Let’s Encrypt is a pretty popular tool with a mission to generate free SSL certificates in order to create a more secure internet. The goal is to ensure that the price of SSL certificates does not stand in the way of using them. Unfortunately, when you don’t charge for a product you really have to cut down on the amount of money you spend on customer service.
Their website is a model for limited user interaction. They provide documentation, help guides, and then they point you away from their site and towards the sites of many supporting tool providers which implement their SSL generation platform. But, you will be hard pressed to find a “Contact Us” or “User Support Forum” area on letsencrypt.org. To summarize their site: Here’s how it works, here’s the client providers, read the client providers documentation please.
I don’t fully understand the ACME protocol, but to me it reads like a strict Process and API for validating requests and provisioning signed certificates. Normally there might be a handy website that will guide you through this process with step-by-step instructions but, because there are so many different types of computer systems and programming languages that can implement the ACME protocol, they leave those guides up to the implementers of the ACME clients for each of those systems.
My preference is Powershell, and I found the Posh-ACME guide gave me a good start, but didn’t help me through the final steps of installing the certificate for use with IIS. In this case, an IIS Centralized Certificate Store. So, hopefully this can help others with a start to finish script showing the end users process; instead of hunting down individual steps from different sites.
| <####################### | |
| A simple starter for Lets Encrypt using Powershell and IIS Central Certificates Store | |
| Assumptions: | |
| * You have Password Safe Software with an API that is accessible from a Powershell module | |
| * You have IIS already configured with the Central Certificate Store | |
| * You use GoDaddy for DNS | |
| ########################> | |
| # 1. Install Posh-ACME (https://github.com/rmbolger/Posh-ACME) | |
| Install-Module Posh-ACME | |
| #Import-Module Posh-ACME | |
| # These are some useful commands to get started with Posh-ACME | |
| # get-command -module Posh-ACME | |
| # get-command -module Posh-ACME *cert* | |
| # 2. Setup your hostname. This host should be registered with GoDaddy. | |
| $hostname = "somesite.yourdomain.com" | |
| # 3. Create an account with ACME. | |
| $accountId = New-PAAccount -Contact youremail@goes.here -KeyLength 4096 -AcceptTOS | |
| Set-PAAccount -ID $accountId # You should store your accountId in a password safe | |
| # 4. Import your Password Safe module | |
| Import-Module SecretServer | |
| # 5. Get GoDaddy API Keys | |
| $goDaddySecret = Get-SecretServerSecret -Filter "Posh-ACME" | |
| $pArgs = @{ | |
| GDKey = $goDaddySecret.Username | |
| GDSecret = $goDaddySecret.Password | |
| } | |
| # 6. Create a new Let's Encrypt Certificate with ownership verification using GoDaddy DNS | |
| New-PACertificate -Domain $hostname -AcceptTOS -DnsPlugin GoDaddy -PluginArgs $pArgs | |
| # 7. Retrieve the certificate | |
| $cert = Get-PACertificate -MainDomain $hostname | |
| # 8. Import the certificate into the local machines Certificate Manager | |
| # Import-PfxCertification: https://gist.github.com/smaglio81/19146391f7f94e2449e16d3318be1ef7 | |
| Import-Module CertificatesModule | |
| Import-PfxCertificate -CertPath $cert.PfxFullChain -PfxPass $cert.PfxPass | |
| # 9. Pull the certificate password used in the Central Certificate Store from the Password Safe | |
| $sharedSslSecret = Get-SecretServerSecret -Filter "Shared SSL PFX" | |
| $securedSslPassword = ConvertTo-SecureString -String $sharedSslSecret.Password -AsPlainText -Force | |
| # 10. Export the certificate to the Central Certificate Store's shared directory | |
| $sharedPfxFilePath = "D:\AllContent\SharedSSL\Local\$hostname.pfx" | |
| $certPath = "Cert:\LocalMachine\My\$($cert.Thumbprint)" | |
| Export-PfxCertificate -Cert $certPath -ChainOption BuildChain -FilePath $sharedPfxFilePath -Password $securedSslPassword -Force | |
| <# IIS ERROR - BAD DATA | |
| If the Central Certificate Store in IIS is unable to read certificates generated by Let's Encrypt the | |
| problem is most likely that the account which it runs under doesn't have access | |
| to the Let's Encrypt Authority X3 certificate in the mmc.exe's Certificate Registry. (this is middle | |
| certificate in the chain) | |
| Full Description: https://github.com/ridercz/AutoACME/issues/14 (look for Steven Maglio's response) | |
| You will need to open up mmc.exe as the user account that the Central Certificate Store run unders | |
| and import any Let's Encrypt generated certificate into the CurrentUser\My store. This will import | |
| the missing certificate and things should then work. | |
| #> |
| <# | |
| .SYNOPSIS | |
| Imports a .pfx certificate onto a server | |
| http://www.orcsweb.com/blog/james/powershell-ing-on-windows-server-how-to-import-certificates-using-powershell/ | |
| Use the given certificate information to load up and import a pfx certificate. This | |
| should be execute on the server that the certificate is going to be imported into. | |
| .PARAMETER CertPath | |
| The physical to a certificate file | |
| .PARAMETER CertRootStore | |
| [Default CurrentUser] | |
| The root certificate store to save th certificate in. The possible options are 'CurrentUser' or 'LocalMachine'. | |
| .PARAMETER CertStore | |
| [Default My] | |
| The certificate store to save the certificate in. There are alot of options. Generally this is either | |
| 'My' or 'Root'. | |
| .PARAMETER PfxPass | |
| [Defualt $null] | |
| The password needed to use a given certificate (.pfx). | |
| .EXAMPLE | |
| #> | |
| Function Import-PfxCertificate { | |
| Param( | |
| [Parameter(Mandatory = $true)] | |
| [String]$CertPath, | |
| [ValidateSet("CurrentUser","LocalMachine")] | |
| [String]$CertRootStore = "LocalMachine", | |
| [String]$CertStore = "My", | |
| $PfxPass = $null | |
| ) | |
| Process { | |
| $pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 | |
| if ($pfxPass -eq $null) {$pfxPass = read-host "Enter the pfx password" -assecurestring} | |
| $pfx.import($certPath,$pfxPass,"Exportable,PersistKeySet") | |
| $store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore) | |
| $serverName = [System.Net.Dns]::GetHostName(); | |
| Write-Warning ("Adding certificate " + $pfx.FriendlyName + " to $CertRootStore/$CertStore on $serverName. Thumbprint = " + $pfx.Thumbprint) | |
| $store.open("MaxAllowed") | |
| $store.add($pfx) | |
| $store.close() | |
| Write-Host ("Added certificate " + $pfx.FriendlyName + " to $CertRootStore/$CertStore on $serverName. Thumbprint = " + $pfx.Thumbprint) | |
| } | |
| } |
0 comments:
Post a Comment