Using Let’s Encrypt certificates with Windows Admin Center

Certificates from Let’s Encrypt have a very short lifetime and therefore needs to be renewed quite often and that process needs to be automated. This little guide will show how to acquire certificates and automate the renewal for use with Windows Admin Center. I will use Posh-ACME to get the certificates from Let’s Encrypt.

First of all we will need to install the Powershell module Posh-ACME from Powershell Gallery

1
Install-Module -Name Posh-ACME

In order to use Posh-ACME you need to figure out how to let the script make changes to your public DNS-server. This is beyond the scope of this guide as that procedure varies depending on your provider. You will have to look in the documentation for Posh-ACME. List-of-Supported-DNS-Providers

Download Windows Admin Center if you haven’t done so already. https://aka.ms/WindowsAdminCenter

In a production environment the following steps should be performed as a separate (batch/script) account. Posh-ACME saves the settings in the user profile and you need to schedule a task to update the certificates. You do not want to schedule a task with your regular user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Specify the environment to acquire certificates from (LE_PROD is Let's Encrypt production environment and LE_STAGE is the test environment).
Set-PAServer LE_PROD

# I use Azure DNS so i populate $azParams with my settings:
# Credentials for AzureDNS
$user = '...'
$pass = ConvertTo-SecureString -AsPlainText '...' -Force
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass
# Parameters for AzureDNS
$azParams = @{
  AZSubscriptionId='----';
  AZTenantId='----';
  AZAppCred=($MySecureCreds)
}

# Acquire the certificate:
$newCert = New-PACertificate 'wac.demodomain.se' -AcceptTOS -Install -Contact admin@demodomain.se -DnsPlugin Azure -PluginArgs $azParams

# Specify the path to Windows Admin Center installer:
$msiFile = "c:\temp\WindowsAdminCenter1809.msi"

# Install:
Start-Process msiexec.exe -Wait -ArgumentList "/i $msiFile /qn /L*v c:\temp\log.txt SME_PORT=443 SME_THUMBPRINT=$($newCert.Thumbprint) SSL_CERTIFICATE_OPTION=installed"

If you want to do a manual install you can specify the thumbprint to the certificate. You will find it in the variable $newCert.Thumbprint after you have acquired the certificate.

This short script will check renew the certificate if needed, configure Windows Admin Center with the new certificate and then remove the old certificate.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# Update existing certificate
# This task should be scheduled to run every day (or something similar)

# Specify the domainname to update:
$wacDomain = "wac.demodomain.se"

# Get the current certificate:
$currentCert = Get-Item Cert:\LocalMachine\My\* | Where Subject -like "CN=$wacDomain"

# Specify the environment (Production or Test)
Set-PAServer LE_PROD

# Specify what certificate to renew
Set-PAOrder -MainDomain $wacDomain

# Submit the renewal
$newCert = Submit-Renewal
if ($newCert -ne $null)
{
    # If atleast one new certificate is returned:
    foreach ($c in $newCert)
    {
        # Check if the returned certificate matches the domainname specified:
        if ($c.AllSANs -contains $wacDomain)
        {
            # Find MSI package for Windows Admin Center
            $wac = get-wmiobject Win32_Product | select IdentifyingNumber, Name, LocalPackage | Where Name -eq "Windows Admin Center"

            if ($wac -ne $null)
            {
                # Bind new certificate to the service
                Start-Process msiexec.exe -Wait -ArgumentList "/i $($wac.LocalPackage) /qn /L*v c:\script\log.txt SME_PORT=443 SME_THUMBPRINT=$($c.Thumbprint) SSL_CERTIFICATE_OPTION=installed"

                # When upgrading WAC, the firewall rule may be deleted. If so create a new rule after upgrade.
                New-NetFirewallRule -DisplayName "SmeInboundOpenException" -Description "Windows Admin Center inbound port exception" -LocalPort 443 -RemoteAddress Any -Protocol TCP

                # Restart Windows Admin Center
                Restart-Service ServerManagementGateway -Force
            }            

            # Remove the old certificate from the certificate store
            Remove-Item $currentCert.PSPath
        }
    }
}

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.