- Fix DNSimple plugin not properly ignoring 404 API errors on PowerShell 5.1 (#549)
- Added support for DNSimple user tokens which should allow for certs with names that span domains in multiple accounts.
- Added warning in GoDaddy guide about newly imposed limits on API access. (Thanks @webprofusion-chrisc)
- Fixed DNSimple plugin not removing challenge records (#548).
- Fixed cascading errors on public functions when running with little or no existing config. (#544)
- Fixed OVH plugin on PowerShell 5.1 by removing an accidentally added ternary operator. (#545) (Thanks @joshooaj)
- New DNS plugin WebsupportSK. This will be useful to Active24 users who have been migrated to the new provider.
- Added additional debug logging for Active24 plugin.
- New DNS plugin WEDOS
- Fixed OVH bug that prevented record creation at a zone apex most common when using DNS Alias support. Also added doc warning about time skew and better debug logging. (#535)
- New DNS plugin PowerDNS
- Fixed duplicate identifiers in the
Domainparameter causing errors with some ACME servers. Identifiers will now be deduplicated prior to being saved and sent to the ACME server. (#517) - Added
WSHDelayAfterStartparam to the WebSelfHost plugin which adds a configurable delay between when the challenge listener starts up and when it asks the ACME server to validate the challenges. (#518) - Orders where the MainDomain is longer than 64 characters will not include a CN value in the Subject field of the certificate request sent to the ACME server. CNs longer than 64 characters were already being rejected by some CAs like Let's Encrypt because the x509 spec doesn't allow for it. More Info
- New DNS plugins
- HurricaneElectricDyn This is an alternative to the existing
HurricaneElectricplugin that uses the DynDNS API instead of web scraping. (Thanks @jbrunink) - ZoneEdit (#495)
- HurricaneElectricDyn This is an alternative to the existing
- The
CSRPathparameter inNew-PAOrderandNew-PACertificatewill now accept the raw string contents of a CSR file instead of just the path to a file. (#503) - The
Simplyplugin has been renamed toSimplyComat the request of the provider. The new version is exactly the same. The old version will remain until the next major release. Users should update their renewal configs to use the new version to prevent future breakage.Set-PAOrder -Plugin SimplyCom - Added a workaround to a temporary problem with the Simply.com API in case the issue pops up again. (#502)
- The
Route53plugin now uses IMDSv2 when using the IAM Role support. (#509)
- The
POSHACME_HOMEenvironment variable now supports Windows-style (surrounded by%) environment variable expansion. (#497)- So you can set the value to
%ProgramData%\Posh-ACMEinstead of needing to set it explicitly toC:\ProgramData\Posh-ACMEfor example. - NOTE: This requires Windows-style environment variable strings even on non-Windows OSes.
- So you can set the value to
- The Azure plugin no longer tries to re-use cached authentication tokens when using the
AZAccessTokenparameter set. (#498) - Fixed a bug with the Azure plugin that broke authentication when submitting multiple orders with different credentials from different tenants. (#498)
- Fixed a problem using Posh-ACME within AWS Lambda due to non-standard dotnet runtime assembly configs. (#418) (Thanks @garthmccormack)
- This fix involved changing the
RevocationReasonsenum from a .NET type to a PowerShell native enum. - The change constitutes a minor breaking change which makes the enum no longer accessible from outside the module's context, but tab completion and string converted values for the
Revoke-PACertificate -Reasonparameter work exactly the same as before.
- This fix involved changing the
- Fixed Hetzner plugin for accounts with 100+ zones. (#481) (Thanks @Deutschi)
- Fixed RFC2136 plugin ignoring the DDNSNameserver parameter when set. (#485) (Thanks @gvengel)
- New DNS plugins
- Google Domains This should be considered experimental while the Google Domains ACME API is still in testing. (Thanks @webprofusion-chrisc)
- IONOS (Thanks @RLcyberTech)
- SSHProxy sends update requests via SSH to another server which is able to do dynamic updates against your chosen DNS provider. (Thanks @bretgiddings)
- The
DDNSNameserverparameter is no longer mandatory in the RFC2136 plugin which will make nsupdate try to use whatever primary nameserver is returned from an SOA query. - Added Basic authentication support to the AcmeDns plugin which should allow it to be used against endpoints that enforce that such as Certify DNS.
- Added support for plugin parameters that are arrays of SecureString or PSCredential objects.
- Fixed PAServer switches getting reset on
Set-PAServerwith no params (#475)
- New DNS plugins
- Added
-Subjectparameter toNew-PACertificate,New-PAOrder, andSet-PAOrderwhich will override the default x509 Subject field in the certificate request sent to the ACME CA. This can be useful for private CAs that allow for additional attributes in the Subject that public CAs don't. - Fix for undocumented NameSilo API change. (Thanks @rkone)
- Fix for All-Inkl plugin that makes the plaintext
KasPwdparameter actually send plaintext since All-Inkl has deprecated the SHA1 option.
