A PowerShell module supporting ACME v2. The module tries to provide you with all means neccessary to enable you to write a script or module which uses an ACME v2 service to create certificates.
Download the Module via Powershell-Gallery https://www.powershellgallery.com/packages/ACME-PS/
This is a list of breaking changes, that occured during ongoing development of the module
Version 1.2 now automatically includes chain certificates, if they are issued by the CA.
While this will not break most users, it is a change in behaviour and thus a breaking change for some.
Due to changes in RFC 8555 requiring POST-as-GET requests on multiple occasions, we decided to introduce a breaking change.
Most commands will now need the
State parameter to work correctly. Be aware, that this might not be compatible with non-updated
versions of ACME-Servers.
This change also means, you cannot simply call resource urls. To look into the contents of such an URL use
Invoke-ACMESignedWebRequest -Url $myResourceUrl -State $myState.
You'll find a collection of samples and descriptions here. If you find them to be not extensive enough, feel free to provide better samples or request enhancements of them via issues.
For Lets Encrypt you can obtain the chain files via https://letsencrypt.org/certificates/.
The issued certificate will most likely contain all chain files, if not excluded via
The ACME service or ACME directory is the server, which will issue certificates to you.
The account key is used to authenticate yourself to the ACME service. After registering it with the server make sure you do not lose the key. The module supports RSA and ECDSA keys with different sizes.
The account is associated with your account key. It stores informations like contact addresses on the ACME service. As long as you have the account key, you can identify yourself as the owner of the account.
An Identifier is used to describe what the certificate will be used for. It has the form
The order is the main object during certificate issuance. It has a collection of identifiers, defining all subject alternate names of the certificate. Also it contains an authroization object for each identifier as well as some links allowing you to send the actual certificate signing request and acquiring the certificate.
An authorization is associated with an identifier. It contains a collection of challenges, of which you have to satisfy one. An authorization will be valid if one challenge is successful.
A challenge provides data about what you have to do, to prove that you own the dns names you provided as identifiers via the order. The challenge needs to be completed, so the authorization is also valid and thus the order will be ready to be used for certificate issuance.
To complete the order you need to create a key for the certificate itself. This is the public and private key for your certificate. You should keep it save until the certificate is exported.
The service directory is a collection of URLs describing the endpoints of an ACME service.
The nonce is used as an anti-replay token. A nonce will be send whenever you communicate with the ACME service and the service will send back a nonce which can be used with the next request.
The state is a local storage of information neccessary to make handling of request easier.
Build the module
To create the output, which will be released to PSGallery, call :
PS> & .\build.ps1
Test the module
To run the Pester-Tests call:
PS> & .\ACME-PS\tests\A-Manual-Test-Run.ps1