecret.Password -AsPlainText -Force

# 10. Export the certificate (with its chain) to the Central Certificate Store's shared directory
$sharedPfxFilePath = "D:\AllContent\SharedSSL\Local\$hostname.pfx"
$certPath = "Cert:\LocalMachine\My\$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -ChainOption BuildChain -FilePath $sharedPfxFilePath -Password $securedSslPassword -Force

<# IIS ERROR - BAD DATA
If the Central Certificate Store in IIS is unable to read certificates generated by Let's Encrypt, the
problem is most likely that the account it runs under doesn't have access to the
Let's Encrypt Authority X3 certificate in the mmc.exe Certificates snap-in (this is the middle
certificate in the chain).
Full description: https://github.com/ridercz/AutoACME/issues/14 (look for Steven Maglio's response)
You will need to open mmc.exe as the user account that the Central Certificate Store runs under
and import any Let's Encrypt generated certificate into the CurrentUser\My store. This will import
the missing certificate and things should then work.
#>
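As an added verification step that is not part of the original gist: after step 10, this function opens the exported PFX with the same password, checks the file name and DNS name against the CCS hostname, builds the chain in machine context, and reports whether the issuer is present in the machine-wide Intermediate Certification Authorities store (Cert:\LocalMachine\CA), which every account on the host can read. The function name Test-SharedPfxForCcs is my own; it assumes the PKI module's Get-PfxData is available and reuses $sharedPfxFilePath, $securedSslPassword and $hostname from the script.

```powershell
function Test-SharedPfxForCcs {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [Parameter(Mandatory)] [string] $HostName
    )
    $problems = @()

    # CCS finds a site's certificate by file name, so the file must be <hostname>.pfx.
    if ((Split-Path -Path $PfxPath -Leaf) -ne "$HostName.pfx") {
        $problems += "File name is not '$HostName.pfx'"
    }

    # Get-PfxData (PKI module) opens the PFX with the SecureString password and splits
    # the end-entity certificate from any chain certificates bundled by -ChainOption BuildChain.
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $PfxPassword -ErrorAction Stop
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { return [pscustomobject]@{ Ok = $false; Problems = @('No end-entity certificate in PFX') } }

    if (-not $leaf.HasPrivateKey) { $problems += 'PFX carries no private key' }
    if ($leaf.NotAfter -lt (Get-Date).AddDays(14)) { $problems += "Certificate expires $($leaf.NotAfter)" }

    # The DNS name the certificate was issued for must be the CCS hostname (single-domain cert, as in the script).
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    if ($leaf.GetNameInfo($dnsType, $false) -ne $HostName) {
        $problems += "Certificate is not for '$HostName'"
    }

    # Build the chain in machine context (X509Chain($true)), i.e. from the LocalMachine stores,
    # so the result does not depend on the CurrentUser store of whoever runs this check.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    # The intermediate (issuer) must sit in a store every account on the host can read.
    $issuer = Get-ChildItem -Path Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $leaf.Issuer }
    if (-not $issuer) { $problems += "Issuer '$($leaf.Issuer)' not in Cert:\LocalMachine\CA" }

    [pscustomobject]@{
        Ok         = ($problems.Count -eq 0)
        Thumbprint = $leaf.Thumbprint
        NotAfter   = $leaf.NotAfter
        Problems   = $problems
    }
}
# Same variables as the script above.
Test-SharedPfxForCcs -PfxPath $sharedPfxFilePath -PfxPassword $securedSslPassword -HostName $hostname
```

A non-empty Problems list points at the specific step to revisit before IIS reports BAD DATA for the site.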