Automatically renewing Let's Encrypt™ SSL and binding it to a web site

Let's Encrypt™ is an SSL certificate authority that started around June 2015. It went into beta sometime around the last quarter of 2015, and I joined, getting an SSL certificate for this site.

When it was announced that Let's Encrypt only issues SSL certificates with a lifetime of 90 days (3 months), I decided to get an application that could renew my SSL certificate automatically. This turned out to be lets-encrypt-win-simple, which has since been renamed "A Simple ACME Client for Windows".

Back then, I also wrote a PowerShell script which automatically binds the renewed SSL certificate to the IIS site. The PowerShell script follows:

# Requires the IIS WebAdministration module (ships with IIS) for Get-WebBinding
Import-Module WebAdministration

# Imports a PFX with password
function Import-PfxCertificate {
    param([String]$certPath,[String]$certRootStore = "CurrentUser",[String]$certStore = "My",$pfxPass = $null)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    if ($null -eq $pfxPass) {$pfxPass = Read-Host "Enter the pfx password" -AsSecureString}
    # PersistKeySet keeps the private key after import (without it the key container is
    # temporary and the store entry ends up without a usable key). MachineKeySet stores
    # the key where IIS, which runs as a different account, can read it.
    # Exportable allows the key to be exported again later; drop it if that is not needed.
    $flags = "Exportable,PersistKeySet"
    if ($certRootStore -eq "LocalMachine") { $flags += ",MachineKeySet" }
    $pfx.Import($certPath,$pfxPass,$flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
    $store.Open("MaxAllowed")
    $store.Add($pfx)
    $store.Close()
}

# Imports a PFX without password (same key storage flags as above, minus Exportable)
function Import-509Certificate {
    param([String]$certPath,[String]$certRootStore,[String]$certStore)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $flags = "PersistKeySet"
    if ($certRootStore -eq "LocalMachine") { $flags += ",MachineKeySet" }
    $pfx.Import($certPath,"",$flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
    $store.Open("MaxAllowed")
    $store.Add($pfx)
    $store.Close()
}

$dir = "C:\Users\SSLCertificateDirectory" #Path of SSL certificate directory
$filespec = "*.pfx"
# Gets the newest PFX whose LastWriteTime is after yesterday, i.e. the one just renewed
$latest = Get-ChildItem "$dir\$filespec" |
    Where-Object LastWriteTime -gt (Get-Date).AddDays(-1) |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

# Skip if nothing was renewed. (A plain -ne "" test would not catch $null, which is
# what Get-ChildItem yields when no file matches.)
if ($latest) {
    $PFXName = $latest.FullName
    # Import cert into Local Computer\Personal\Certificates; not strictly necessary, as letsencrypt imports it automatically
    Import-509Certificate $PFXName "LocalMachine" "My"

    # Pick the newest freshly issued certificate for the site that has a private key.
    # Select-Object -First 1 guarantees a single thumbprint even if an older, still-valid copy is in the store.
    $certhash = (Get-ChildItem Cert:\LocalMachine\My\ |
        Where-Object { $_.Subject -like "*chuacw.ath.cx*" -and $_.HasPrivateKey -and $_.NotBefore -gt (Get-Date).AddDays(-1) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1).Thumbprint

    if (-not $certhash) { throw "No freshly issued certificate for the site found in LocalMachine\My" }

    # Bind the certificate to the site... BlogName is the name of the site to bind to.
    (Get-WebBinding -Name BlogName -Port 443 -Protocol "https").AddSslCertificate($certhash, "my")
}

The PowerShell script has since been reduced to:

Import-Module WebAdministration
# Newest freshly issued certificate for the site that has a private key (-First 1 keeps it to a single thumbprint)
$certhash=(Get-ChildItem Cert:\LocalMachine\My\ | where-object {$_.Subject -Like "*chuacw.ath.cx*" -and $_.HasPrivateKey -and $_.NotBefore -gt (get-date).AddDays(-1)} | Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint

#Bind the certificate to the site... skipped if no fresh certificate was found
if ($certhash) { (Get-WebBinding -Name BlogName -Port 443 -Protocol "https").AddSslCertificate($certhash, "my") }
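A check worth running once the script above has bound the certificate, as an added example that is not part of the original post: open a TLS connection to the site and confirm that the thumbprint it now presents is the one that was just bound, because AddSslCertificate returning without error does not by itself prove that the site is serving the new key. It assumes the site answers on 127.0.0.1:443 and that the host name sent as SNI is chuacw.ath.cx; the site name BlogName is taken from the script above. The certificate is selected by its SAN list (the DnsNameList property the Cert: provider exposes) rather than by a Subject wildcard, and the function names are my own.

```powershell
Import-Module WebAdministration

# Selects the newest certificate for $HostName that has a private key. Matching on the
# SAN list (DnsNameList) also covers certificates whose CN is another name on the same list.
function Select-SiteCertificate {
    param([Parameter(Mandatory)][string]$HostName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $HostName) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# Opens a TLS connection with SNI = $HostName and returns the thumbprint the server presents.
function Get-ServedThumbprint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Address = "127.0.0.1",   # assumption: the site listens locally on 443
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($Address, $Port)
    try {
        # Accept whatever chain the server sends: we only want to read the thumbprint;
        # the certificate itself was already checked against the local store.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            return $served.Thumbprint
        } finally { $ssl.Close() }
    } finally { $client.Close() }
}

$hostName = "chuacw.ath.cx"   # host name from the original script
$siteName = "BlogName"        # site name from the original script

$cert = Select-SiteCertificate -HostName $hostName
if (-not $cert) { throw "No certificate with a private key for $hostName in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    # With 90-day certificates a "newest" copy that is about to expire means renewal did not produce a new one.
    Write-Warning "Newest certificate for $hostName expires $($cert.NotAfter); renewal may have failed"
}

(Get-WebBinding -Name $siteName -Port 443 -Protocol "https").AddSslCertificate($cert.Thumbprint, "my")

$served = Get-ServedThumbprint -HostName $hostName
if ($served -ne $cert.Thumbprint) {
    throw "Site still presents $served, expected $($cert.Thumbprint): binding did not take effect"
}
Write-Host "Site presents the renewed certificate $served (valid until $($cert.NotAfter))"
```

Run it from an elevated PowerShell session on the web server after the renewal task has finished; the final comparison is what tells you the renewal actually reached clients, and the expiry warning catches the case where the ACME client silently failed and the newest certificate in the store is still the old one.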
Published Tue, 20 Feb 2018 @ 10:10 PM by chuacw