A PowerShell module and ACME client to create publicly trusted SSL/TLS certificates from an ACME capable certificate authority such as Let's Encrypt.

• Multi-domain (SAN) and wildcard (*.example.com) certificates supported
• IP Address certificates (RFC 8738) (Requires ACME CA support)
• All-in-one command for new certs, New-PACertificate
• Easy renewals with Submit-Renewal
• RSA and ECDSA keys supported for accounts and certificates
• Built-in validation plugins for DNS and HTTP based challenges. (pull requests welcome)
• Support for pre-created certificate requests (CSR)
• PEM and PFX output files
• No elevated Windows privileges required (unless using -Install switch)
• Cross platform PowerShell support. (FAQ)
• Account key rollover support
• OCSP Must-Staple support
• DNS challenge CNAME support
• Multiple ACME accounts supported per ACME CA.
• External Account Binding support for ACME CAs that require it (Guide)
• Preferred Chain support to use alternative CA trust chains (Guide)
• PowerShell SecretManagement support (Guide)

The latest release can found in the PowerShell Gallery or the GitHub releases page. Installing is easiest from the gallery using Install-Module. See Installing PowerShellGet if you run into problems with it.

# install for all users (requires elevated privs)
Install-Module -Name Posh-ACME -Scope AllUsers

# install for current user
Install-Module -Name Posh-ACME -Scope CurrentUser

NOTE: If you use PowerShell 5.1 or earlier, Install-Module may throw an error depending on your Windows and .NET version due to a change PowerShell Gallery made to their TLS settings. For more info and a workaround, see the official blog post.

Use the following PowerShell command to install the latest development version from the git main branch. This method assumes a default PSModulePath environment variable and installs to the CurrentUser scope.

iex (irm https://raw.githubusercontent.com/rmbolger/Posh-ACME/main/instdev.ps1)

You can also download the source manually from GitHub and extract the Posh-ACME folder to your desired module location.

The minimum parameters you need for a cert are the domain name and the -AcceptTOS flag. This uses the default Manual DNS plugin which requires you to manually edit your DNS server to create the TXT records required for challenge validation.

New-PACertificate example.com -AcceptTOS

NOTE: On Windows, you may need to set a less restrictive PowerShell execution policy before you can import the module.

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Posh-ACME

Here's a more complete example with a typical wildcard cert utilizing a hypothetical FakeDNS DNS plugin that also adds a contact email address to the account for expiration notifications.

$certNames = '*.example.com','example.com'
$email = '[email protected]'
$pArgs = @{
    FDToken = (Read-Host 'FakeDNS API Token' -AsSecureString)
}
New-PACertificate $certNames -AcceptTOS -Contact $email -Plugin FakeDNS -PluginArgs $pArgs

To learn how to use a specific plugins, check out Get-PAPlugin <PluginName> -Guide. There's also a tutorial for a more in-depth guide to using the module.

The output of New-PACertificate is an object that contains various properties about the certificate you generated. Only a subset of the properties are displayed by default. To see the full list including the filesystem paths to any certificate files that were generated, pipe the original output to Format-List or use Get-PACertificate | Format-List. You can also get the path to the server's config using (Get-PAServer).Folder.

• Supports Windows PowerShell 5.1 (Desktop edition) with .NET Framework 4.7.1 or later
• Supports PowerShell 6.2 or later (Core edition) on all supported OS platforms.
• Requires FullLanguage language mode

NOTE: PowerShell 6.0-6.1 should also work, but there are known issues when using SecureString or PSCredential plugin args on non-Windows platforms.

See CHANGELOG.md