Just shipped a new Posh-ACME release, version 3.15.0. The big news in this release is External Account Binding (EAB) support which widens Posh-ACME’s compatibility with certificate authorities other than Let’s Encrypt. Sectigo, for example, offers paid certificates and ACME compatible endpoints. However, creating the ACME account requires linking it against an existing Sectigo account using new parameters in New-PAAccount. These parameters are a standard part of the ACME protocol, but optional to implement by a certificate authority.

The three new parameters are ExtAcctKID (Key ID), ExtAcctHMACKey (Key Value), ExtAcctAlgorithm (HMAC Algorithm). The key ID and value will always need to be provided by your certificate authority. The algorithm defaults to HS256 which refers to HMAC using SHA-256. If the CA does not specify a specific algorithm, this one is usually assumed. Two others are also supported, HS384 and HS512. Your CA should indicate if they are needed instead of the default.

Here’s an example creating a new account against the ZeroSSL CA.

Set-PAServer 'https://acme.zerossl.com/v2/DV90'

New-PAAccount -AcceptTOS -ExtAcctKID 'xxxxxxxx' -ExtAcctHMACKey 'yyyyyyyyyyyyyyyyyyyyy'

Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme.

Changelog

• Added new DNS plugin DomainOffensive (Thanks @Armitxes)
• New-PAAccount now has ExtAcctKID, ExtAcctHMACKey, and ExtAcctAlgorithm parameters to support Certificate Authorities that require external account binding. Look for a guide in the wiki soon.
• Added support for the new AWS.Tools modules when using Route53.
• Added support for more restricted API permissions when using OVH. It’s now possible to only grant write access to a specific list of zones or even individual TXT records. See the usage guide for details.
• Added pre-registration support for AcmeDns. See the usage guide for details.
• Fixed a bug with GoDaddy that prevented managing DNS-only hosted domains.