New-PACertificate
NAME New-PACertificate
SYNOPSIS
Request a new certificate
SYNTAX
New-PACertificate [-Domain] <String[]> [-Contact <String[]>] [-CertKeyLength <String>] [-NewCertKey] [-AcceptTOS]
[-AccountKeyLength <String>] [-DirectoryUrl <String>] [-DnsPlugin <String[]>] [-PluginArgs <Hashtable>] [-DnsAlias
<String[]>] [-OCSPMustStaple] [-FriendlyName <String>] [-PfxPass <String>] [-Install] [-Force] [-DNSSleep <Int32>]
[-ValidationTimeout <Int32>] [<CommonParameters>]
New-PACertificate [-CSRPath] <String> [-Contact <String[]>] [-AcceptTOS] [-AccountKeyLength <String>]
[-DirectoryUrl <String>] [-DnsPlugin <String[]>] [-PluginArgs <Hashtable>] [-DnsAlias <String[]>] [-Force]
[-DNSSleep <Int32>] [-ValidationTimeout <Int32>] [<CommonParameters>]
DESCRIPTION
This is the primary function of this module and is capable of executing the entire ACME certificate request process
from start to finish without any prerequisite steps. However, using the module's other functions can enable
more complicated workflows and reduce the number of parameters you need to supply to this function.
PARAMETERS
-Domain <String[]>
One or more domain names to include in this order/certificate. The first one in the list will be considered
the "MainDomain" and be set as the subject of the finalized certificate.
Required? true
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false
-CSRPath <String>
The path to a pre-made certificate request file in PEM (Base64) format. This is useful for appliances that
need to generate their own keys and cert requests.
Required? true
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Contact <String[]>
One or more email addresses to associate with this certificate. These addresses will be used by the ACME
server to send certificate expiration notifications or other important account notices.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-CertKeyLength <String>
The type and size of private key to use for the certificate. For RSA keys, specify a number between 2048-4096
(divisible by 128). For ECC keys, specify either 'ec-256' or 'ec-384'. Defaults to '2048'.
Required? false
Position? named
Default value 2048
Accept pipeline input? false
Accept wildcard characters? false
-NewCertKey [<SwitchParameter>]
If specified, a new private key will be generated for the certificate. Otherwise, a new key will only be
generated if one doesn't already exist for the primary domain or the key type or length have changed from the
previous order.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-AcceptTOS [<SwitchParameter>]
This switch is required when creating a new account as part of a certificate request. It implies you have read
and accepted the Terms of Service for the ACME server you are connected to. The first time you connect to an
ACME server, a link to the Terms of Service should have been displayed.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-AccountKeyLength <String>
The type and size of private key to use for the account associated with this certificate. For RSA keys,
specify a number between 2048-4096 (divisible by 128). For ECC keys, specify either 'ec-256' or 'ec-384'.
Defaults to 'ec-256'.
Required? false
Position? named
Default value ec-256
Accept pipeline input? false
Accept wildcard characters? false
-DirectoryUrl <String>
Either the URL to an ACME server's "directory" endpoint or one of the supported short names. Currently
supported short names include LE_PROD (LetsEncrypt Production v2) and LE_STAGE (LetsEncrypt Staging v2).
Defaults to 'LE_PROD'.
Required? false
Position? named
Default value LE_PROD
Accept pipeline input? false
Accept wildcard characters? false
-DnsPlugin <String[]>
One or more DNS plugin names to use for this order's DNS challenges. If no plugin is specified, the "Manual"
plugin will be used. If the same plugin is used for all domains in the order, you can just specify it once.
Otherwise, you should specify as many plugin names as there are domains in the order and in the same sequence
as the order.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-PluginArgs <Hashtable>
A hashtable containing the plugin arguments to use with the specified DnsPlugin list. So if a plugin has a
-MyText string and -MyNumber integer parameter, you could specify them as @{MyText='text';MyNumber=1234}.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-DnsAlias <String[]>
One or more FQDNs that DNS challenges should be published to instead of the certificate domain's zone. This is
used in advanced setups where a CNAME in the certificate domain's zone has been pre-created to point to the
alias's FQDN, which makes the ACME server check the alias domain when validating challenge TXT records. If the
same alias is used for all domains in the order, you can just specify it once. Otherwise, you should specify
as many alias FQDNs as there are domains in the order and in the same sequence as the order.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-OCSPMustStaple [<SwitchParameter>]
If specified, the certificate generated for this order will have the OCSP Must-Staple flag set.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-FriendlyName <String>
Set a friendly name for the certificate. This will populate the "Friendly Name" field in the Windows
certificate store when the PFX is imported. Defaults to the first item in the Domain parameter.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-PfxPass <String>
Set the export password for generated PFX files. Defaults to 'poshacme'.
Required? false
Position? named
Default value poshacme
Accept pipeline input? false
Accept wildcard characters? false
-Install [<SwitchParameter>]
If specified, the certificate generated for this order will be imported to the local computer's Personal
certificate store. Using this switch requires running the command from an elevated PowerShell session.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Force [<SwitchParameter>]
If specified, a new certificate order will always be created regardless of the status of a previous order for
the same primary domain. Otherwise, the previous order still in progress will be used instead.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-DNSSleep <Int32>
Number of seconds to wait for DNS changes to propagate before asking the ACME server to validate DNS
challenges. Default is 120.
Required? false
Position? named
Default value 120
Accept pipeline input? false
Accept wildcard characters? false
-ValidationTimeout <Int32>
Number of seconds to wait for the ACME server to validate the challenges after asking it to do so. Default is
60. If the timeout is exceeded, an error will be thrown.
Required? false
Position? named
Default value 60
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\>New-PACertificate site1.example.com -AcceptTOS
These are the minimum parameters needed to generate a certificate for the specified site if you haven't already
set up an ACME account. It will prompt you to add the required DNS TXT record manually. Once you have an account
created, you can omit the -AcceptTOS parameter.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>New-PACertificate 'site1.example.com','site2.example.com' -Contact admin@example.com
Request a SAN certificate with multiple names and have notifications sent to the specified email address.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>New-PACertificate '*.example.com','example.com'
Request a wildcard certificate that includes the root domain as a SAN.
-------------------------- EXAMPLE 4 --------------------------
PS C:\>$pluginArgs = @{FBServer='fb.example.com'; FBCred=(Get-Credential)}
PS C:\>New-PACertificate site1.example.com -DnsPlugin Flurbog -PluginArgs $pluginArgs
Request a certificate using the hypothetical Flurbog DNS plugin that requires a server name and set of credentials.
-------------------------- EXAMPLE 5 --------------------------
PS C:\>$pluginArgs = @{FBServer='fb.example.com'; FBCred=(Get-Credential)}
PS C:\>New-PACertificate site1.example.com -DnsPlugin Flurbog -PluginArgs $pluginArgs -DnsAlias validate.alt-example.com
This is the same as the previous example except that it's telling the Flurbog plugin to write to an alias domain.
This only works if you have already created a CNAME record for _acme-challenge.site1.example.com that points to
validate.alt-example.com.
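The following is an added example, not part of the Posh-ACME help text or the module's own code. It checks the CNAME prerequisite described in Example 5 for every domain in an order (honoring the one-alias-or-one-per-domain rule of -DnsAlias), and only then places the order against LE_STAGE so that a misconfigured alias is caught before it counts against production rate limits. The Flurbog plugin, fb.example.com and validate.alt-example.com are the page's hypothetical names; Test-AcmeAlias is a helper written here and assumes the Windows DnsClient module's Resolve-DnsName is available.

```powershell
# Added example (not from the Posh-ACME project): verify _acme-challenge CNAMEs
# before ordering with -DnsAlias, then request against the staging directory.
$domains = 'site1.example.com', 'site2.example.com'
# One alias for all domains, or one alias per domain in the same sequence,
# the same rule New-PACertificate applies to -DnsAlias.
$aliases = 'validate.alt-example.com'

function Test-AcmeAlias {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [Parameter(Mandatory)][string[]]$Alias
    )
    if ($Alias.Count -ne 1 -and $Alias.Count -ne $Domain.Count) {
        throw "Supply one alias or exactly $($Domain.Count) aliases."
    }
    $ok = $true
    for ($i = 0; $i -lt $Domain.Count; $i++) {
        # A wildcard name is validated through the base name's challenge label.
        $base = $Domain[$i] -replace '^\*\.', ''
        $label = "_acme-challenge.$base"
        $expected = if ($Alias.Count -eq 1) { $Alias[0] } else { $Alias[$i] }
        try {
            $cname = (Resolve-DnsName -Name $label -Type CNAME -ErrorAction Stop |
                Where-Object Type -eq 'CNAME').NameHost
        } catch { $cname = $null }
        if ($cname -and $cname.TrimEnd('.') -ieq $expected.TrimEnd('.')) {
            Write-Verbose "$label -> $cname (ok)"
        } else {
            Write-Warning "$label does not CNAME to $expected (got '$cname')"
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-AcmeAlias -Domain $domains -Alias $aliases)) {
    throw 'Fix the _acme-challenge CNAME records before ordering.'
}

# Hypothetical plugin arguments, as in Example 4 of the help text.
$pluginArgs = @{ FBServer = 'fb.example.com'; FBCred = (Get-Credential) }
New-PACertificate $domains -DnsPlugin Flurbog -PluginArgs $pluginArgs `
    -DnsAlias $aliases -DirectoryUrl LE_STAGE -Contact admin@example.com `
    -CertKeyLength ec-256 -AcceptTOS
```

Once the staging order succeeds, rerun the final command with -DirectoryUrl LE_PROD (the default) to obtain a trusted certificate.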
RELATED LINKS
Project: https://github.com/rmbolger/Posh-ACME
Submit-Renewal
Get-DnsPlugins