I have previously blogged about the free publicly trusted certificate solution Let’s Encrypt, see here.
In this post, I will show how you can request a certificate with a PowerShell script and prove ownership of the domain name using DNS validation. It is perhaps more common and faster to validate ownership of domain names by publishing a challenge response via HTTP (since it can be validated immediately), but sometimes you want to request a certificate for a domain name that does not host a webserver, such as email and RDP servers.
I am using the PowerShell module ACMESharp, which is an implementation of ACME, the protocol that Let’s Encrypt is using for validation and requests.
For more information about Let’s Encrypt, take a look at their FAQ.
Pros
- Totally free
- Simple with few steps
- Publicly trusted certificate
- Since we export a PFX (including the private key), the request can be performed on any computer (not necessarily from the server that will use the certificate).
Cons
- Requires you to manually add DNS records.
- Waiting for the new DNS record to show up can take some time (due to DNS caching).
- The certificate is only valid for 3 months. There is no support for renewal in the PowerShell implementation yet, but on the other hand, it is quick, easy and free to request a new certificate for the same domain name again.
Important
- I take no responsibility for what this script does, test before running in production.
- I am not a coder, so this PowerShell-script probably breaks all of the practice rules.
- The script automatically downloads and installs nuGet (which is then used to download the PowerShell module ACMESharp) using PackageManager. PackageManager is included in PowerShell v5 but has to manually be installed as an addon if you run PowerShell v3 and v4. Find you PowerShell version running $PSVersionTable and look at the value PSVersion.
PackageManager for PowerShell v3 and v4 can be downloaded here:
http://go.microsoft.com/fwlink/?LinkID=746217&clcid=0x409
Steps
Note: The video below shows these steps.
- Run the PowerShell script in an elevated PowerShell console.
- Supply the following parameters
- ExpirationEmail
- This email will receive an email notification when the certificate is about to expire. I have never received any other email, but you can enter a bogus email address.
- PFXPassword
- The PFX file will be protected by this.
- SANList
- A comma-separated list of domains you want in the certificate. You can add as many as you want, but you will need to add a DNS record for each of them (for domain name ownership verification). Note that wildcards are not allowed right now, but that has been announced to become available in 2018.
- ExpirationEmail
- Answer any questions the script asks.
- Done! The PFX will be created in the same folder as the script.
The PFX will have the domain names as the file name. - If you need more than the PFX, look in the following folder:
%programdata%\ACMESharp\sysVault
There you will find the certificate request, the certificate in PEM/KEY format, Issuing CA certificates etc.
Certificate
This is what a certificate will look like:
Video
Here is a 4 minute video where I run the script, so you can see how it looks:
Note that I do not show adding the DNS records to the public DNS in the video since it differs depending on your DNS provider. For me it looks like this:
The script
Here is a link to the latest version of the script:
http://go.mssec.se/PStoSSL
Update!
Bitly started charging $350/year for custom domains in shortlinks. Here it the full URL that the link pointed to:
https://onedrive.live.com/?authkey=!AGxuu7wuvZ4Utmw&cid=6BAD75A56D4DD590&id=6BAD75A56D4DD590!881465&parId=6BAD75A56D4DD590!862272&o=OneUp
Any feedback and improvement suggestions are highly welcome.
Thanks for reading!
Microsoft Security Solutions 