- Reverted the embedded BouncyCastle library back to 1.8.8 due to version conflicts with Az.KeyVault in PowerShell 6+. This is temporary while a suitable workaround for version conflicts in other modules is explored.
- Fixed Domeneshop plugin when publishing apex TXT records and added more API output to debug messages.
- PAOrder objects now have a flag to optionally use modern encryption options on generated PFX files. This will prevent the need to use "legacy" mode when reading the files with OpenSSL 3.x. However, it breaks compatibility with OpenSSL 1.0.x and earlier.
- You can use the
-UseModernPfxEncryptionflag withNew-PACertificate,New-PAOrder, andSet-PAOrder. When used withSet-PAOrder, existing PFX files will be re-written based on the flag's new value. - Use
Set-PAOrder -UseModernPfxEncryption:$falseto switch back to the default setting. - The default for new orders will likely remain off until Posh-ACME 5.x is released.
- You can use the
- Added new DNS plugin PortsManagement (Thanks @wemmer)
- The GCloud plugin has a new optional parameter,
GCProjectIdthat takes one or more string values. This is only required if the DNS zones to modify don't reside in the same project as the service account referenced byGCKeyFileor they reside in multiple projects. When used, be sure to include all project IDs including the one referenced byGCKeyFile. - Added Google's new free ACME CA to the CA comparison doc
- Upgraded the embedded BouncyCastle library to 1.9.0
- Fixed UKFast plugin to support paging for accounts with many domains (Thanks @0x4c6565)
- Fixed PFX friendly name generation when not provided in the order.
- Added new DNS plugin Porkbun (Thanks @CaiB)
- Added server shortcuts for Google's new ACME CA, GOOGLE_PROD and GOOGLE_STAGE.
- Added server shortcuts for SSL.com, SSLCOM_RSA and SSLCOM_ECC.
- Added
UseAltAccountRefreshswitch toSet-PAServerto workaround CAs that don't yet support direct account refreshes such as Google, SSL.com, and DigiCert. (#372) (#394)- New configs should have this set by default for CAs known to need it. But you will need to explicitly set it on any existing configs for these CAs.
- Added
LifetimeDaysparam onNew-PACertificate,New-PAOrder, andSet-PAOrderto enable user requested cert lifetimes for ACME CAs that support the feature.- Google's CA is the only free ACME CA known to currently support this and the order lifetime cannot be changed once it is created. Setting a new value on an existing order will only change the lifetime on subsequent renewals.
- Updated Azure plugin to use the latest stable API version.
- Updated Azure guide to account for breaking changes in the Az module.
- Fixed GoDaddy plugin when using it with delegated sub-zones. (#430)
- Fixed
New-PAAccountwhen importing an existing key on CAs that require external account binding. - Reduced the number of account refreshes that happen as part of normal operations.
- Fixed Loopia plugin after an upstream API change broke it. (Thanks @AlexanderRydberg)
- Added new DNS plugin LeaseWeb
- Simply plugin migrated to v2 of the API. No changes should be necessary for existing users.
- The WebRoot plugin now supports multiple paths for the
WRPathparameter. (#411) - ClouDNS plugin error handling was modified so that invalid credential errors are properly surfaced instead of just throwing generic "zone not found" errors. (#414)
- Fixed a potential bug with
Submit-OrderFinalizewhen multiple orders have the same MainDomain property. - Fixed
New-PACertificatenot properly updating an existing order with updated order params (#412)
- Added SecretManagement support! See this guide for details.
- Added new DNS plugins:
- Combell (Thanks @stevenvolckaert)
- TotalUptime (Thanks @CirotheSilver)
Install-PACertificateand the-Installswitch on orders will now import associated chain certificates into the Intermediate cert store if they don't already exist. (#397)New-PAOrderwill now throw an error if the order object returned by the ACME server matches an existing order with a different name. (#401)- The progress bar for DNS propagation is now disabled by default unless a POSHACME_SHOW_PROGRESS environment variable is defined. A verbose message will be written once per minute as an alternative. (#402)
- Added auth token caching to CoreNetworks plugin to avoid getting rate limited. (#403)
- Fixed ISPConfig plugin throwing Incorrect datetime value errors when adding records (#404)
- Fixed a bug with
Submit-Renewal -AllAccountsthat would prevent restoring the original active account. (Thanks @markpizz) (#395) - Fixed usage example in EasyDns guide. (Thanks @webprofusion-chrisc) (#407)
- Added new DNS plugin CoreNetworks (Thanks @dwydler)
- Fix for Regru plugin bug caused by provider API change (#392)
- Fix Submit-Renewal duplicating orders that have a custom name (#393)
- Added new DNS plugin ISPConfig
- Fixed the DOCean plugin when used with accounts that have more than 20 zones. (#384) (Thanks @Xpyder)
- Fixed a bug in the DOCean plugin that prevented publishing records against the zone apex.
