Installing Posh-ACME (Windows)

In this article we’ll walk through setting up Let’s Encrypt on a Windows host using the Posh-ACME client, with CloudFlare DNS handling Domain Control Validation (DCV). On completion, the generated certificate will be stored within the Local Machine Certificate Store.

To accomplish this task, we’ll install a small script I’ve written which automates the majority of the process. I recommend you read through the script both to understand the code and to verify its actions prior to running it in a production environment.

If you’re planning on using the script for Remote Desktop Services or Work Folders, you’ll be happy to know it includes automating the certificate renewal process for both of these services. The script will automatically detect these services and perform the necessary actions.

Script Logic

Below is a quick outline of what actions the script will perform when run.

This script will remove any other certificates of the same domain name from the Local Machine Certificate Store after installation is complete! Comment out lines 290-298 to disable this action.
  1. If running on Windows Server 2016 or lower, ensure TLS 1.2 is enabled within .NET.
  2. Install Posh-ACME module.
  3. Import Cloudflare API token as a secure string.
  4. Set Let’s Encrypt environment (staging/production).
  5. Generate certificate.
  6. Create scheduled task to check daily if renewal is required.
  7. Check if Remote Desktop Services is installed. If yes, update certificate.
  8. Check if Work Folders is installed. If yes, update certificate.
  9. Delete replaced certificate from Certificate Store.
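The core of that outline (steps 1 to 6 and 9) expressed directly with Posh-ACME’s own cmdlets, as an added illustration rather than the lets_windows script itself; the token, email and task name are placeholders, and the RDS/Work Folders steps are left to the script:

```powershell
# Added example (not the lets_windows script): the outlined flow with Posh-ACME cmdlets.
$cloudflareToken = "<CLOUDFLARE-API-TOKEN>"     # placeholder
$certStaging     = $true                        # test against staging first
$certPass        = "changeme"
$notifyEmail     = "admin@example.com"          # placeholder
$hostname        = [System.Net.Dns]::GetHostEntry("localhost").HostName
$certDomains     = @($hostname)
$env:POSHACME_HOME = "$PSScriptRoot\config"     # set before the module is imported

# 1. Older .NET defaults may not offer TLS 1.2, which the ACME API requires.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 2. Install machine-wide so the scheduled task (running as SYSTEM) can load the module.
if (-not (Get-Module -ListAvailable -Name Posh-ACME)) {
    Install-Module -Name Posh-ACME -Scope AllUsers -Force
}
Import-Module Posh-ACME

# 3. Hand the token to the Cloudflare plugin as a SecureString rather than plain text.
$secureToken = ConvertTo-SecureString -String $cloudflareToken -AsPlainText -Force

# 4. Staging issues untrusted certificates but has generous rate limits; switch to LE_PROD once it works.
Set-PAServer $(if ($certStaging) { 'LE_STAGE' } else { 'LE_PROD' })

# 5. Issue the certificate; -Install places it in Cert:\LocalMachine\My.
$cert = New-PACertificate -Domain $certDomains -Contact $notifyEmail -AcceptTOS `
    -Plugin Cloudflare -PluginArgs @{ CFToken = $secureToken } `
    -PfxPass $certPass -Install

# 6. Daily renewal check. Submit-Renewal only acts inside the renewal window and
#    re-installs the certificate because the order was created with -Install.
$renewCmd = "`$env:POSHACME_HOME='$env:POSHACME_HOME'; Import-Module Posh-ACME; Submit-Renewal"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$renewCmd`""
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName 'Posh-ACME Renewal' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force

# 9. Remove superseded certificates for the same subject, keeping only the one just issued.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$($certDomains[0])" -and $_.Thumbprint -ne $cert.Thumbprint } |
    Remove-Item
```

Note that the clean-up in step 9 runs only at install time here; the scheduled task as written just renews, so old certificates that a renewal replaces would still need to be pruned by the script or a similar task.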

.NET Framework

Posh-ACME requires at minimum version 4.7.1 of the .NET Framework. If you’re installing Posh-ACME onto Windows Server 2016 or older, download and install .NET first. For this article, I used version 4.7.1, available from Microsoft’s website.

CloudFlare API Token

Ensure you’ve generated a CloudFlare API token which grants access to your domain’s DNS records. Posh-ACME will use this access to fulfill Let’s Encrypt challenge requests.

Clone Repository

Clone the lets_windows repository to a suitable location on your server. A common location is C:\Scripts, or C:\ProgramData if you prefer it out of sight.

git clone [email protected]:twobyteblog/lets_windows.git

Insert Variables

Open the main.ps1 script and update the required variables:

# CloudFlare Token for Domain Control Validation (DCV).
$cloudflareToken = ""

# Use Let's Encrypt's staging server rather than production.
$certStaging = $false

# Certificate password.
$certPass = "changeme"

# Domain(s). If using the hostname, you can automate it using the $hostname variable.
$hostname = $([System.Net.Dns]::GetHostEntry([string]"localhost").HostName)
$certDomains = @($hostname, "twobyte.blog", "twobyte.ca")

# Contact email address for the ACME account.
$notifyEmail = "[email protected]"

# Posh-ACME configuration location.
# By default, this will be a 'config' folder located alongside the script.
$env:POSHACME_HOME = "$PSScriptRoot\config"

Generate Certificate

With all the variables configured, we’re ready to request a certificate. If Remote Desktop Services or Work Folders is installed, the certificate serving these services will automatically be updated as well.

.\Certificate.ps1 -Install

Verify Certificate

Depending on the service the certificate is for, here are a few methods of verifying that the service is now utilizing the Let’s Encrypt certificate.

Web-Based Services

For web-based services, you can check the certificate via web browser.

  1. Open Google Chrome or Microsoft Edge.
  2. Browse to the respective URL, and click the icon immediately left of the URL.
  3. Select Certificate is secure, then Certificate is valid.

If your website is secure, you should see a certificate issued by Let’s Encrypt with an expiration three months in the future.

LDAPS

To check LDAPS connections, the most common method is using openssl from a Linux host.

openssl s_client -showcerts -verify 5 -connect hostname:636

Work Folders

As with LDAPS, you can use openssl to check the SSL connection for Work Folders as well.

openssl s_client -showcerts -verify 5 -connect hostname:443
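If you’d rather verify from the Windows host itself, the following added PowerShell function (not part of the lets_windows script) performs the same check as the two openssl commands above: it completes a TLS handshake with SNI, pulls the served certificate, and reports the issuer, expiry, and whether the local machine trusts the chain (a staging certificate will show ChainTrusted as False):

```powershell
# Added example: fetch and inspect the certificate served on a TLS port.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback returns $true so an untrusted (e.g. staging) certificate can still be
        # inspected; the trust decision is made explicitly with X509Chain below.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Dispose()
    }

    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Endpoint     = "${HostName}:$Port"
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint   = $cert.Thumbprint
        ChainTrusted = $trusted
        LetsEncrypt  = ($cert.Issuer -like "*Let's Encrypt*")
    }
}

# LDAPS (636) and Work Folders (443) on this host; adjust the host name as needed.
$hostname = [System.Net.Dns]::GetHostEntry("localhost").HostName
foreach ($port in 636, 443) {
    Get-ServedCertificate -HostName $hostname -Port $port
}
```

Compare the Thumbprint with the one shown for the new certificate in Cert:\LocalMachine\My to confirm the service has actually switched over rather than still serving the old certificate from memory.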

Remote Desktop Services

Each role with Remote Desktop Services can be checked via PowerShell.

Get-RDCertificate -Role RDGateway
Get-RDCertificate -Role RDWebAccess
Get-RDCertificate -Role RDRedirector
Get-RDCertificate -Role RDPublishing

Example:

Role          Level          ExpiresOn                           IssuedTo
----          -----          ---------                           --------
RDGateway     Trusted        05/04/2025 11:24:45                 CN=rds01.ad.twobyte.blog

If you’d like more detail, you can determine and view the certificates being used by the Remote Desktop Services role within Server Manager.

  1. Open Server Manager.
  2. Select Remote Desktop Services from the left-hand menu.
  3. Select Collections.
  4. In the top-right corner, select Tasks » Edit Deployment Properties.
  5. Select Certificates from the left-hand menu.
  6. For each role select View Details.