Create or renew a Let's Encrypt certificate with PowerShell

This method will allow you to automate Let’s Encrypt certificate creation/renewal with PowerShell.

Install the Posh-ACME module.

Install-Module Posh-ACME

Create a new certificate

Set the Let’s Encrypt server to staging, to make sure everything works before changing it to the production server.

This will produce certificate files, but they will not be valid for production use. Changing it to LE_PROD will allow you to create a valid certificate (see steps further down in the guide).

You technically only need to do this the first time after you install the Posh-ACME module.

Set-PAServer -Name LE_STAGE

If your domain registrar has an API that’s supported by Posh-ACME, you can automate the DNS challenge (domain verification).

Replace the Plugin value with the correct Posh-ACME plugin/API type. This example uses the Domeneshop registrar.

# Configure certificate settings.
$domain = 'mydomain.com'
$keyLength = '2048'
# Placeholder for the registrar API token. Avoid leaving a real token in a script
# that is committed to source control or shared; prompt for it or load it from a
# protected store instead.
$apiToken = 'InsertApiTokenHere'
$apiSecret = Read-Host 'API secret' -AsSecureString
$certPassword = Read-Host 'Create a certificate password' -AsSecureString

# Configure plugin/API settings. Parameters depend on the registrar type.
$pluginType = 'Domeneshop'
$pluginArgs = @{
    DomeneshopToken = $apiToken
    DomeneshopSecret = $apiSecret
}

# Create the certificate.
$params = @{
    Domain = $domain
    CertKeyLength = $keyLength
    Plugin = $pluginType
    PluginArgs = $pluginArgs
    PfxPassSecure = $certPassword
    AcceptTOS = $true
}
$certificate = New-PACertificate @params

If your domain registrar doesn’t have an API or if you want to manually verify the domain, use this method instead.

# Configure certificate settings.
$domain = 'mydomain.com'
$keyLength = '2048'
$certPassword = Read-Host 'Create a certificate password' -AsSecureString

# Create the certificate.
$params = @{
    Domain = $domain
    CertKeyLength = $keyLength
    PfxPassSecure = $certPassword
    AcceptTOS = $true
}
$certificate = New-PACertificate @params

Set the Let’s Encrypt server to the production server when you have tested the certificate creation. Then run the certificate creation again to generate a real certificate that will be valid for production use.

Set-PAServer -Name LE_PROD

Renew an existing certificate

Renewing an existing certificate won’t require a DNS challenge (domain verification) because you already verified the domain when you created the certificate.

Set the Let’s Encrypt order to the domain that should be renewed.

Set-PAOrder -MainDomain 'mydomain.com'

Renew the certificate. You can add the -Force switch if you want to renew a certificate that Posh-ACME does not yet consider due for renewal.

Submit-Renewal -MainDomain 'mydomain.com'
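As an added example that is not part of the original post, here is an unattended renewal check suitable for a scheduled task: it only calls Submit-Renewal when the current certificate is close to expiry, then verifies that the new PFX loads, carries a private key and actually extends validity. It assumes the order for the domain was already created against LE_PROD as described above; the domain name, the 30-day threshold and the script parameters are placeholders.

```powershell
# Added example (not code from the original post or from Posh-ACME itself).
# Assumes the production order for $Domain already exists and Posh-ACME is installed.
param(
    [string]$Domain = 'mydomain.com',   # assumption: main domain of the existing order
    [int]$RenewWithinDays = 30,         # renew when fewer days than this remain
    [switch]$Force                      # pass through to Submit-Renewal -Force
)
$ErrorActionPreference = 'Stop'
Import-Module Posh-ACME

# Work against production and select the order for this domain.
Set-PAServer -Name LE_PROD
Set-PAOrder -MainDomain $Domain | Out-Null

$current = Get-PACertificate
if (-not $current) { throw "No certificate found for order '$Domain'; create it first." }

$daysLeft = [int]($current.NotAfter - (Get-Date)).TotalDays
Write-Host "Current certificate $($current.Thumbprint) expires in $daysLeft day(s) ($($current.NotAfter))."

if ($daysLeft -gt $RenewWithinDays -and -not $Force) {
    Write-Host "More than $RenewWithinDays days left; nothing to do."
    return
}

# Submit-Renewal returns the new certificate object only when a renewal happened.
$renewed = Submit-Renewal -MainDomain $Domain -Force:$Force
if (-not $renewed) { Write-Warning 'Submit-Renewal did not return a new certificate.'; return }

# Sanity-check the PFX before anything downstream (IIS, a service, a copy job) picks it up.
# PfxPass is a SecureString in recent Posh-ACME versions; handle a plain string as well.
$pfxPass = if ($renewed.PfxPass -is [securestring]) { $renewed.PfxPass }
           else { ConvertTo-SecureString $renewed.PfxPass -AsPlainText -Force }
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $renewed.PfxFullChain, $pfxPass)
try {
    if ($pfx.Subject -notmatch [regex]::Escape($Domain)) { throw "Unexpected subject: $($pfx.Subject)" }
    if (-not $pfx.HasPrivateKey) { throw 'PFX contains no private key.' }
    if ($pfx.NotAfter -le $current.NotAfter) { throw 'Renewed certificate does not extend validity.' }
    Write-Host "Renewed: thumbprint $($pfx.Thumbprint), valid until $($pfx.NotAfter)."
    Write-Host "PFX with full chain: $($renewed.PfxFullChain)"
}
finally { $pfx.Dispose() }
```

Run it under the same Windows account that created the order, since Posh-ACME keeps its state and plugin secrets per user profile.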

List all your certificates

Get-PACertificate -List

Certificate storage location

After the certificate has been created/renewed, you can find the certificate files in %LOCALAPPDATA%\Posh-ACME (if you’re using Windows).