Create a new or update an existing Let's Encrypt certificate for one or more domains, add it to a store and then update the SSL bindings of an ADC.
GenLeCertForNS.ps1 [-CleanPoshACMEStorage] -ManagementURL <String> [-Username <String>] [-Password <Object>]
[-Credential <PSCredential>] -CN <String> [-SAN <String[]>] [-FriendlyName <String>]
[-ValidationMethod <String>] [-CertKeyNameToUpdate <String>] [-RemovePrevious] -CertDir <String>
[-PfxPassword <Object>] -EmailAddress <String> [-KeyLength <Int32>] [-Production] [-DisableLogging]
[-LogFile <String>] [-LogLevel <String>] [-SaveADCConfig] [-SendMail] [-SMTPTo <String[]>]
[-SMTPFrom <String>] [-SMTPCredential <PSCredential>] [-SMTPServer <String>] [-LogAsAttachment]
[-DisableIPCheck] [-IPv6] [-UpdateIIS] [-IISSiteToUpdate <String>] -CsVipName <String[]> [-CspName <String>]
[-CsVipBinding <String>] [-SvcName <String>] [-SvcDestination <String>] [-LbName <String>] [-RspName <String>]
[-RsaName <String>] [-ConfigFile <String>] [-ForceCertRenew] [-NoConsoleOutput] [<CommonParameters>]
GenLeCertForNS.ps1 [-Help] [-NoConsoleOutput] [<CommonParameters>]
GenLeCertForNS.ps1 [-CleanADC] -ManagementURL <String> [-Username <String>] [-Password <Object>]
[-Credential <PSCredential>] [-DisableLogging] [-LogFile <String>] [-LogLevel <String>] [-SaveADCConfig]
[-CsVipName <String[]>] [-CspName <String>] [-CsVipBinding <String>] [-SvcName <String>]
[-SvcDestination <String>] [-LbName <String>] [-RspName <String>] [-RsaName <String>] [-NoConsoleOutput]
[<CommonParameters>]
GenLeCertForNS.ps1 [-RemoveTestCertificates] [-CleanPoshACMEStorage] -ManagementURL <String>
[-Username <String>] [-Password <Object>] [-Credential <PSCredential>] [-DisableLogging] [-LogFile <String>]
[-LogLevel <String>] [-NoConsoleOutput] [<CommonParameters>]
GenLeCertForNS.ps1 -ManagementURL <String> [-Username <String>] [-Password <Object>]
[-Credential <PSCredential>] [-LogFile <String>] [-LogLevel <String>] [-SaveADCConfig] [-CsVipName <String[]>]
[-CspName <String>] [-SvcName <String>] [-LbName <String>] [-RspName <String>] [-RsaName <String>]
[-CreateUserPermissions] [-NSCPName <String>] [-CreateApiUser] -ApiUsername <String> -ApiPassword <Object>
[-NoConsoleOutput] [<CommonParameters>]
GenLeCertForNS.ps1 -ManagementURL <String> [-Username <String>] [-Password <Object>]
[-Credential <PSCredential>] [-LogFile <String>] [-LogLevel <String>] [-SaveADCConfig] -CsVipName <String[]>
[-CspName <String>] [-SvcName <String>] [-LbName <String>] [-RspName <String>] [-RsaName <String>]
[-CreateUserPermissions] [-NSCPName <String>] [-NoConsoleOutput] [<CommonParameters>]
GenLeCertForNS.ps1 [-Production] -ConfigFile <String> [-AutoRun] [-ForceCertRenew] [-NoConsoleOutput]
[<CommonParameters>]
The script uses Posh-ACME to create a new or update an existing certificate for one or more domains. If the certificate is generated successfully, the script adds it to the ADC and updates the SSL binding for a web site. This script is for use with a Citrix ADC (v11.x and up). The script validates the DNS records provided: the domain(s) listed must resolve to the same IP address that is configured (via NAT) to a Content Switch. Alternatively, DNS validation is used if a wildcard domain was specified.
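As an added example that is not part of GenLeCertForNS.ps1, the following PowerShell pre-flight check applies the two rules stated above before any certificate is requested: HTTP validation through the Content Switch only works when every name resolves to the public IP that is NAT'ed to that Content Switch, and any wildcard name forces DNS validation. The function name, the -CsVipPublicIP parameter and the injectable -Resolver script block are assumptions made for this example.

```powershell
# Added example, not part of GenLeCertForNS.ps1. Function name, -CsVipPublicIP and
# the injectable -Resolver are assumptions made for this example.
function Test-LeValidationReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CN,
        [string[]]$SAN = @(),
        # Public IP that is NAT'ed to the HTTP Content Switch VIP
        [Parameter(Mandatory)][string]$CsVipPublicIP,
        [switch]$IPv6,
        # Default resolver queries real DNS; pass your own script block to run offline
        [scriptblock]$Resolver = {
            param($Name, $Type)
            (Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop).IPAddress
        }
    )
    $recordType = if ($IPv6) { 'AAAA' } else { 'A' }
    $results = foreach ($name in @($CN) + $SAN) {
        $isWildcard = $name.StartsWith('*.')
        $ips = @()
        $matchesVip = $false
        if (-not $isWildcard) {
            # A name that does not resolve is treated like a mismatch: HTTP validation would fail
            try { $ips = @(& $Resolver $name $recordType) } catch { $ips = @() }
            $matchesVip = [bool]($ips -contains $CsVipPublicIP)
        }
        [pscustomobject]@{
            Name        = $name
            IsWildcard  = $isWildcard
            ResolvedIPs = $ips
            MatchesVip  = $matchesVip
        }
    }
    # Any wildcard forces DNS validation; otherwise every name must point at the VIP
    $needsDns = @($results | Where-Object IsWildcard).Count -gt 0
    $httpOk   = (-not $needsDns) -and (@($results | Where-Object { -not $_.MatchesVip }).Count -eq 0)
    [pscustomobject]@{
        Names            = $results
        ValidationMethod = if ($needsDns) { 'Dns' } elseif ($httpOk) { 'Http' } else { 'None' }
        Ready            = [bool]($needsDns -or $httpOk)
    }
}

# Constructed sample data: an offline resolver standing in for Resolve-DnsName
$fakeDns = @{
    'domain.com'     = '203.0.113.10'
    'www.domain.com' = '203.0.113.10'
    'vpn.domain.com' = '203.0.113.99'   # constructed: this name points somewhere else
}
$offline = { param($Name, $Type)
    if ($fakeDns.ContainsKey($Name)) { $fakeDns[$Name] } else { throw "NXDOMAIN $Name" }
}.GetNewClosure()

# vpn.domain.com resolves elsewhere, so HTTP validation cannot succeed for this request
Test-LeValidationReadiness -CN 'domain.com' -SAN 'www.domain.com', 'vpn.domain.com' `
    -CsVipPublicIP '203.0.113.10' -Resolver $offline | Select-Object ValidationMethod, Ready
# A wildcard name is in the request, so only DNS validation is possible
Test-LeValidationReadiness -CN 'domain.com' -SAN '*.domain.com' `
    -CsVipPublicIP '203.0.113.10' -Resolver $offline | Select-Object ValidationMethod, Ready
```

Run the check with the real resolver (omit -Resolver) against the names you intend to pass as -CN and -SAN before invoking the script without -DisableIPCheck.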
.\GenLeCertForNS.ps1 -CreateUserPermissions -CreateApiUser -CsVipName "CSVIPNAME" -ApiUsername "le-user" -ApiPassword "LEP@ssw0rd" -NSCPName "MinLePermissionGroup" -Username nsroot -Password "nsroot" -ManagementURL https://citrixadc.domain.local
This command creates a Command Policy with the minimum set of permissions. You need to run it once to create the policy (or whenever you want to change something). Be sure to run the script afterwards with the same parameters as specified in this command; the same applies to -SvcName (Default: "svc_letsencrypt_cert_dummy"), -LbName (Default: "lb_letsencrypt_cert"), -RspName (Default: "rsp_letsencrypt"), -RsaName (Default: "rsa_letsencrypt") and -CspName (Default: "csp_NSCertCsp"). The next time you want to generate certificates you can specify the new user: -Username le-user -Password "LEP@ssw0rd"
.\GenLeCertForNS.ps1 -CN "domain.com" -EmailAddress "[email protected]" -SAN "sts.domain.com","www.domain.com","vpn.domain.com" -PfxPassword "P@ssw0rd" -CertDir "C:\Certificates" -ManagementURL "http://192.168.100.1" -CsVipName "cs_domain.com_http" -Password "P@ssw0rd" -Username "nsroot" -CertKeyNameToUpdate "san_domain_com" -LogLevel Debug -Production
Generate a (Production) certificate for hostname "domain.com" with alternate names "sts.domain.com", "www.domain.com" and "vpn.domain.com", using the email address "[email protected]". At the end the certificates are stored in "C:\Certificates" and uploaded to the ADC. The Content Switch "cs_domain.com_http" is used to validate the certificates.
.\GenLeCertForNS.ps1 -CN "domain.com" -EmailAddress "[email protected]" -SAN "*.domain.com","*.test.domain.com" -PfxPassword "P@ssw0rd" -CertDir "C:\Certificates" -ManagementURL "http://192.168.100.1" -Password "P@ssw0rd" -Username "nsroot" -CertKeyNameToUpdate "san_domain_com" -LogLevel Debug -Production
Generate a (Production) wildcard (*) certificate for hostname "domain.com" with alternate names "*.domain.com" and "*.test.domain.com", using the email address "[email protected]". At the end the certificates are stored in "C:\Certificates" and uploaded to the ADC. NOTE: Only DNS verification is possible when using wildcards!
.\GenLeCertForNS.ps1 -CleanADC -ManagementURL "http://192.168.100.1" -CsVipName "cs_domain.com_http" -Password "P@ssw0rd" -Username "nsroot"
Clean up leftover configuration from this script when something went wrong during a previous attempt to generate new certificates.
.\GenLeCertForNS.ps1 -RemoveTestCertificates -ManagementURL "http://192.168.100.1" -Password "P@ssw0rd" -Username "nsroot"
Remove ALL the test certificates from your ADC.
.\GenLeCertForNS.ps1 -AutoRun -ConfigFile ".\GenLe-Config.json"
Run the script with previously saved parameters to create a test certificate. NOTE: you can create the JSON file by specifying the -ConfigFile ".\GenLe-Config.json" parameter together with your previous parameters.
.\GenLeCertForNS.ps1 -AutoRun -ConfigFile ".\GenLe-Config.json" -Production
Run the script with previously saved parameters to create a Production (trusted) certificate. NOTE: you can create the JSON file by specifying the -ConfigFile ".\GenLe-Config.json" parameter together with your previous parameters.
.\GenLeCertForNS.ps1 -CreateUserPermissions -NSCPName script-GenLeCertForNS -CreateApiUser -ApiUsername GenLEUser -ApiPassword P@ssw0rd! -ManagementURL https://citrixadc.domain.local -Username nsroot -Password nsr00t! -CsVipName cs_domain2.com_http,cs_domain2.com_http,cs_domain3.com_http
Create a group (Command Policy) with the limited user permissions required to run the script, and a user that will be a member of that group, listing all VIPs that can be used by the script.
Parameter: -Help
Display the detailed information about this script
Type: SwitchParameter
Parameter Sets: Help
Aliases: h
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CleanADC
Clean up the ADC configuration made by this script, for when something went wrong.
Type: SwitchParameter
Parameter Sets: CleanADC
Aliases: CleanNS
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -RemoveTestCertificates
Remove all the Test/Staging certificates signed by the "Fake LE Intermediate X1" staging intermediate
Type: SwitchParameter
Parameter Sets: CleanTestCertificate
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CleanPoshACMEStorage
Force cleanup of the Posh-ACME certificates located in "%LOCALAPPDATA%\Posh-ACME"
Type: SwitchParameter
Parameter Sets: LECertificates, CleanTestCertificate
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -ManagementURL
Management URL, used to connect to the ADC
Type: String
Parameter Sets: LECertificates, CleanADC, CleanTestCertificate, CommandPolicyUser, CommandPolicy
Aliases: URL, NSManagementURL
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -Username
ADC username with enough access to configure it
Type: String
Parameter Sets: LECertificates, CleanADC, CleanTestCertificate, CommandPolicyUser, CommandPolicy
Aliases: User, NSUsername, ADCUsername
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -Password
Password for the ADC username
Type: Object
Parameter Sets: LECertificates, CleanADC, CleanTestCertificate, CommandPolicyUser, CommandPolicy
Aliases: NSPassword, ADCPassword
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -Credential
Use a PSCredential object instead of a username and password. Use "Get-Credential" to generate a credential object: C:\PS> $Credential = Get-Credential
Type: PSCredential
Parameter Sets: LECertificates, CleanADC, CleanTestCertificate, CommandPolicyUser, CommandPolicy
Aliases: NSCredential, ADCCredential
Required: False
Position: Named
Default value: [System.Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CN
(Common Name) The primary (first) DNS record for the certificate. Example: "domain.com"
Type: String
Parameter Sets: LECertificates
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SAN
(Subject Alternate Name) Every further domain listed in this certificate, each between double quotes and separated by a comma. Example: "sts.domain.com","www.domain.com","vpn.domain.com" Example with wildcards: "*.domain.com","*.pub.domain.com" NOTE: Only DNS verification is possible when using wildcards!
Type: String[]
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: @()
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -FriendlyName
The display name of the certificate; if not specified, the CN will be used. You can specify an empty value if required. Example (empty display name): "" Example (your own name): "Custom Name"
Type: String
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -ValidationMethod
The method used to validate ownership of the requested names: HTTP validation via the Content Switch (the default), or DNS validation, which is the only option when wildcard names are requested.
Type: String
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: Http
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CertKeyNameToUpdate
ADC SSL certkey name currently in use, that needs to be renewed
Type: String
Parameter Sets: LECertificates
Aliases: NSCertNameToUpdate
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -RemovePrevious
If the new certificate was updated successfully, remove the previous files. This parameter only works if -CertKeyNameToUpdate was specified and previous files are found; otherwise this setting is ignored!
Type: SwitchParameter
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CertDir
Directory where the certificates are stored
Type: String
Parameter Sets: LECertificates
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -PfxPassword
Specify a password for the PFX certificate; if not specified, a new password is generated at the end
Type: Object
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -EmailAddress
The email address used to request the certificates and to receive a notification when the certificates (almost) expire
Type: String
Parameter Sets: LECertificates
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -KeyLength
Specify the key length of the certificate to be generated. Default: 2048
Type: Int32
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: 2048
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -Production
Use the production Let's Encrypt server; without this parameter the staging (test) server is used
Type: SwitchParameter
Parameter Sets: LECertificates, AutoRun
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -DisableLogging
Turn off logging to the log file. Default: ON
Type: SwitchParameter
Parameter Sets: LECertificates, CleanADC, CleanTestCertificate
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -LogFile
Location of the log file. If not specified, the script's default log location is used.
Type: String
Parameter Sets: LECertificates, CleanADC, CleanTestCertificate, CommandPolicyUser, CommandPolicy
Aliases: LogLocation
Required: False
Position: Named
Default value: <DEFAULT>
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -LogLevel
The log level you want. With LogLevel Error, only Error (E) data is written or shown. With LogLevel Warning, only Error (E) and Warning (W) data is written or shown. With LogLevel Info, only Error (E), Warning (W) and Info (I) data is written or shown. With LogLevel Debug, all data (Error (E), Warning (W), Info (I) and Debug (D)) is written or shown. You can also define a (global) variable $LogLevel in your script; the function will use that level instead, if none is specified with the command. Default value: Info
Type: String
Parameter Sets: LECertificates, CleanADC, CleanTestCertificate, CommandPolicyUser, CommandPolicy
Aliases:
Required: False
Position: Named
Default value: Info
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SaveADCConfig
When specified, the ADC configuration is saved after the script has made its changes.
Type: SwitchParameter
Parameter Sets: LECertificates, CleanADC, CommandPolicyUser, CommandPolicy
Aliases: SaveNSConfig
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SendMail
Specify this parameter if you want to send a mail at the end. Do not forget to specify SMTPTo, SMTPFrom, SMTPServer and, if required, SMTPCredential
Type: SwitchParameter
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SMTPTo
Specify one or more email addresses. Email addresses can be specified as "[email protected]" or "User Name <[email protected]>". If specifying multiple email addresses, separate them with a comma.
Type: String[]
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SMTPFrom
Specify the email address the mails are sent from. The email address can be specified as "[email protected]" or "User Name <[email protected]>"
Type: String
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SMTPCredential
Specify the mail server credentials, only if credentials are required to send mails
Type: PSCredential
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: [System.Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SMTPServer
Specify the SMTP mail server FQDN or IP address
Type: String
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -LogAsAttachment
If you specify this parameter, the log file is attached to the mail when it is sent.
Type: SwitchParameter
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -DisableIPCheck
If you want to skip the IP address verification, specify this parameter
Type: SwitchParameter
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -IPv6
If specified, the script will try to run with IPv6 checks (EXPERIMENTAL)
Type: SwitchParameter
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -UpdateIIS
If specified, the script will try to add the generated certificate to the personal computer store and bind it to the site
Type: SwitchParameter
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -IISSiteToUpdate
Select the IIS site you want to add the certificate to. The default value when this parameter is not specified is "Default Web Site".
Type: String
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: Default Web Site
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CsVipName
Name of the HTTP ADC Content Switch used for the domain validation. Specify only one when requesting a certificate. Specify all possible VIPs when creating a Command Policy (user group, -NSCPName), so they can all be used by the members.
Type: String[]
Parameter Sets: LECertificates, CommandPolicy
Aliases: NSCsVipName
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CsVipName
Type: String[]
Parameter Sets: CleanADC, CommandPolicyUser
Aliases: NSCsVipName
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CspName
ADC Content Switch Policy name. Default: "csp_NSCertCsp"
Type: String
Parameter Sets: LECertificates, CleanADC, CommandPolicyUser, CommandPolicy
Aliases: NSCspName
Required: False
Position: Named
Default value: Csp_letsencrypt
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CsVipBinding
ADC Content Switch binding used for the validation. Default: 11
Type: String
Parameter Sets: LECertificates, CleanADC
Aliases: NSCsVipBinding
Required: False
Position: Named
Default value: 11
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SvcName
ADC Load Balance service name. Default: "svc_letsencrypt_cert_dummy"
Type: String
Parameter Sets: LECertificates, CleanADC, CommandPolicyUser, CommandPolicy
Aliases: NSSvcName
Required: False
Position: Named
Default value: Svc_letsencrypt_cert_dummy
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -SvcDestination
IP address used for the ADC service (leave the default 1.2.3.4; only change it when that address is already in use)
Type: String
Parameter Sets: LECertificates, CleanADC
Aliases: NSSvcDestination
Required: False
Position: Named
Default value: 1.2.3.4
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -LbName
ADC Load Balance VIP name. Default: "lb_letsencrypt_cert"
Type: String
Parameter Sets: LECertificates, CleanADC, CommandPolicyUser, CommandPolicy
Aliases: NSLbName
Required: False
Position: Named
Default value: Lb_letsencrypt_cert
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -RspName
ADC Responder Policy name. Default: "rsp_letsencrypt"
Type: String
Parameter Sets: LECertificates, CleanADC, CommandPolicyUser, CommandPolicy
Aliases: NSRspName
Required: False
Position: Named
Default value: Rsp_letsencrypt
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -RsaName
ADC Responder Action name. Default: "rsa_letsencrypt"
Type: String
Parameter Sets: LECertificates, CleanADC, CommandPolicyUser, CommandPolicy
Aliases: NSRsaName
Required: False
Position: Named
Default value: Rsa_letsencrypt
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CreateUserPermissions
When this parameter is configured, a user group (Command Policy) is created with the limited set of permissions required to run this script. Also specify all VIP, LB and service names if you use values other than the defaults. The mandatory parameter is CsVipName.
Type: SwitchParameter
Parameter Sets: CommandPolicyUser, CommandPolicy
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -NSCPName
You can change the name of the Command Policy that is created when you configure the -CreateUserPermissions parameter. Default: "script-GenLeCertForNS"
Type: String
Parameter Sets: CommandPolicyUser, CommandPolicy
Aliases:
Required: False
Position: Named
Default value: Script-GenLeCertForNS
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -CreateApiUser
When this parameter is configured, a (system) user is created. This user will be a member of the Command Policy configured with -NSCPName
Type: SwitchParameter
Parameter Sets: CommandPolicyUser
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -ApiUsername
The username for the (system) user
Type: String
Parameter Sets: CommandPolicyUser
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -ApiPassword
The password for the (system) user
Type: Object
Parameter Sets: CommandPolicyUser
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -ConfigFile
Use an existing JSON file, or save all the "current" parameters to a JSON file of your choosing, for later reuse of the same parameters.
Type: String
Parameter Sets: LECertificates
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -ConfigFile
Type: String
Parameter Sets: AutoRun
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -AutoRun
This parameter is used to make sure you are deliberately using the parameters from the config file and running the script automatically.
Type: SwitchParameter
Parameter Sets: AutoRun
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -ForceCertRenew
Specify this parameter if you want to renew the certificate even though it is still valid.
Type: SwitchParameter
Parameter Sets: LECertificates, AutoRun
Aliases: Force
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Parameter: -NoConsoleOutput
When specified, no output is written to the console, with the exception of Warning, Verbose and Error messages.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
File Name: GenLeCertForNS.ps1
Version: v2.10.2
Author: John Billekens
Requires: PowerShell v5.1 and up; ADC 11.x and up; Run As Administrator; Posh-ACME 4.2.0 (will be installed via this script); Microsoft .NET Framework 4.7.1 or later (when using Posh-ACME/WildCard certificates)
Thank you @rmbolger for providing the HTTP validation method!