Summary
- Log in to your Entrust Certificate Services (ECS) portal.
- Click Administration > Advanced Settings. On the Settings navigation pane, select Auto-Installation > ACME.
- Click Add External Account Binding to create the EAB.
- Create a Friendly Name for the EAB. In the Extended Key Usage drop-down, select the desired EKU (e.g. ServerAndClientAuth), then click Next. Review the EAB Details for correctness, and when complete click Submit.
- Record the Key ID, MAC Key, and ACME URL values in a safe location; they are required to configure the ACME client later. The MAC Key cannot be viewed again once this window is closed. Treat the Key ID and MAC Key pair as a credential: anyone holding both can bind a new ACME account to your ECS account, so keep it in a password manager or vault rather than in a script, e-mail, or ticket.
- Using the ECS Console, note the Serial Number of the certificate that needs to be replaced/renewed.
- It is also possible to examine the current certificate on the web server by using any web browser.
- On the IIS web server, open an elevated PowerShell session and install the Posh-ACME client with the command:
  Install-Module -Name Posh-ACME -Scope AllUsers
- When prompted, accept the installation of the module.
- Set the Entrust ACME directory URL as the Posh-ACME server with the command:
  Set-PAServer https://acme.entrust.net/acme2/directory
- Set values for the Key ID and MAC Key that were recorded earlier in the ECS console:
  $eabKID = 'K57********'
  $eabHMAC = 'e_1qXl*************************************'
- Register the new ACME account configuration with the command:
  New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact '*****.*******@entrust.com' -AcceptTOS
- Generate a 13-month (396-day) certificate for the IIS web site with the command:
  New-PACertificate -Domain "entrustwinacme.testcertificates.com" -AcceptTOS -LifetimeDays 396 -Install
  No challenge plugin is specified because domain validation is completed in ECS before issuance; the -Install parameter imports the certificate and its private key into the Local Computer (Cert:\LocalMachine\My) store.
- The certificate files can be located in the Posh-ACME directory by clicking Start > Run and entering %LOCALAPPDATA%\Posh-ACME. This directory also holds the ACME account key and the certificate's private key, so restrict access to it as you would any key material.
- Double-click the certificate file and navigate to the Details tab. Note the Serial Number and Valid To attribute values.
- Since the -Install parameter was used with New-PACertificate, the new certificate is already installed in the Local Computer certificate store of the IIS web server. The Serial Number and Valid To attribute values can also be confirmed there.
- In the ECS Console, the new certificate is now visible with a status of Active.
- Use the IIS Manager console to install the updated certificate into the IIS web site binding.
- Expand [SERVER] > Sites > [Web Site] and then click Bindings.
- Double-click the required HTTPS binding. In the SSL Certificate drop-down list, select the new certificate.
- Click View, and then select the Details tab of the certificate.
- Confirm that the new certificate has the expected Serial Number.
- The certificate can also be examined in a web browser that has connected to the IIS-hosted web site using HTTPS.
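The procedure above, as an added PowerShell example that is not part of the original Entrust article: it runs the Posh-ACME steps end to end and replaces the manual serial-number comparison in IIS Manager and the browser with checks the script performs itself. Before issuing, it confirms the site currently serves the certificate whose serial was noted in ECS; after rebinding, it opens a TLS connection to the local IIS with the domain as the SNI name and confirms the served serial matches the certificate that -Install placed in the Local Computer store. Assumptions not taken from the article: the parameter names, the default site name 'Default Web Site', that the WebAdministration module is present (it ships with IIS), and that the MAC Key is supplied interactively as a SecureString rather than pasted into the script.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Entrust article: Posh-ACME issuance against the Entrust
# ACME service, then verification that IIS really serves the new certificate.
# Assumptions (not from the article): parameter names, site name, WebAdministration present.
param(
    [Parameter(Mandatory)][string]$Domain,            # FQDN of the IIS site
    [Parameter(Mandatory)][string]$EabKid,            # Key ID from the ECS EAB dialog
    [Parameter(Mandatory)][securestring]$EabMacKey,   # MAC Key, prompted for, never hard-coded
    [Parameter(Mandatory)][string]$Contact,           # ACME account contact e-mail
    [string]$SiteName = 'Default Web Site',           # assumed IIS site name
    [string]$OldSerial = '',                          # serial noted in ECS for the cert being replaced
    [int]$LifetimeDays = 396
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Serial numbers appear with spaces or colons in some UIs; .NET reports bare uppercase hex.
function ConvertTo-CanonicalSerial([string]$Serial) {
    return ($Serial -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Open a TLS session to a host with the given SNI name and return the leaf certificate.
# Chain validation is deliberately disabled: we assert identity by serial, not trust.
function Get-ServedCertificate([string]$ConnectTo, [string]$ServerName, [int]$Port = 443) {
    $tcp = [System.Net.Sockets.TcpClient]::new($ConnectTo, $Port)
    try {
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $noCheck)
        try {
            $ssl.AuthenticateAsClient($ServerName)
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

# 0. Sanity check: the site currently serves the certificate we intend to replace.
if ($OldSerial) {
    $current = Get-ServedCertificate -ConnectTo 'localhost' -ServerName $Domain
    if ((ConvertTo-CanonicalSerial $current.SerialNumber) -ne (ConvertTo-CanonicalSerial $OldSerial)) {
        throw "Site serves serial $($current.SerialNumber), not $OldSerial; check the site name and binding."
    }
}

# 1. Client install and Entrust ACME directory (URL from the article).
if (-not (Get-Module -ListAvailable -Name Posh-ACME)) {
    Install-Module -Name Posh-ACME -Scope AllUsers
}
Import-Module Posh-ACME, WebAdministration
Set-PAServer -DirectoryUrl 'https://acme.entrust.net/acme2/directory'

# 2. Account with External Account Binding; re-runs reuse the existing account.
if (-not (Get-PAAccount)) {
    $mac = [System.Net.NetworkCredential]::new('', $EabMacKey).Password
    New-PAAccount -ExtAcctKID $EabKid -ExtAcctHMACKey $mac -Contact $Contact -AcceptTOS | Out-Null
    $mac = $null
}

# 3. Issue and install into Cert:\LocalMachine\My. No challenge plugin: the domain is
#    pre-validated in ECS, so the order's authorizations are already valid.
$paCert = New-PACertificate -Domain $Domain -AcceptTOS -LifetimeDays $LifetimeDays -Install
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $paCert.Thumbprint }
if (-not $installed) { throw "Thumbprint $($paCert.Thumbprint) not found in Cert:\LocalMachine\My" }
$newSerial = ConvertTo-CanonicalSerial $installed.SerialNumber

# 4. Point the existing HTTPS binding(s) of the site at the new certificate.
$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($bindings.Count -eq 0) { throw "No HTTPS binding on '$SiteName'; create one in IIS Manager first." }
foreach ($b in $bindings) { $b.AddSslCertificate($installed.Thumbprint, 'My') }

# 5. Verify what IIS actually serves, as a browser would see it.
$served = Get-ServedCertificate -ConnectTo 'localhost' -ServerName $Domain
$servedSerial = ConvertTo-CanonicalSerial $served.SerialNumber
if ($servedSerial -ne $newSerial) {
    throw "IIS serves serial $servedSerial but the newly installed certificate is $newSerial"
}
"OK: $Domain serves serial $servedSerial, valid to $($served.NotAfter.ToString('u'))"
```

Run it from an elevated session as `.\Renew-EntrustAcme.ps1 -Domain entrustwinacme.testcertificates.com -EabKid K57... -Contact you@example.com -OldSerial <serial from ECS>`; PowerShell prompts for the MAC Key without echoing it. The served-certificate check connects to localhost but sends the real domain as SNI, so it exercises the same binding a remote browser would reach without depending on public DNS resolving to this server.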