Ryan Bolger

Adventures In Tech

Posh-ACME.Deploy 1.0.0

Cert deployment functions for Posh-ACME

Just shipped a new module called Posh-ACME.Deploy. It’s an optional companion module for Posh-ACME that provides a set of functions to make it easier to deploy the certificates you create.

Deploying certificates is never as simple as you want it to be, particularly on Windows. Some apps want PEM files in a folder referenced in a config file. Others reference them from the registry. Some need the certificates in a Windows certificate store, but they might be configured based on thumbprint via WMI. It’s kind of a mess and you have to go hunting in the app’s documentation to know exactly how they want things done. It’s also one of the reasons I purposefully did not include deployment functionality in the main Posh-ACME module.

Quick Start

An IIS website tends to be the most common certificate target for this module. We’ll assume you have already created a cert using Posh-ACME and want to deploy it to the default site in IIS, bound to all IPs on port 443 with no host header or SNI requirement. (SNI and host headers for TLS require IIS 8.0+.)

First, make sure your PowerShell session is running as admin. For the initial deployment, you can do something like this, which will import the cert into the LocalMachine\My certificate store and add/update the site’s https binding with the selected certificate. The -Verbose flag is optional but can be a nice way to see what’s happening. If you need to customize the binding parameters, check the function’s help with Get-Help Set-IISCertificate.

Set-PAOrder example.com
Get-PACertificate | Set-IISCertificate -SiteName 'Default Web Site' -Verbose

Your Posh-ACME renewal script might look something like this.

Set-PAOrder example.com
# Submit-Renewal returns nothing until the renewal window is reached
if ($cert = Submit-Renewal) {
    $cert | Set-IISCertificate -SiteName 'Default Web Site' -RemoveOldCert
}

Submit-Renewal only returns a certificate object when it successfully renews the certificate. So you generally run it 1-2 times per day and it doesn’t do anything until the renewal window has been reached. The -RemoveOldCert parameter will delete the previous certificate from the Windows certificate store after it successfully imports and configures the new one.
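
The renewal script above with a post-deployment check, as an added example that is not part of the original post or the module: after Set-IISCertificate runs, it confirms that the https binding actually references the renewed certificate and that the certificate landed in LocalMachine\My with its private key. It assumes the quick start binding (all IPs, port 443, no host header) and that the WebAdministration module is available on the server.

```powershell
#Requires -RunAsAdministrator
# Added example: renew, deploy, then verify what IIS is actually serving.
# Assumptions: WebAdministration is installed and the site uses the
# quick start binding '*:443:' (all IPs, port 443, no host header).

$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$siteName = 'Default Web Site'
$domain   = 'example.com'

Set-PAOrder $domain

# Submit-Renewal only returns a certificate object on a successful renewal,
# so everything inside the block is skipped on the usual no-op runs.
if ($cert = Submit-Renewal) {

    $cert | Set-IISCertificate -SiteName $siteName -RemoveOldCert

    # 1. The https binding must reference the renewed certificate's thumbprint.
    $binding = Get-WebBinding -Name $siteName -Protocol https |
        Where-Object { $_.bindingInformation -eq '*:443:' }

    if (-not $binding) {
        throw "No https binding '*:443:' found on site '$siteName'."
    }
    if ($binding.certificateHash -ne $cert.Thumbprint) {
        throw "Binding still uses $($binding.certificateHash), expected $($cert.Thumbprint)."
    }

    # 2. The certificate must be in LocalMachine\My with a usable private key.
    #    Get-Item throws (ErrorActionPreference = Stop) if it is missing.
    $stored = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $stored.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) was imported without a private key."
    }

    # 3. Sanity check on validity so a bad clock or stale cert is noticed.
    $now = Get-Date
    if ($stored.NotBefore -gt $now -or $stored.NotAfter -le $now) {
        throw "Certificate $($cert.Thumbprint) is not currently valid."
    }

    Write-Output "Deployed $($cert.Thumbprint) to '$siteName', valid until $($stored.NotAfter)."
}
```

Because the script throws on any mismatch, a scheduled task running it will report a non-zero result that monitoring can alert on instead of silently leaving the old binding in place.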

The rest of the functions in this module work very similarly. Check the associated parameters using Get-Help <function> for details. If you forget which functions are available, you can list them with Get-Command -Module Posh-ACME.Deploy.

The module can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme.


  • Initial Release
  • Added functions
    • Set-IISCertificate
    • Set-RDGWCertificate
    • Set-RDSHCertificate
    • Set-WinRMCertificate
