Posh-ACME 3.16.0
Preferred Chain support and a new plugin
Just shipped a new Posh-ACME release, version 3.16.0. The highlight of this release is Preferred Chain support, an advanced but important feature given Let’s Encrypt’s impending root transition. When you download a certificate from an ACME server, you also get the issuing chain with that certificate. But for certificate authorities with complex issuance hierarchies, the ACME server may have multiple valid hierarchies to choose from. This new feature allows you to specify which chain to use based on the Common Name of an issuing CA in the chain.
For example, Let’s Encrypt currently offers a default chain that goes up to a third-party root certificate called “DST Root CA X3” from a company called IdenTrust. This was necessary when Let’s Encrypt first started because their own root, called “ISRG Root X1”, was not yet widely trusted by browsers and operating systems. But if you are confident the clients connecting to your service already trust the ISRG root, you may want to change that default in your environment. You can do that using the PreferredChain parameter in New-PACertificate, New-PAOrder or Set-PAOrder. Here are some examples of each:
# Create a new order with the specified chain
New-PAOrder 'example.com' -PreferredChain 'ISRG Root X1'
# Update the chain for an existing cert or order
Set-PAOrder -PreferredChain 'ISRG Root X1'
# Create a new certificate with the specified chain
New-PACertificate 'example.com' -PreferredChain 'ISRG Root X1'
Eventually Let’s Encrypt will change their implementation to offer the ISRG root as the default chain. If you know you have clients that still don’t trust it, you may want to explicitly change back to the IdenTrust root until it is no longer valid. If none of this makes sense, you likely don’t have to worry about it.
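To make the selection rule concrete, here is an added sketch (not Posh-ACME's own code) of choosing among offered chains by issuer Common Name. The chain data is constructed, the function names and the intermediate CA name are hypothetical, and the exact-match comparison and fallback to the server default are assumptions.

```powershell
# Added example, not Posh-ACME source. Constructed data: each chain lists the
# Issuer DN of every certificate in it, leaf first. The first chain stands in
# for the server default; 'Example Intermediate CA' is a placeholder name.
$offeredChains = @(
    [pscustomobject]@{
        Name    = 'default'
        Issuers = @('CN=Example Intermediate CA, O=Constructed',
                    'CN=DST Root CA X3, O=Constructed')
    }
    [pscustomobject]@{
        Name    = 'alternate-1'
        Issuers = @('CN=Example Intermediate CA, O=Constructed',
                    'CN=ISRG Root X1, O=Constructed')
    }
)

function Get-IssuerCommonName {
    # Pull the CN attribute out of a distinguished name string.
    # Simplification: does not handle escaped commas inside the CN value.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    if ($DistinguishedName -match '(?:^|,\s*)CN=([^,]+)') {
        return $Matches[1].Trim()
    }
    return $null
}

function Select-PreferredChain {
    param(
        [Parameter(Mandatory)][object[]]$Chains,  # first element = server default
        [string]$PreferredChain                   # issuer CN to look for
    )
    if ($PreferredChain) {
        foreach ($chain in $Chains) {
            $issuerNames = $chain.Issuers | ForEach-Object { Get-IssuerCommonName $_ }
            # Assumption: exact, case-sensitive match on any issuer CN in the chain
            if ($issuerNames -ccontains $PreferredChain) { return $chain }
        }
        # Assumption: an unmatched name falls back to the default chain
        Write-Warning "No offered chain has an issuer named '$PreferredChain'; using the default."
    }
    return $Chains[0]
}

# Match, no preference, and a name that no chain contains
(Select-PreferredChain $offeredChains -PreferredChain 'ISRG Root X1').Name
(Select-PreferredChain $offeredChains).Name
(Select-PreferredChain $offeredChains -PreferredChain 'ISRG Root X2').Name
```

The last call shows why it is worth checking the issuer of the chain you actually received: under the fallback assumed here, a mistyped name yields the default chain rather than an error.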
Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme.
Changelog
- Added new DNS plugin NameSilo (Thanks @rkone)
- Added Preferred Chain support
  - There is a new -PreferredChain parameter on New-PACertificate, New-PAOrder, and Set-PAOrder.
  - For new or existing orders, you may select an alternate CA chain based on the Issuing CA subject name if alternate chains are offered by the CA.
  - Example: -PreferredChain 'ISRG Root X1'
- Fixed a bug with Submit-Renewal that wasn’t properly using -PluginArgs and -NoSkipManualDns parameters when -AllOrders or -AllAccounts switches were also used (#266 #275). (Thanks @f-bader)
- deSEC plugin has added retry logic to address API throttling issues for certs with many names (#275).
- Fixed a bug with Azure plugin when using AZCertPfx authentication from Windows.