SSL Certificates are a great thing. However, for lab and test gear it can get expensive when you are generating new certificates for different usages. Using internal certificates are great for internal testing, but are a pain if you want to use them externally from multiple machines. Luckily there are Let’s Encrypt certificates. With their certificates you can generate 3 month certificates for not just A records, but for full wildcards as well.
With just 3 months available, this means you will be updating them every 3 months to keep your gear working. That is where these scripts come into play. By combining a couple of community products and some Windows Scheduled Tasks you can have this setup in an afternoon.
Install Pre-requisites on your updating system
From an admin PowerShell run the following commands. Accepting the install prompts as they come up. The section after the Install-Modules will fix an SSH syntax error that prevents the script from running. Make sure to close all admin PowerShell windows and IDEs after running these commands.
Install-Module -Name Posh-ACME -Scope AllUsers
Install-Module -Name Posh-ssh -Scope AllUsers
[System.Reflection.Assembly]::Load("System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall("C:\Program Files\WindowsPowerShell\Modules\Posh-SSH\2.2\Assembly\Renci.SshNet.dll");Create an encrypted password file for automating the process
On the machine that you will be running the update scripts from, login with the user account that you will be executing the scripts as, and then open an admin PowerShell prompt. Run the following command to generate an encrypted text file. Modify the path to where the password file will be generated, just ensure that the folder exists before executing. On the pop-up box that appears enter the NetScaler username and password with permission to upload files and modify the certificates.
(get-credential).password | ConvertFrom-SecureString | set-content "C:\CertUpdates\password.txt"Create your Posh-Acme Renewal Script
Create a Cert_Renewal.ps1 script on the update machine. I usually will place it in the same folder that I generated the password.txt file in the previous step. In that Cert_Renewal.ps1 script place the following code. You will need to modify the plugin arguments line to match your environment and provider. Refer to the Posh-ACME site for additional details. My example below is based on GoDaddy, as they host my external domain hosting.
$pArgs = @{GDKey='YourKey';GDSecret='YourSecret'}
submit-renewal -allaccounts -PluginArgs $pArgs -forceDownload and Modify the SSL_Cert_Update.ps script for your environment
I have worked to comment this PowerShell file as much as I can to hopefully make it clear. Feel free to modify and build from this to best fit your environment. The first time you run this, you will see some red messages, but these should just be the cleanup of previous certificate uploads. On subsequent runs you shouldn’t see those messages again. If you do, then check the message itself for troubleshooting steps.
Based on the vanilla template provided, the important lines to modify are the following;
3-5 Names of the Certificates as they appear on the NetScaler. These are case sensitive. Use similar syntax for uploading multiple certificates to your environment.
9 Enter the NetScaler user that will be used to upload the files and modify the certificate bindings
11 Enter the path to the Password.txt file you generated above
16 Enter the IP Address of the NetScaler you will be uploading data to
18-20 Enter the paths to the certificates that your Cert_Renewal.ps1 updated in the previous step
Automating the script process
I will recommend running these manually first, to make sure they work. If they are working correctly create a couple of Scheduled Tasks to run every 3 months. You want them to be 2 separate scripts, because you may have multiple NetScalers to send these cert files too, but you don’t want to regenerate the certificate files for each process. So just renew them once, then upload them to all your NetScalers.
Also, the renewal process has some built-in delay to it. This is to allow your DNS host to update it’s necessary Let’s Encrypt token. So if you have lots of certificates to renew, make sure to separate the renewal and upload process with enough of a gap to ensure they upload.
So create scheduled tasks on the same machine that you did all the above on, and set it to run as that same user that you logged in as to generate the password.txt file. The scheduled task should be set to powershell.exe with -file C:\CertUpdates\Cert_Renewal.ps1 -executionpolicy bypass for the arguments line. Modify the -file section to line up with your PowerShell scripts that you created above.
You can create 4 triggers on the Scheduled Tasks to line up with the 3 month expirations of your certificates, for full automated execution.