Ryan Bolger

Ryan Bolger

Adventures In Tech

Posh-ACME 3.16.0

Preferred Chain support and a new plugin

Ryan Bolger

Just shipped a new Posh-ACME release, version 3.16.0. The highlight of this release is Preferred Chain support which is an advanced but important feature with Let’s Encrypt’s impending root transition. When you download a certificate from an ACME server, you also get the issuing chain with that certificate. But for certificate authorities with complex issuance hierarchies, the ACME server may have multiple valid hierarchies to choose from. This new feature allows you to specify which chain to use based on the Common Name of an issuing CA in the chain.

For example, Let’s Encrypt currently offers a default chain that goes up to a 3rd party root certificate called “DST Root CA X3” from a company called IdenTrust. This was necessary when Let’s Encrypt first started because their own root called “ISRG Root X1” was not widely trusted by browsers and operating systems yet. But if you are confident the clients connecting to your service already trust the ISRG root, you may want to change that default in your environment. You can do that using the PreferredChain parameter in New-PACertificate, New-PAOrder or Set-PAOrder. Here are some examples of each:

# Create a new order with the specified chain
New-PAOrder 'example.com' -PreferredChain 'ISRG Root X1'

# Update the chain for an existing cert or order
Set-PAOrder -PreferredChain 'ISRG Root X1'

# Create a new certificate with the specified chain
New-PACertificate 'example.com' -PreferredChain 'ISRG Root X1'

Eventually Let’s Encrypt will change their implementation to offer the ISRG root as the default chain. If you know you have clients that still don’t trust it, you may want to explicitly change back to the IdenTrust root until it is no longer valid. If none of this makes sense, you likely don’t have to worry about it.

Updated versions can be found in the PowerShell Gallery or GitHub. Installation instructions are in the Readme.


  • Added new DNS plugin NameSilo (Thanks @rkone)
  • Added Preferred Chain support
    • There is a new -PreferredChain parameter on New-PACertificate, New-PAOrder, and Set-PAOrder.
    • For new or existing orders, you may select an alternate CA chain based on the Issuing CA subject name if alternate chains are offered by the CA.
    • Example: -PreferredChain 'ISRG Root X1'
  • Fixed a bug with Submit-Renewal that wasn’t properly using -PluginArgs and -NoSkipManualDns parameters when -AllOrders or -AllAccounts switches were also used (#266 #275). (Thanks @f-bader)
  • deSEC plugin has added retry logic to address API throttling issues for certs with many names (#275).
  • Fixed a bug with Azure plugin when using AZCertPfx authentication from Windows.

Recent Posts