Just shipped a new Posh-ACME release, version 3.15.0. The big news in this release is External Account Binding (EAB) support, which widens Posh-ACME’s compatibility with certificate authorities other than Let’s Encrypt. Sectigo, for example, offers paid certificates and ACME compatible endpoints. However, creating the ACME account requires linking it against an existing Sectigo account using new parameters in New-PAAccount. These parameters are a standard part of the ACME protocol, but optional for a certificate authority to implement.
The three new parameters are:

- ExtAcctKID (Key ID)
- ExtAcctHMACKey (Key Value)
- ExtAcctAlgorithm (HMAC Algorithm)

The key ID and value will always need to be provided by your certificate authority. The algorithm defaults to HS256, which refers to HMAC using SHA-256. If the CA does not specify an algorithm, this one is usually assumed. Two others are also supported, HS384 and HS512. Your CA should indicate if one of them is needed instead of the default.
Here’s an example creating a new account against the ZeroSSL CA.

```powershell
Set-PAServer 'https://acme.zerossl.com/v2/DV90'
New-PAAccount -AcceptTOS -ExtAcctKID 'xxxxxxxx' -ExtAcctHMACKey 'yyyyyyyyyyyyyyyyyyyyy'
```
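For those curious what those parameters turn into on the wire, here is an added example (not Posh-ACME’s own code) of the externalAccountBinding JWS that the newAccount request carries per RFC 8555: a JWS over the account’s public key, HMAC-signed with the CA-supplied key under the CA-supplied key ID. The KID, HMAC key, newAccount URL and account JWK below are constructed placeholders.

```powershell
function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    # JWS components use unpadded base64url encoding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+','-').Replace('/','_')
}

function ConvertFrom-Base64Url {
    param([string]$Text)
    # CAs hand out the HMAC key as base64url; restore padding before decoding
    $s = $Text.Replace('-','+').Replace('_','/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Convert]::FromBase64String($s)
}

function New-EabJws {
    param(
        [string]$KID,            # ExtAcctKID issued by the CA
        [string]$HMACKey,        # ExtAcctHMACKey issued by the CA (base64url)
        [string]$NewAccountUrl,  # the CA's newAccount endpoint from its directory
        [string]$AccountJwkJson, # public JWK of the ACME account key, serialized
        [ValidateSet('HS256','HS384','HS512')][string]$Algorithm = 'HS256'
    )
    # Protected header: algorithm, the CA's key ID, and the URL being posted to
    $header = [ordered]@{ alg = $Algorithm; kid = $KID; url = $NewAccountUrl } |
        ConvertTo-Json -Compress
    $h64 = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))
    # Payload: the account public key, which the CA binds to the external account
    $p64 = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($AccountJwkJson))
    # Pick the HMAC matching the algorithm the CA expects; a mismatch is rejected
    $hmac = switch ($Algorithm) {
        'HS256' { [Security.Cryptography.HMACSHA256]::new() }
        'HS384' { [Security.Cryptography.HMACSHA384]::new() }
        'HS512' { [Security.Cryptography.HMACSHA512]::new() }
    }
    $hmac.Key = ConvertFrom-Base64Url $HMACKey
    $sig = $hmac.ComputeHash([Text.Encoding]::ASCII.GetBytes("$h64.$p64"))
    # Flattened JWS JSON serialization, the shape ACME expects for EAB
    [ordered]@{ protected = $h64; payload = $p64; signature = (ConvertTo-Base64Url $sig) } |
        ConvertTo-Json -Compress
}

# Constructed sample values; replace with what your CA and account key actually provide
$jwk = '{"kty":"EC","crv":"P-256","x":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","y":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}'
New-EabJws -KID 'xxxxxxxx' -HMACKey 'eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5' `
    -NewAccountUrl 'https://acme.example/newAccount' -AccountJwkJson $jwk
```

The HMAC key never leaves your machine; only the signature does, which is why the CA can tie the new ACME account to your existing customer account without a shared login.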
- Added new DNS plugin DomainOffensive (Thanks @Armitxes)
- Added new ExtAcctKID, ExtAcctHMACKey, and ExtAcctAlgorithm parameters to New-PAAccount to support Certificate Authorities that require external account binding. Look for a guide in the wiki soon.
- Added support for the new AWS.Tools modules when using Route53.
- Added support for more restricted API permissions when using OVH. It’s now possible to only grant write access to a specific list of zones or even individual TXT records. See the usage guide for details.
- Added pre-registration support for AcmeDns. See the usage guide for details.
- Fixed a bug with GoDaddy that prevented managing DNS-only hosted domains.