- Fixed a bug using
Set-PAOrder -PreferredChainon an existing but expired order that was recently upgraded from Posh-ACME 3.x. - Fixed renewal window calculation for certs that have lifetimes shorter or longer than 90 days. (#382) (Thanks @lookcloser)
- Due to the bug, certs with lifetimes longer than 90 days would renew early and certs with lifetimes shorter than 90 days would renew late or potentially not at all. Because the renewal window is calculated and saved at finalization time, the new module version won't fix the value on existing orders. It will only fix future orders/renewals.
- If you want to scan for and fix any orders that might have been affected by this bug, you can use the script posted here: #382 (comment)
- Fixed a benign bug with object serialization in PS 5.1 that was saving the dynamic attributes on server/account/order objects.
- Fixed a bug introduced in 4.7.0 that broke
Set-PAAccount -UseAltPluginEncryptionpreventing plugin args for orders from being properly re-encrypted.
- Documentation Revamp
- https://poshac.me/docs is a new dedicated website for Posh-ACME documentation. Existing guides and tutorials have been migrated there from the Github wiki. The site is currently generated using the Markdown files in the
docsfolder in the main project repository by MkDocs. So it should now be easier to contribute fixes and updates. - The native module help is now also generated by platyPS from the Markdown files in
docs/Functions. Get-Help <function name> -Onlineshould now open your browser to the appropriate page on the documentation site.
- https://poshac.me/docs is a new dedicated website for Posh-ACME documentation. Existing guides and tutorials have been migrated there from the Github wiki. The site is currently generated using the Markdown files in the
- The DeSEC plugin has new
DSCTokenandDSCTTLparams to avoid conflicts with the DNSimple plugin. The oldDSToken,DSTokenInsecure, andDSTTLparameters have been deprecated. - "Insecure" plugin parameter sets which include secrets, tokens, or passwords using a standard String instead of a SecureString or PSCredential have been deprecated across all plugins that had them.
- Deprecated means that they will continue to work in Posh-ACME 4.x, but will stop working when 5.0 is released.
- If you are currently using a deprecated parameter set, please migrate to a secure one when convenient.
- See your plugin's usage guide for more information.
- For help finding deprecated parameters in your config, see this guide
- The following plugins have added new "Secure" parameter sets:
- BlueCat
- Cloudflare
- DOcean
- Dreamhost
- Dynu
- EasyDNS
- GoDaddy
- NameCom
- Zonomi
- A
Pluginproperty has been added to the output objects returned byGet-PAPlugin <Plugin> -Params
- Fixed a parameter binding bug in New-PACertificate that could cause renewals to stall in some cases due to an interactive prompt.
- Fixed help for Export-PAAccountKey
- Servers, Accounts, and Orders all now have configurable Names that also determine the name of their associated folders in the config on the filesystem. (#345) This is a fairly large change, but significant effort has been spent implementing it so that dependent scripts will not break.
- Please backup your current config before customizing your object names. Previous Posh-ACME versions will break trying to read configs with custom names.
- All customized names may only use the following characters to avoid cross-platform filesystem compatibility issues:
0-9 a-z A-Z - . _ !. - A
NewNameparameter has been added toSet-PAServer,Set-PAAccount, andSet-PAOrderto change the name of each type of object. - Server related functions now have an optional
Nameparameter which can be used instead of or in addition to theDirectoryUrlparameter. This includesGet/Remove/Set-PAServer. - If a server doesn't already exist,
Set-PAServerwill use the-Nameparameter for the new server's name. If the server already exists, it is ignored. - Returned server objects now have
NameandFolderproperties. - Despite being able to customize Server names, you may still only have a single instance of each unique ACME server in your config. This may chang in a future major version.
- Account related functions that have an
IDparameter now have aNameparameter alias. This includesGet/Remove/Set-PAAccountandExport-PAAccountKey. The ID parameter should be considered deprecated and in future major versions will be replaced byName. - The
IDparameter was added toNew-PAAccountto allow setting the customized ID on creation instead of using the server provided default value. - Returned account objects now have a
Folderproperty and theidproperty now reflects the customizable value. - The
idproperty on account objects is deprecated and will be changed toNamein a future major version. - Order related functions now have an optional
Nameparameter to distinguish between multiple orders that may have the sameMainDomain. This includesGet/Revoke/New-PACertificate,Get/New/Set/Remove-PAOrder,Get-PAPluginArgs,Invoke-HttpChallengeListener, andSubmit-Renewal. In most cases, theNameparameter can also be used by itself as a unique identifier for orders. - The
Nameparameter onNew-PACertificateandNew-PAOrderallows setting the customized order name on creation instead of using the MainDomain default value. - Returned order objects now have a
Nameproperty (not to be confused withFriendlyNamewhich only affects the certificate associated with the order). - Order related error and log messages that previously mentioned the order's MainDomain have been changed to use the order's Name instead.
