ACME protocol client for obtaining certificates using Let''s Encrypt (or other ACME compliant CA)
This is a custom build intended allow compatibility with .NET 4.6.1. It should not be used with PowerShell Core and you should only attempt to use RSA based key options.

Minimum PowerShell version


Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name Posh-ACME.net46 -RequiredVersion 4.7.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More


Ryan Bolger


(c) 2018 Ryan Bolger. All rights reserved.



LetsEncrypt ssl tls certificates acme


Complete-PAOrder Export-PAAccountKey Get-KeyAuthorization Get-PAAccount Get-PAAuthorization Get-PACertificate Get-PAOrder Get-PAPlugin Get-PAPluginArgs Get-PAServer Install-PACertificate Invoke-HttpChallengeListener New-PAAccount New-PACertificate New-PAOrder New-PAAuthorization Publish-Challenge Remove-PAAccount Remove-PAOrder Remove-PAServer Revoke-PAAuthorization Revoke-PACertificate Save-Challenge Send-ChallengeAck Set-PAAccount Set-PAOrder Set-PAServer Submit-ChallengeValidation Submit-OrderFinalize Submit-Renewal Unpublish-Challenge


Desktop Core


This module has no dependencies.

Release Notes

## 4.7.0 (2021-08-24)

* Servers, Accounts, and Orders all now have configurable Names that also determine the name of their associated folders in the config on the filesystem. (#345) This is a fairly large change, but significant effort has been spent implementing it so that dependent scripts will not break.
 * **Please backup your current config before customizing your object names.** Previous Posh-ACME versions will break trying to read configs with custom names.
 * All customized names may only use the following characters to avoid cross-platform filesystem compatibility issues: `0-9 a-z A-Z - . _ !`.
 * A `NewName` parameter has been added to `Set-PAServer`, `Set-PAAccount`, and `Set-PAOrder` to change the name of each type of object.
 * Server related functions now have an optional `Name` parameter which can be used instead of or in addition to the `DirectoryUrl` parameter. This includes `Get/Remove/Set-PAServer`.
 * If a server doesn't already exist, `Set-PAServer` will use the `-Name` parameter for the new server's name. If the server already exists, it is ignored.
 * Returned server objects now have `Name` and `Folder` properties.
 * Despite being able to customize Server names, you may still only have a single instance of each unique ACME server in your config. This may chang in a future major version.
 * Account related functions that have an `ID` parameter now have a `Name` parameter alias. This includes `Get/Remove/Set-PAAccount` and `Export-PAAccountKey`. The ID parameter should be considered deprecated and in future major versions will be replaced by `Name`.
 * The `ID` parameter was added to `New-PAAccount` to allow setting the customized ID on creation instead of using the server provided default value.
 * Returned account objects now have a `Folder` property and the `id` property now reflects the customizable value.
 * The `id` property on account objects is deprecated and will be changed to `Name` in a future major version.
 * Order related functions now have an optional `Name` parameter to distinguish between multiple orders that may have the same `MainDomain`. This includes `Get/Revoke/New-PACertificate`, `Get/New/Set/Remove-PAOrder`, `Get-PAPluginArgs`, `Invoke-HttpChallengeListener`, and `Submit-Renewal`. In most cases, the `Name` parameter can also be used by itself as a unique identifier for orders.
 * The `Name` parameter on `New-PACertificate` and `New-PAOrder` allows setting the customized order name on creation instead of using the MainDomain default value.
 * Returned order objects now have a `Name` property (not to be confused with `FriendlyName` which only affects the certificate associated with the order).
 * Order related error and log messages that previously mentioned the order's MainDomain have been changed to use the order's Name instead.
 * To retain backwards compatibility with existing 4.x dependent scripts, `Get-PAOrder` will return the single, most recent order when used with `-MainDomain` even if there are multiple matching orders. This also affects `Get-PACertificate` which uses Get-PAOrder under the hood.
 * `Set-PAOrder`, `Revoke-PACertificate`, and `Remove-PAOrder` will throw an error if only `MainDomain` is specified and it matches multiple orders. Specify the `Name` parameter as well to ensure a unique order match.
* Custom plugins can now be loaded from an alternate filesystem location by creating a `POSHACME_PLUGINS` environment variable before the module is loaded. The value should be a folder path that contains uniquely named .ps1 plugin files. If any custom plugins have the same name as native plugins, a warning will be thrown and they will not be loaded.
* Added `New-PAAuthorization` which allows the creation of authorization objects outside the context of an order. NOTE: BuyPass is the only free ACME CA that currently supports this feature.
* Added a `OnlyReturnExisting` parameter to `New-PAAccount` when using an imported key which instructs the ACME server to only return account details if an account already exists for that key.
* Added a `NoSwitch` parameter to `Set-PAServer` so you can modify the active server without switching to it.
* The `AllSANs` field on PACertificate objects now reflects the SAN list on the actual certificate instead of its associated ACME order (just in case the two lists have divered for some strange reason).
* Added missing help on `Get-PAPluginArgs`.
* Default formatting for PAServer objects has been tweaked to show more useful info.
* Default formatting for PAOrder object now includes `Name` and has removed `OSCPMustStaple`.
* The `Quiet` parameter has been removed from the `Get-PAServer -List` parameter set because it didn't make sense.
* Fixed an example in `Remove-PAServer` help.
* Added workaround for BuyPass bug that prevents some error details from being parsed.
* Adjusted support for Account Key Rollover to more closely follow RFC8555 which fixes a bug using it with BuyPass
* Changed some logic in `Revoke-PACertificate` so that it works with BuyPass which doesn't seem to support revocation using the cert's private key.
* Orders using an ECC private key will no longer include Key Encipherment in the CSR's keyUsage when submitting an order for finalization. Key Encipherment is not supported for ECDSA certs and some CAs were rejecting the finalization.

