
Using Posh-ACME for Windows to automate TLS/SSL certificate issuance and renewal   

Summary


  1. Log in to your Entrust Certificate Services (ECS) portal.

  2. Click Administration > Advanced Settings. On the Settings navigation pane, select Auto-Installation > ACME.

  3. Click Add External Account Binding to create the EAB.

  4. Create a Friendly Name for the EAB. In the Extended Key Usage dropdown, select the desired EKU, e.g. ServerAndClientAuth, then click Next. Review the EAB Details for correctness, and when complete click Submit.

  5. Record the Key ID, MAC Key, and ACME URL values in a safe location. These will be required to configure the ACME client later. Note that the MAC Key cannot be viewed again once this window is closed.

  6. Using the ECS Console, note the Serial Number of the certificate that needs to be replaced/renewed.

  7. It is also possible to examine the current certificate on the web server by using any web browser.

  8. On the IIS web server, open an elevated PowerShell session. Install the Posh-ACME client with the command:

     Install-Module -Name Posh-ACME -Scope AllUsers

  9. When prompted, accept the installation of the module.

  10. Set the BaseURI value for the Entrust ACME service with the command:

     Set-PAServer https://acme.entrust.net/acme2/directory

  11. Set values for the Key ID and MAC Key that were recorded earlier in the ECS console:

     $eabKID = 'K57********'
     $eabHMAC = 'e_1qXl*************************************'

  12. Register the new ACME account configuration with the command:

     New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact '*****.*******@entrust.com' -AcceptTOS

  13. Generate a 13-month certificate for the IIS web site using the command:

     New-PACertificate -Domain "entrustwinacme.testcertificates.com" -AcceptTOS -LifetimeDays 396 -Install

  14. The certificates can be located in the Posh-ACME directory by clicking Start > Run and entering %LOCALAPPDATA%\Posh-ACME.

  15. Double-click the certificate and navigate to the Details tab. Note the Serial Number and Valid To attribute values.

  16. Since the -Install parameter was added when using New-PACertificate, the new certificate is already installed in the Local Computer certificate store of the IIS web server. The Serial Number and Valid To attribute values can also be confirmed there.

  17. In the ECS Console, the new certificate is now visible and set to a status of Active.

  18. Use the IIS Manager console to install the updated certificate into the IIS website binding.

  19. Expand [SERVER] > Sites > [Web Site] and then click Bindings.

  20. Double-click the required HTTPS binding. In the SSL Certificate droplist, select the new certificate.

  21. Click View, and then select the Details tab of the certificate.

  22. Confirm that the new certificate has the expected Serial Number.

  23. The certificate can also be examined in a web browser that has connected to the IIS-hosted website using HTTPS.
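The steps above are performed by hand once; the added script below (example code written for this page, not part of the Entrust article or of Posh-ACME) shows the recurring part of the workflow: renew the existing order with Submit-Renewal, point the site's HTTPS bindings at the renewed certificate, and confirm over TLS that IIS presents the expected serial number, which replaces the manual browser check. The IIS site name 'Default Web Site' is an assumed placeholder; the domain and ACME directory are the ones used in the procedure.

```powershell
# Added example (not from the Entrust article): renew the Posh-ACME order for the IIS site,
# rebind IIS to the renewed certificate, and verify what the server actually presents.
param(
    [string]$Domain   = 'entrustwinacme.testcertificates.com',
    [string]$SiteName = 'Default Web Site'   # assumed IIS site name, adjust to your site
)
Import-Module Posh-ACME
Import-Module WebAdministration

# Select the Entrust ACME directory and the account that was registered with the EAB.
Set-PAServer 'https://acme.entrust.net/acme2/directory'
if (-not (Get-PAAccount)) { throw 'No Posh-ACME account on this server; run New-PAAccount first.' }

# Submit-Renewal only contacts the CA when the order is inside its renewal window
# (add -Force to override). It returns the new certificate object, or nothing if skipped.
$cert = Submit-Renewal -MainDomain $Domain
if (-not $cert) {
    $current = Get-PACertificate -MainDomain $Domain
    Write-Host "Renewal not yet due; current certificate expires $($current.NotAfter)"
    return
}

# The order was created with -Install, so the renewed cert lands in LocalMachine\My.
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $installed) { throw "Renewed certificate $($cert.Thumbprint) not found in LocalMachine\My" }

# Point every HTTPS binding of the site at the new certificate (the IIS Manager step above).
foreach ($binding in Get-WebBinding -Name $SiteName -Protocol https) {
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Verify from the outside: the serial IIS presents must match the installed certificate.
# The callback accepts any chain on purpose; we are inspecting, not trusting, this handshake.
$tcp = New-Object Net.Sockets.TcpClient($Domain, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($Domain)   # sends SNI so the matching binding is selected
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

if ($served.SerialNumber -ne $installed.SerialNumber) {
    throw "IIS still serves serial $($served.SerialNumber); expected $($installed.SerialNumber)"
}
Write-Host "IIS now serves serial $($served.SerialNumber), valid to $($served.NotAfter)"
```

Run it from an elevated PowerShell session under the same user that created the order, since Posh-ACME keeps its state under that user's %LOCALAPPDATA%\Posh-ACME.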