- To retain backwards compatibility with existing 4.x dependent scripts,
Get-PAOrderwill return the single, most recent order when used with-MainDomaineven if there are multiple matching orders. This also affectsGet-PACertificatewhich uses Get-PAOrder under the hood. Set-PAOrder,Revoke-PACertificate, andRemove-PAOrderwill throw an error if onlyMainDomainis specified and it matches multiple orders. Specify theNameparameter as well to ensure a unique order match.
- Custom plugins can now be loaded from an alternate filesystem location by creating a
POSHACME_PLUGINSenvironment variable before the module is loaded. The value should be a folder path that contains uniquely named .ps1 plugin files. If any custom plugins have the same name as native plugins, a warning will be thrown and they will not be loaded. - Added
New-PAAuthorizationwhich allows the creation of authorization objects outside the context of an order. NOTE: BuyPass is the only free ACME CA that currently supports this feature. - Added a
OnlyReturnExistingparameter toNew-PAAccountwhen using an imported key which instructs the ACME server to only return account details if an account already exists for that key. - Added a
NoSwitchparameter toSet-PAServerso you can modify the active server without switching to it. - The
AllSANsfield on PACertificate objects now reflects the SAN list on the actual certificate instead of its associated ACME order (just in case the two lists have divered for some strange reason). - Added missing help on
Get-PAPluginArgs. - Default formatting for PAServer objects has been tweaked to show more useful info.
- Default formatting for PAOrder object now includes
Nameand has removedOSCPMustStaple. - The
Quietparameter has been removed from theGet-PAServer -Listparameter set because it didn't make sense. - Fixed an example in
Remove-PAServerhelp. - Added workaround for BuyPass bug that prevents some error details from being parsed.
- Adjusted support for Account Key Rollover to more closely follow RFC8555 which fixes a bug using it with BuyPass
- Changed some logic in
Revoke-PACertificateso that it works with BuyPass which doesn't seem to support revocation using the cert's private key. - Orders using an ECC private key will no longer include Key Encipherment in the CSR's keyUsage when submitting an order for finalization. Key Encipherment is not supported for ECDSA certs and some CAs were rejecting the finalization.
- Added new DNS plugins
- Revoke-PACertificate no longer requires a configured account when using an explicit cert/key (#361)
- Fixed Aurora plugin for edge case bug with PowerShell Core (#353)
- Fixed DirectoryUrl completers in PS 5.1 when no servers currently exist.
- Fixed unauthenticated updates with RFC2136 plugin (#360) (Thanks @dsbibby)
- Refactored Simply plugin to be IDN agnostic and redact API keys from logging (#352)
- ACME errors from New-PAAccount should be less ugly now.
- Added new DNS plugins
- Added new function
Revoke-PACertificatewhich provides more options for cert revocation including the ability to revoke certs not created with other clients or ACME accounts if you have the private key. - Added
ManualNonInteractiveswitch to the Manual plugin to suppress the interactive prompt after showing the TXT record details that need to be created. (Thanks @hhhuut) - Added additional guidance in the plugin dev guide.
- Optimized module load time by pre-caching native plugin details.
- Fixed support for IDN domains in Simply plugin (Thanks @Norskov)
- Fixed Azure plugin bug when DnsAlias matches the zone apex. (#348)
- Fixed Azure plugin to support IMDS auth within Azure Automation. (#349)
- Fixed tests for Pester 5.2
- Added new DNS plugins
- Constellix
- All-Inkl (Thanks @astaerk)
- Easyname (Thanks @codemanat)
- Added
Folderproperty to Get-PAOrder output - Added
KeyFileparameter to New-PAOrder to allow importing an existing private key
- Fixed New-PACertificate not using the previous order's KeyLength value if it exists and wasn't overridden by an explicit parameter value. (#326)
- Fixed
Submit-Renewalnot sending all previous order parameters toNew-PACertificate(#326) (Thanks @juliansiebert) - Fixed module load errors for some environment with older .NET Framework versions.
- Fixed Route53 plugin to check for pre-imported AWS module (#324)
- Fixed telemetry ping not respecting DisableTelemetry option in
Set-PAServer - Telemetry ping no longer uses
Start-Jobwhich should avoid errors when running in Azure functions and other scenarios where PowerShell is hosted within another application.
- PreferredChain selection logic has been updated to consider "distance from root" as a way to break ties when the specified CA subject is found in multiple chains. Chains with the CA closer to the root take precedence over ones with it further away. (#315)
CFTokenReadAllandCFTokenReadAllInsecurehave been removed from the Cloudflare plugin because they are no longer needed. Cloudflare fixed the API bug that made them necessary when using edit tokens scoped to a specific zone or zones. No user action is required if you were previously using these parameters. They will simply be ignored.- HTTP call detail has been changed from Verbose to Debug output in Cloudflare and Route53 plugins.
