This page serves as a very high level getting started guide on obtaining certificates for a few common scenarios. The steps below are to be used interactively, however, they can be built into a PowerShell script when automation is desired. For more information, see System Requirements and Sample Automation Scripts.

As an administrator, I need to:

• Obtain a certificate and update the SSL bindings in IIS on a single server
• Obtain a certificate containing SANs for multiple IIS servers
• Obtain a certificate and import it into the Windows certificate store
• Obtain a certificate and use the private and public key files

❓ Does this scenario apply to me?
This scenario would apply in cases where your server is running an application in IIS, and you have no other web servers in front of it acting as a proxy (for example, nginx). This is a very common scenario for applications running on Windows.

1. Log into your CertifiCat server
2. Click Accounts
3. Using the Add New Account sidebar, create a new ACME account (we recommend a Group account)
4. From the new account page, copy the External Account ID and External Account Key values - they will be used momentarily
5. Install the CertifiCat-PS module:

Install-Module CertifiCat-PS

6. Install Posh-ACME, configure a central working directory, and create a local account based on the ID and Key above:

Initialize-ACMEEnvironment -ACMEServer https://certificat.example.com/directory -PAUserID External-Account-ID-From-The-ACME-Account-Above -PAUserKey External-Account-Key-From-The-ACME-Account-Above

7. Request a new certificate and update all IIS SSL bindings with it (this will also import the certificate into LocalMachine\WebHosting store):

Initialize-NewACMECertificate -DomainList myServer.example.com -UpdateBindings -SkipDomainValidation

ℹ️ Note: The -SkipDomainValidation parameter prevents CertifiCat-PS from ensuring that you have provided valid domains in your list, based on your organizations domain names. By default, the module looks for domains matching (.)*.rit.edu, however, this can be updated - for more information, see this page.

8. Query the server to confirm that the new certificate is being presented:

Assert-SiteCertificate -hostToTest myServer.example.com -portToTest 443

Top

❓ Does this scenario apply to me?
This scenario would apply in cases where you issue a single certificate containing SANs for multiple servers in a farm, all running IIS. Note that this is not the only way to handle certificate issuance for a farm of servers.

1. Log into your CertifiCat server
2. Click Accounts
3. Using the Add New Account sidebar, create a new ACME account (we recommend a Group account)
4. From the new account pag
5. Choose which of your servers will act as the "primary" server, that is, which one will actually request the new certificate. Let's call this serverA.example.com.
6. On each of the other servers in the farm, install CertifiCat-PS:

Install-Module CertifiCat-PS

7. Still on each of the other servers in the farm, install the IIS URL Rewrite module, and create a redirect to the primary server:

Initialize-ACMEProxyRedirect -PrimaryServer serverA.example.com

8. From here on out, we'll perform actions from the main server
9. Install CertifiCat-PS:

Install-Module CertifiCat-PS

10. Install Posh-ACME, configure a central working directory, and create a local account based on the ID and Key above:

Initialize-ACMEEnvironment -ACMEServer https://certificat.example.com/directory -PAUserID External-Account-ID-From-The-ACME-Account-Above -PAUserKey External-Account-Key-From-The-ACME-Account-Above

11. Request a new certificate and update all IIS SSL bindings with it (this will also import the certificate into LocalMachine\WebHosting store):

$newCert = Initialize-NewACMECertificate -DomainList serverA.example.com, serverB.example.com, serverC.example.com, serviceLoadBalancerName.example.com -UpdateBindings -SkipDomainValidation

ℹ️ Note: The -SkipDomainValidation parameter prevents CertifiCat-PS from ensuring that you have provided valid domains in your list, based on your organizations domain names. By default, the module looks for domains matching (.)*.rit.edu, however, this can be updated - for more information, see this page.