Version History

Version Downloads Last updated
4.10.0 6 10/6/2021
4.9.0 21 9/21/2021
4.8.1 9 9/12/2021
4.8.0 4 9/10/2021
4.7.1 12 8/28/2021
4.7.0 (current version) 5 8/24/2021
4.6.0 23 7/26/2021
4.5.0 17 5/29/2021
4.4.0 18 5/3/2021
4.3.2 19 3/14/2021
4.3.1 4 3/12/2021
4.3.0 12 2/24/2021
4.2.0 17 2/1/2021
4.1.0 15 1/18/2021
4.0.0 14 12/19/2020
3.20.0 17 11/25/2020
3.19.0 11 11/20/2020
3.18.1 9 11/12/2020
3.18.0 5 11/8/2020
3.17.0 3 10/9/2020
3.16.1 10 9/1/2020
3.15.1 28 7/8/2020
3.15.0 13 6/23/2020
3.14.0 24 5/7/2020
3.13.0 57 4/11/2020
3.12.0 92 12/10/2019
3.11.0 33 11/12/2019
3.10.0 11 11/6/2019
3.9.0 16 10/26/2019
3.8.0 22 9/27/2019
3.7.0 10 9/18/2019
3.6.0 27 8/20/2019
3.5.0 3,435 6/21/2019
3.4.0 39 4/30/2019
3.3.0 17 3/24/2019
3.2.1 22 3/4/2019
3.2.0 24 1/22/2019
3.1.1 991 12/22/2018
3.1.0 7 12/16/2018
3.0.1 32 11/30/2018
3.0.0 32 11/13/2018
2.9.1 10 10/26/2018
2.9.0 14 10/6/2018
2.8.0 157 9/12/2018
2.7.1 7 8/30/2018
2.7.0 15 8/12/2018
2.6.0 6 8/1/2018
2.5.0 13 7/13/2018
Show less