- Fixed CSR handing for CSRs that have no attributes (#317) (Thanks @methorpe)
- Fixed Route53 plugin compatibility with older versions of the AWSPowerShell module (#318)
Many plugins have optional parameter sets that use "Insecure" versions of the primary SecureString or PSCredential parameters due to bugs in early versions of PowerShell 6 that prevented using them on non-Windows OSes. Those bugs have been fixed since PowerShell 6.2 and the insecure parameter sets should be considered deprecated and will likely be removed in the next major version (5.x) of Posh-ACME. Individual plugin usage guides will slowly be updated over the course of 4.x to warn about the specific parameter deprecations.
- Added new DNS plugins
- Infomaniak (Thanks @Sundypha)
- Zilore
- Added
ACMEUrioption to AcmeDns plugin which allows specifying the complete URI instead of just the hostname. (Thanks @AvrumFeldman)
- Compatibility updates for RFC2136 plugin (#308)
- Now uses exit code from nsupdate instead of output parsing to determine success and avoid possible language inconsistencies (#307)
- Added optional DDNSZone param to avoid initial SOA lookup that breaks in some environments (#307)
- Removed UnoEuro plugin because API endpoint is no longer functional. Users should switch to the Simply plugin. (#303)
- Moved HTTP call detail from Verbose to Debug output for Infoblox plugin
- Fixed partial zone matching bug for Domeneshop plugin (#305)
- Fixed
Submit-Renewal -AllOrdersso it no longer skips invalid or pending orders
There is a 3.x to 4.x migration guide in the FAQ on the wiki. But no changes should be necessary for users with existing certs that are renewing using Submit-Renewal unless they were also using the -NewKey parameter which has been removed. Orders can now be configured to always generate a new private key using Set-PAOrder -AlwaysNewKey.
- The DNS plugin system has been revamped to support both dns-01 and http-01 challenges. (#124)
- All existing DNS plugins have been upgraded to the new plugin format. See the README in the plugins folder for details and instructions on how to upgrade your own custom plugins.
- There are two new http-01 challenge plugins called
WebRootandWebSelfHost. See their usage guides for details.
- Plugin args are now saved per-order rather than per-account and as JSON rather than XML.
- This has the side effect that new orders using the same plugin(s) as a previous order will no longer reuse the previous args.
- Added
Get-PAPluginArgswhich returns a hashtable with the plugin args associated with the current or specified order. You can use this to retrieve another order's plugin args and use that object with your new order. - Pre-4.x plugin args will be automatically migrated to per-order plugin args the first time an account is selected using
Set-PAAccountor on module load for the last selected account. The old file will be backed up with a ".v3" extension in case you need to revert.
- Portable, Cross-Platform encryption is now supported for secure plugin parameters on disk and can be configured on a per-account basis. It is based on a 256-bit AES key generated for the account. This makes it possible to migrate a Posh-ACME config between users, machines, or OSes without needing to re-configure secure plugin args. (#150)
- To enable, set the
UseAltPluginEncryptionswitch onNew-PAAccountorSet-PAAccount. This will immediately re-encrypt plugin args for all orders associated with the account. - To disable/revert, run
Set-PAAccount -UseAltPluginEncryption:$false. - If you believe the encryption key has been compromised, use
Set-PAAccount -ResetAltPluginEncryptionto generate a new key and re-encrypt everything.
- To enable, set the
Get-PAPluginis a new function that replacesGet-DnsPluginsandGet-DnsPluginHelp.- With no parameters, lists all plugins and their details
- With a plugin parameter, shows the details for just that plugin
- With a plugin and
-Help, shows the plugin's help - With a plugin and
-Guide, opens the default browser to the plugin's online guide - With a plugin and
-Params, displays the plugin-specific parameter sets (#151)
- Added
AlwaysNewKeyswitch toNew-PACertificate,New-PAOrder, andSet-PAOrder. This flag tells Posh-ACME to always generate a new private key on renewals. The old parameters for key replacement have been removed. (#181) - Added
UseSerialValidationswitch toNew-PACertificate,New-PAOrder, andSet-PAOrder. This flag tells Posh-ACME to process the order's authorization challenges serially rather than in parallel. This is primarily useful for providers like DuckDNS that only allow a single TXT record to be written at a time. - Added
Complete-PAOrderwhich does the final processing steps like downloading the signed cert and updating renewal window for an order that has reached the 'ready' state. This avoids the need to useNew-PACertificatewhen doing custom certificate workflows. - The PfxPass parameter on order objects is now obfuscated when serialized to disk. (#207)
- Added
PfxPassSecure(SecureString) parameter toNew-PACertificate,New-PAOrder, andSet-PAOrderwhich takes precedence overPfxPassif specified. (#207) - Added
DnsAliasandOCSPMustStapleparameters toSet-PAOrder. Changing an order's OCSPMustStaple value will throw a warning that it only affects future certificates generated from the order. - Added
Plugin,PluginArgs,DnsAlias,DnsSleep, andValidationTimeoutparameters toNew-PAOrder. - The
DirectoryUrlparameter inSet-PAServeris now optional. If not specified, it will use the currently active server. - An attempt will now be made to send anonymous telemetry data to the Posh-ACME team when
Submit-OrderFinalizeis called directly or indirectly.- The only data sent is the standard HTTP User-Agent header which includes the Posh-ACME version, PowerShell version, and generic OS platform (Windows/Linux/MacOS/Unknown).