12. Copy the newly issued certificate to the secondary servers, import it, and update the IIS bindings:

# Here $newCert is the object that we collected when we ran Step 11 to generate the new certificate

# Get the PFX file from the primary server
$newPFXFile = $newCert.PFXPath

# Extract just the directory name and convert it to a remote UNC-compatible path (e.g. c:\ -> c$\)
$newPFXDirectory = ($newPFXFile.replace(":", "$")).replace("cert.pfx", "")

# Build our list of secondary servers
$servers = "serverB.example.com", "serverC.example.com"

# Loop the list of servers, create the destination directory, copy the PFX file, and then run our function to import the file and perform the downstream functions
foreach($server in $servers){
    If(!(Test-Path \\$server\$crtDir)) { New-Item -ItemType Directory -Path "\\$server\$newPFXDirectory" | out-null }

    Copy-Item $newCert.PFXFile "\\$server\$newPFXDirectory\cert.pfx" -Force

    Invoke-Command -ComputerName $server -ScriptBlock { param($newPFXFile) Initialize-ExistingACMECertificate -PfxPath $newPFXFile -UpdateBindings } -ArgumentList $newPFXFile
}

13. Verify that the certificate presented by each server is the one that we just obtained (all thumbprints should be the same):

$servers = "serverA.example.com", "serverB.example.com", "serverC.example.com", "serviceLoadBalancerName.example.com"

"We were just issued a new certificate with thumbprint: '$($newCert.Certificate.Thumbprint)'"
foreach($server in $servers){
  $serverCheck = Assert-SiteCertificate -hostToTest $server -portToTest 443

  "Server '$server' is presenting thumbprint: '$($serverCheck.CertificateThumbprint)'"
}

Top

❓ Does this scenario apply to me?
This scenario would apply in cases where your application needs to reference a certificate in the Windows Certificate Store (for example, the LocalMachine\Personal store). This may involve specifying a thumbprint in a configuration file, or running an application-specific command to provide a new thumbprint.

1. Log into your CertifiCat server
2. Click Accounts
3. Using the Add New Account sidebar, create a new ACME account (we recommend a Group account)
4. From the new account page, copy the External Account ID and External Account Key values - they will be used momentarily
5. Install the CertifiCat-PS module:

Install-Module CertifiCat-PS

6. Install Posh-ACME, configure a central working directory, and create a local account based on the ID and Key above:

Initialize-ACMEEnvironment -ACMEServer https://certificat.example.com/directory -PAUserID External-Account-ID-From-The-ACME-Account-Above -PAUserKey External-Account-Key-From-The-ACME-Account-Above

7. Request a new certificate and import it into the LocalMachine\Personal store:

Initialize-NewACMECertificate -DomainList myServer.example.com -StoreName My -SkipDomainValidation

ℹ️ Note: The -SkipDomainValidation parameter prevents CertifiCat-PS from ensuring that you have provided valid domains in your list, based on your organizations domain names. By default, the module looks for domains matching (.)*.rit.edu, however, this can be updated - for more information, see this page.

8. Review the LocalMachine\Personal store to ensure that the new certificate is available:

((get-childitem cert:\localmachine\my).GetEnumerator() | sort-object NotBefore -Descending)[0] | select thumbprint, subject, issuer, friendlyname, notbefore, notafter

9. From here, the certificate is ready to use and perform any additional, down-stream application-specific functions, whether via PowerShell or interactively.

Top

❓ Does this scenario apply to me?
This scenario would apply in cases where your application references a certificate key file (for example, a .pfx, .key, or .cer file) for its configuration. This may involve specifying a path to the certificate files in a configuration file, or by running an application-specific command, providing a path to the certificate files.

1. Log into your CertifiCat server
2. Click Accounts
3. Using the Add New Account sidebar, create a new ACME account (we recommend a Group account)
4. From the new account page, copy the External Account ID and External Account Key values - they will be used momentarily
5. Install the CertifiCat-PS module:

Install-Module CertifiCat-PS

6. Install Posh-ACME, configure a central working directory, and create a local account based on the ID and Key above:

Initialize-ACMEEnvironment -ACMEServer https://certificat.example.com/directory -PAUserID External-Account-ID-From-The-ACME-Account-Above -PAUserKey External-Account-Key-From-The-ACME-Account-Above

7. Request a new certificate:

$newCert = Initialize-NewACMECertificate -DomainList myServer.example.com -SkipImport -SkipDomainValidation

ℹ️ Note: The -SkipDomainValidation parameter prevents CertifiCat-PS from ensuring that you have provided valid domains in your list, based on your organizations domain names. By default, the module looks for domains matching (.)*.rit.edu, however, this can be updated - for more information, see this page.

8. Change into the directory where the certificate's key material has been copied:

cd $newCert.CentralDirectory

9. From here, the certificate key material is ready to use and perform any additional, down-stream application-specific functions, whether via PowerShell or interactively.

Top