Let’s Encrypt na Windows Server 2016 – PowerShell a ACMESharp #2 – skript PoC

Rychlá a nedokonalá implementace automatizace vystavování nových Let’s Encrypt certifikátů pro Web Application Proxy na Windows Serveru 2016. Samozřejmě předpokládáme již nakonfigurované prostředí (vault, ověřené domény a definované aliasy pro domény)  – např. podle http://www.jan-zak.cz/lets-encrypt-ws2016-powershell-acmesharp/  🙂

Doporučná perioda vystavování je 60 dnů, takže stačí nastavit Task Scheduler na každé dva měsíce a máme vystaráno (samozřejmě dokud se něco nezmění na straně LE).

####################################################################################################
######## This script generates new Let’s Encrypt certificate (vault has to be already configured)
######## Version 1.0 (2016-12-31), PoC only, no errors handling implmented
######## Jan Zak (www.jan-zak.cz)
####################################################################################################

### Get variables ####
$Path2Module="C:\ACME\ACMESharp\0.8.1\ACMESharp.psd1" #Load module file directly instad of "Import-Module ACMESharp"
$DomainAlias="fscloudtestcz" #Already configured alias in ACME vault
$DomainSANAlias="fscloudtestcz","appcloudtestcz","claimappcloudtestcz" #Already configured aliases in ACME vault
$CertificatePwd="Password123"
$CertificatePwdSecure=ConvertTo-SecureString -String $CertificatePwd -Force -AsPlainText
$WorkDir="C:\ACME\Certificates\"
$Date2Name=Get-Date -Format yyyyMMdd_HHmm
$CertificateAlias="fscloudtestcz_cert_" + $Date2Name
$CertificatePath=$WorkDir + $DomainAlias + "_" + $Date2Name + ".pfx"
$CAName="Let's Encrypt Authority X3" #To identify LE certificates during cean-up phase

### Create and submit request ###
Import-Module $Path2Module
New-ACMECertificate $DomainAlias -Generate -AlternativeIdentifierRefs $DomainSANAlias -Alias $CertificateAlias
Submit-ACMECertificate $CertificateAlias
Update-ACMECertificate $CertificateAlias
Get-ACMECertificate $CertificateAlias -ExportPkcs12 $CertificatePath -CertificatePassword $CertificatePwd

### Import certificate into Win Cert Store, delete expired certificates and source .pfx file
Import-PfxCertificate $CertificatePath -Password $CertificatePwdSecure -CertStoreLocation Cert:\LocalMachine\My\ -Exportable
Remove-Item $CertificatePath -Force
Get-ChildItem Cert:\LocalMachine\My |? Issuer -Like "CN=$CAName*" |? NotAfter -LT (Get-Date) |Remove-Item

### Set new certificate as active (example only!)
$NewCertThumbprint=Get-ChildItem Cert:\LocalMachine\My |? Issuer -like "CN=$CAName*" |? NotBefore -GT ((Get-Date).AddMinutes(-120)) |Select-Object Thumbprint
Set-WebApplicationProxySslCertificate -Thumbprint $NewCertThumbprint.Thumbprint #Optional, configures WebApplicationProxy with a new certificate

 

Používáme cookies. Další informace

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close