- This can be disabled per ACME server using a new
DisableTelemetryparameter inSet-PAServer. - The data will be used to guide future development decisions in the module.
- The same User-Agent header is also sent with all calls to the ACME server which is a requirement of the protocol and can't be disabled.
- Added
NoRefreshswitch toSet-PAServerwhich prevents a request to the ACME server to update endpoint and nonce info. This is useful for updating local preferences without making a server round-trip. - BUYPASS_PROD and BUYPASS_TEST are now recognized shortcuts for the the buypass.com CA environments when you use
Set-PAServer. - ZEROSSL_PROD is now a recognized shortcut for the zerossl.com CA when you use
Set-PAServer. - Added tab completion for
DirectoryUrlinSet-PAServer. - Added
Quietparameter toGet-PAServerwhich will prevent warnings if the specified server was not found. Remove-PAServerwill now throw a warning instead of an error if the specified server doesn't exist on disk.- Orders can now be passed by pipeline to
Submit-ChallengeValidationandSubmit-OrderFinalize. - ACME protocol web request details have been moved from Verbose to Debug output and cleaned up so they're easier to follow. Web requests made from plugins will still be in Verbose output for the time being.
- Experimental support for IP address identifiers (RFC 8738) in new orders. This allows you to get a cert for an IP address if your ACME server supports it.
- Private keys for Accounts and Certificates can now use ECC P-521 (secp521r1) based keys using the
ec-521key length parameter. This requires support at the ACME server level as well.
- Function Changes
Publish-DnsChallengeis nowPublish-ChallengeUnpublish-DnsChallengeis nowUnpublish-ChallengeSave-DnsChallengeis nowSave-ChallengeGet-DnsPluginsandGet-DnsPluginHelphave been replaced byGet-PAPluginGet-PAAuthorizationsis nowGet-PAAuthorization. The plural function name is still avaialble as an alias but is deprecated and may be removed in a future release.Invoke-HttpChallengeListeneris deprecated and may be removed in a future release. Users should migrate to theWebSelfHostplugin.
- Parameter Changes
- All
DnsPluginparameters are nowPluginwith aDnsPluginalias for backwards compatibility. The alias should be considered deprecated and may be removed in a future release. - The
NoPrefixswitch in Publish/Unpublish-Challenge has been replaced with aDnsAliasparameter that will override theDomainparameter if specified. "_acme-challenge." will not be automatically added to theDnsAliasparameter. NewKeyhas been removed fromSubmit-RenewalNewKey/NewCertKeyhave been replaced byAlwaysNewKeyinNew-PACertificateandNew-PAOrderAlwaysNewKeyhas been added toSet-PAOrderDnsPlugin,PluginArgs,DnsAlias,DnsSleep,ValidationTimeoutandAccountparameters have been removed fromSubmit-ChallengeValidation. The account associated with the order must be the currently active account. The rest of the parameters are read directly from the order object and can be modified in advance withSet-PAOrderif necessary.Accountparameter has been removed fromSubmit-OrderFinalize. The account associated with the order must be the currently active account.
- All
- Using
Get-PAOrderwith-Refreshwill no longer throw a terminating error if the ACME server returns an error. It will warn and return the cached copy of the order instead. - Fixed
Remove-PAServernot being able to remove a server that is unreachable. Remove-PAServerno longer requires confirmation when there are no cached accounts associated with the specified server in the local config.
- Azure plugin now supports other Azure cloud environments via the
AZEnvironmentparameter. Supported values areAzureCloud(Default),AzureUSGovernment,AzureGermanCloud, andAzureChinaCloud. (#293) (Thanks @InKahootz) - Fixed parameter binding and other bugs in Simply plugin. (#294)
- Added new DNS plugin Simply who recently changed their name from UnoEuro. Existing users of the UnoEuro plugin should migrate to the Simply plugin as soon as possible because the UnoEuro plugin may stop working if they decommission the old API endpoint.
- Warnings have been added to the UnoEuro plugin to inform users about migrating to Simply.
- Updated DNSPod plugin to work with their recent API changes. Existing users will need to generate a new API key from the management console and update the plugin args for their orders. See the usage guide for details.
