IIS Cert Renewal Process - Posh-ACME & Posh-ACME.Deploy (PowerShell modules)


Step#1 Create a new Certificate Request at Digicert - https://www.digicert.com/


Step#2 Install Posh-ACME - https://poshac.me/docs/latest/ using PowerShell

Posh-ACME is a PowerShell module and ACME client used to obtain publicly trusted SSL/TLS certificates from an ACME-capable certificate authority such as Let's Encrypt or DigiCert.


Open Windows PowerShell ISE (elevated, since -Scope AllUsers writes to the machine-wide module path) and run this command to install Posh-ACME:

Install-Module -Name Posh-ACME -Scope AllUsers


Allow locally created scripts to run for the current user, then import the Posh-ACME module, by running these commands:

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

Import-Module Posh-ACME


Step#3 Set the Posh-ACME server (the DigiCert ACME directory URL) with the command below:

Set-PAServer -DirectoryUrl https://one.digicert.com/mpki/api/v1/acme/v2/directory


Step#4 Set the ACME credentials created in DigiCert (the External Account Binding values):

URL to request certificates : "https://one.digicert.com/mpki/api/v1/acme/v2/directory"

Key identifier (KID) : "PP3TIAlJazaXkaSKU4U88i7cArOithEAoHmyYe3tSKk"

HMAC key : "YTFmNDBhNTEyZTk5MTkxYWI0OTA4NDMxZjZlYzViYjExM2ZhZDdjOTU2Mjg3Y2MwOTBhYmU5NjYzNjkyYjM0Yg"


$eabKID = 'PP3TIAlJazaXkaSKU4U88i7cArOithEAoHmyYe3tSKk'

$eabHMAC = 'YTFmNDBhNTEyZTk5MTkxYWI0OTA4NDMxZjZlYzViYjExM2ZhZDdjOTU2Mjg3Y2MwOTBhYmU5NjYzNjkyYjM0Yg'


Step#5 Create a new account using the External Account Binding (EAB) values provided by your ACME CA:

New-PAAccount -ExtAcctKID $eabKID -ExtAcctHMACKey $eabHMAC -Contact '[email protected]' -AcceptTOS


Step#6 Create an API key for domain validation in GoDaddy

Log in to GoDaddy:

  1. Sign in to your GoDaddy account on the GoDaddy API Key Management page.
  2. Select Create New API Key.
  3. Name your API key (e.g., "Certify" or "Posh-ACME") to help you identify its use later.
  4. Choose the desired Environment for the key:
    • Operational Test and Evaluation (OTE): A test environment for verifying your application before going live.
    • Production: The live environment where your key will be actively used.
  5. Select Next.
  6. Copy your API key and Secret to a secure location.
    • Important: The "Secret" will not be displayed again after you leave this page. If you lose it, you will have to generate a new secret or delete the key and create a new one.


PowerShell command (GDKey is the API key, GDSecret is the secret entered as a SecureString):

$pArgs = @{
    GDKey    = 'xxxxxxxxxxxxxxxx'
    GDSecret = (Read-Host 'Secret' -AsSecureString)
}

New-PACertificate example.com -Plugin GoDaddy -PluginArgs $pArgs



GoDaddy API Key

Name: Posh-ACME

Key: AEd8D4FCS8X_7jFdMxKuaJqoG9oPyPbDKE

Secret: DcPHVRwVhXZMmq6Di9Y5Pe


Certificate Password: CM#Power1


Step#7 Request a new certificate from the ACME server

PowerShell command:

New-PACertificate filebound.choicespine.net -Plugin GoDaddy -PluginArgs $pArgs


Step#8 Install Posh-ACME.Deploy https://github.com/rmbolger/Posh-ACME.Deploy

PowerShell command:

Install-Module -Name Posh-ACME.Deploy -Scope AllUsers


Step#9 Create the PowerShell script and save it to C:\Scripts\sslcert_renewal.ps1

# Select the order for the site's domain, then renew it if it is inside the renewal window.
# Submit-Renewal returns the new certificate object only when a renewal actually happened,
# so the IIS binding is updated only in that case.
Set-PAOrder filebound.choicespine.net

if ($cert = Submit-Renewal) {
    $cert | Set-IISCertificate -SiteName 'Default Web Site' -RemoveOldCert
}
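The following is an added example (not the script from these notes) of a more defensive version of the Step 9 script: it loads both modules explicitly, logs each run to a file, treats "not in renewal window" as a normal exit, verifies that the renewed certificate actually landed in the machine store, and returns a non-zero exit code on failure so that a bad run shows up in the Task Scheduler history. The log file path is an assumption; the domain and site name are the ones used in Step 9.

```powershell
# Added example: defensive renewal script. Assumed: log path C:\Scripts\sslcert_renewal.log.
$ErrorActionPreference = 'Stop'
$Domain  = 'filebound.choicespine.net'           # order from Step 9
$Site    = 'Default Web Site'                    # IIS site from Step 9
$LogFile = 'C:\Scripts\sslcert_renewal.log'      # assumed log location

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

try {
    Import-Module Posh-ACME
    Import-Module Posh-ACME.Deploy

    # Make the site's order the current one for this Posh-ACME profile
    Set-PAOrder $Domain

    # Record what is currently issued, if anything, before attempting renewal
    $before = Get-PACertificate
    if ($before) {
        Write-Log ('Current cert {0} expires {1:u}' -f $before.Thumbprint, $before.NotAfter)
    }

    # Submit-Renewal returns nothing (with a warning) when the order is not yet due
    $cert = Submit-Renewal
    if (-not $cert) {
        Write-Log 'Not in renewal window; nothing to do'
        exit 0
    }

    # Bind the new PFX to the site and drop the previous cert from the store
    $cert | Set-IISCertificate -SiteName $Site -RemoveOldCert
    Write-Log ('Installed cert {0} expires {1:u}' -f $cert.Thumbprint, $cert.NotAfter)

    # Post-check: the new thumbprint must be present in LocalMachine\My
    $inStore = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $inStore) {
        throw "Thumbprint $($cert.Thumbprint) not found in Cert:\LocalMachine\My after deploy"
    }
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Because Posh-ACME keeps its server, account, order and plugin-argument state per Windows user profile, this script only finds the order from Step 7 when it runs as the same account that created it (or with POSHACME_HOME pointed at that profile's Posh-ACME folder). Run it once interactively as that account before scheduling it, and check the log file for the "Not in renewal window" line to confirm the order was found.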


Step#10 Create a Task Scheduler task


Step-by-step instructions
  1. Open Task Scheduler: Press Win + R, type taskschd.msc, and press Enter.
  2. Create a folder (optional but recommended): Right-click "Task Scheduler Library" in the left pane, select New Folder, name it (e.g., Scripts), and click OK.
  3. Initiate task creation: Right-click the new folder (or Task Scheduler Library) and select Create Task.
  4. General tab:
    • Enter a Name (Renew IIS Certificate) and Description (Automatically checks and renews the IIS certificate using Posh-ACME and PowerShell).
    • Select Run whether user is logged on or not to ensure it runs in the background. Run the script as FBService or an admin account.
    • Check Run with highest privileges if the task requires administrator rights.
  5. Triggers tab:
    • Click New, then choose when to start the task (e.g., On a schedule, At startup).
    • Configure time settings and click OK.
  6. Actions tab:
    • Click New, then Start a program.
    • Click Browse to select your script or executable (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
    • Add arguments if necessary (-ExecutionPolicy Bypass -File "C:\Scripts\sslcert_renewal.ps1").
  7. Conditions/Settings tabs: Adjust as necessary (e.g., allow running on battery power, stop if it runs too long).
  8. Save task: Click OK. You may be prompted to enter user credentials to save the task.
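As an added example (not part of the original notes), the same task can be registered from PowerShell with the ScheduledTasks cmdlets instead of clicking through the GUI, which makes the configuration repeatable across servers. The task name, folder, description and script path are the ones from Step 10; the daily 03:00 trigger and the 30-minute execution limit are assumed values. The account prompt stands in for "FBService or admin account".

```powershell
# Added example: register the Step 10 task from PowerShell. Assumed: daily 03:00 trigger,
# 30-minute execution limit; everything else mirrors the GUI steps above.
$ScriptPath = 'C:\Scripts\sslcert_renewal.ps1'
$PwshExe    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Action: same executable and arguments as the Actions tab, plus -NoProfile so a
# user profile script cannot alter the renewal run
$Action = New-ScheduledTaskAction -Execute $PwshExe `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Trigger: once a day; Submit-Renewal itself decides whether a renewal is due
$Trigger = New-ScheduledTaskTrigger -Daily -At 3am

# Settings: stop a hung run and catch up if the scheduled time was missed (server off)
$Settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
    -StartWhenAvailable

# Account that created the Posh-ACME order (its profile holds the ACME state)
$Cred = Get-Credential -Message 'Account that runs the renewal (FBService or admin account)'

# -User/-Password gives "Run whether user is logged on or not";
# -RunLevel Highest is "Run with highest privileges"
Register-ScheduledTask -TaskName 'Renew IIS Certificate' -TaskPath '\Scripts\' `
    -Description 'Automatically checks and renews the IIS certificate using Posh-ACME and PowerShell' `
    -Action $Action -Trigger $Trigger -Settings $Settings `
    -User $Cred.UserName -Password $Cred.GetNetworkCredential().Password `
    -RunLevel Highest

# Kick off one run now and read back the result code (0 = the script exited cleanly)
Start-ScheduledTask -TaskName 'Renew IIS Certificate' -TaskPath '\Scripts\'
Start-Sleep -Seconds 20
Get-ScheduledTaskInfo -TaskName 'Renew IIS Certificate' -TaskPath '\Scripts\' |
    Select-Object LastRunTime, LastTaskResult, NextRunTime
```

The LastTaskResult shown at the end is the exit code of the script, so a renewal script that exits 1 on failure (rather than just writing an error) is what makes this read-back meaningful. Because the task runs under the supplied account's profile, that account must be the one that performed Steps 3 to 7, otherwise Set-PAOrder will not find the order.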