- Fixed a bug in
New-PAAccountwhen the account location URI had query parameters. (Thanks @KaiWalter)
- Upgraded BouncyCastle to 1.8.8.2 for version parity with Az.KeyVault to prevent module load errors in PowerShell 6+
- Fixed DuckDNS plugin file locations in .NET 4.6 fork.
- Added new DNS plugin DuckDNS. Note that due to provider limitations, this plugin can only normally be used for certs with a single name unless you workaround the limitation with custom scripting. See the usage guide for details.
- Fixed an example in
Export-PAAccountKeyhelp. - Added code to detect 4.x configs and gracefully revert in case folks need to downgrade after upgrading to 4.x when it comes out.
- NOTE: Let's Encrypt is now restricting RSA private key sizes to 2048, 3072, and 4096 for certificates. But Posh-ACME will continue to allow custom key sizes which may still work with other certificate authorities.
New-PAAccountandSet-PAAccount -KeyRollovernow have a-KeyFileparameter that can be used to import an existing private key instead of generating a new one from scratch.- Added
Export-PAAccountKeywhich can be use to export your ACME account private key as a standard Base64 encoded PEM file.- For Boulder-based CAs, this can be used to recover lost ACME account configurations if you run
New-PAAccountwith the-KeyFileparameter and specify the exported key.
- For Boulder-based CAs, this can be used to recover lost ACME account configurations if you run
- Updated Zonomi plugin to support alternative providers who use a compatible API. (#282)
- Fixed a bug in OVH plugin that would prevent TXT record deletion in some cases. (#283)
- Fixed a bug in many plugins that would prevent TXT record editing when the record name was also the zone root (#280) (Thanks @ShaBangBinBash)
- Fixed tutorial syntax error (#277) (Thanks @Leon99)
- Fixed errors in
Get-PAAuthorizationswhen returned object has no 'expires' property. (#276) (Thanks @mortenmw) - Changed bad nonce retry message from Debug to Verbose so people using PowerShell's transcript features will see it more easily.
- A generic platform value has been added to the user agent string the module sends with its ACME requests.
- Tests have been updated for use with Pester v5. Running them in a dedicated PowerShell process is recommended.
- Added new DNS plugin NameSilo (Thanks @rkone)
- Added Preferred Chain support
- There is a new
-PreferredChainparameter onNew-PACertificate,New-PAOrder, andSet-PAOrder. - For new or existing orders, you may select an alternate CA chain based on the Issuing CA subject name if alternate chains are offered by the CA.
- Example:
-PreferredChain 'ISRG Root X1'
- There is a new
- Fixed a bug with
Submit-Renewalthat wasn't properly using-PluginArgsand-NoSkipManualDnsparameters when-AllOrdersor-AllAccountsswitches were also used (#266 #275). (Thanks @f-bader) - deSEC plugin has added retry logic to address API throttling issues for certs with many names (#275).
- Fixed a bug with Azure plugin when using
AZCertPfxauthentication from Windows.
- Fixed Route53 trying to load AWSPowerShell module when not installed (#263)
- Added new DNS plugin DomainOffensive (Thanks @Armitxes)
New-PAAccountnow hasExtAcctKID,ExtAcctHMACKey, andExtAcctAlgorithmparameters to support Certificate Authorities that require external account binding. Look for a guide in the wiki soon.- Added support for the new AWS.Tools modules when using Route53.
- Added support for more restricted API permissions when using OVH. It's now possible to only grant write access to a specific list of zones or even individual TXT records. See the usage guide for details.
- Added pre-registration support for AcmeDns. See the usage guide for details.
- Fixed a bug with GoDaddy that prevented managing DNS-only hosted domains.
- Added new DNS plugin Hetzner (Thanks @derguterat)
- Fix for Google DNS plugin to ignore private zones. (Thanks @timwsuqld)
- Fix for Azure usage guide for using existing access token. (Thanks @arestarh)
- Fix for RFC2136 plugin which makes it usable for records other than the root domain.
- Added new DNS plugins
- Akamai
- DNSPod (Thanks @WiZaRd31337)
- Loopia
- PointDNS (Thanks @danielsen)
- Reg.ru (Thanks @WiZaRd31337)
- RFC2136
- Selectel.ru (Thanks @WiZaRd31337)
- Yandex (Thanks @WiZaRd31337)
- When creating a new order, chain.cer and fullchain.cer are now backed up along with the other files.
- Added a workaround for non-compliant ACME server Nexus CM (#227)
- Various usage guide corrections. (Thanks @webprofusion-chrisc)
- Fixed a bug where New-PACertificate required the
-Forceparameter if the previous order was deactivated. - Fixed the dev install script to account for a redirected Documents folder.
- Minor changes to how Gandi plugin works to address potential edge case bugs.
Set-PAOrdernow has-DnsPluginand-PluginArgsparameters to allow changing plugins and associated credentials prior to a renewal operation.- Upgraded BouncyCastle library to version 1.8.5.2 and renamed the DLL to avoid conflicts with older copies that may get installed into the .NET GAC by other software.
- ACME server errors returned during calls to
Revoke-PAAuthorizationare now non-terminating errors rather than warnings. - Fixed bug where new orders created with
New-PACertificateand no explicit plugin wouldn't get the Manual default if the account was already authorized for the included names. - Fixed
Get-PAAuthorizationswhen using explicit account reference - Fixed datetime parsing issues on non-US culture environments (#208)
- Fixed errors thrown by
Submit-Renewalwhen run against an order with a null DnsPlugin. A warning is now thrown instead. - Fixed parameter binding error when using
-PluginArgswithSubmit-Renewal - Fixed HurricanElectric guide's parameter references
- Fixed Azure tests
- Added
Revoke-PAAuthorizationwhich enables revocation of identifier authorizations associated with an account. Get-PAAuthorizationsnow has an optional -Account parameter and better error handling.Get-PAAuthorizationhas been added as an alias forGet-PAAuthorizationsto better comply with PowerShell naming standards. It will likely be formally renamed in version 4.x and the old name should be considered deprecated. This change should allow dependent scripts to prepare for that change in advance.Install-PACertificatenow supports parameters to select the store name, location, and the exportable flag.- Workaround for Boulder issue that doesn't return JSON error bodies for old endpoints.
- Fixed bug creating new orders with a changed KeyLength value that was preventing the required new private key from being created.
- Added new DNS plugin HurricaneElectric
- Azure plugin now supports certificate based authentication. See the plugin guide for details. (#190)
- Setup examples in the Azure plugin guide now utilize the Az module rather than the legacy AzureRm.* modules. (#189)
- Fix for "No order for ID" errors caused by recent Boulder changes that no longer return order details for expired orders. (#192)
- Fixed being unable to switch active orders if an error occurred trying to refresh the order details from the ACME server.
- Added additional guidance on renewals and deployment to the tutorial.
- Added new DNS plugin UnoEuro (Thanks @OrKarstoft)
- Fix for Cloudflare plugin not working properly when limited scope token didn't have at least read permissions to all zones on an account. To use an edit token with limited zone permissions, you must now also specify a secondary token with read permissions to all zones. See the plugin guide for details. (#184)
- Fix for PropertyNotFound exception when imported plugin data is null or not the expected hashtable value (#182)
Set-PAOrdernow supports modifying some order properties such as FriendlyName, PfxPass, and the Install switch that don't require generating a new ACME order. FriendlyName or PfxPass changes will regenerate the current PFX files with the new value(s) if they exist. Changes to the Install switch will only affect future renewals.- Fixed FriendlyName, PfxPass, and Install parameters not applying when calling
New-PACertificateagainst an existing order (#178) - Fixed GoDaddy plugin so it doesn't fail on large accounts (100+ domains) (#179)
- Updated Cloudflare plugin to workaround API bug with limited scope tokens (#176)
- Fixed DnsSleep and ValidationTimout being null when manually creating an order with
New-PAOrderand finishing it withNew-PACertificate. - Added parameter help for -NewKey on
New-PAOrderwhich was missing. - When using
New-PACertificateagainst an already completed order that is not ready for renewal, the informational message has been changed to Warning from Verbose to make it more apparent that nothing was done. - Updated
instdev.ps1so it still works when the BouncyCastle DLL is locked and $ErrorActionPreference is set to Stop. - Updated a bunch of plugin guides with info regarding PowerShell 6.2's fix for the SecureString serialization bug and enabling the use of secure parameter sets on non-Windows.
- Submit-Renewal now has a PluginArgs parameter to make it easier to update plugin credentials without needing to create a new order from scratch. (Thanks @matt-FFFFFF)
- The FriendlyName parameter in New-PACertificate and New-PAOrder now defaults to the certificate's primary name instead of an empty string to avoid a Windows bug that can occur when installing the generated PFX files.
- Fixed Windows plugin issue when using WinZoneScope and not all zones have that scope (#168)
- Fixed an internal bug with Export-PACertFiles that luckily didn't cause problems due to PowerShell variable scoping rules.
- Fixed a typo in the Cloudflare guide examples. (Thanks @mccanney)
- Added new DNS plugins
- Domeneshop (Thanks @ornulfn)
- Dreamhost (Thanks @jhendricks123)
- EasyDNS (Thanks @abrysiuk)
- FreeDNS (afraid.org)
- Added
Invoke-HttpChallengeListenerfunction (Thanks @soltroy). This runs a self-hosted web server that can answer HTTP challenges. Look for a wiki usage guide soon. - Added
Remove-PAServerfunction. Warning: This deletes all data (accounts, orders, certs) associated with an ACME server. - Added
Install-PACertificatefunction. This can be used to manually import a cert to the Windows cert store. (#159) - Added support for Cloudflare's new limited access API Tokens. See usage guide for details.
- Added support for propagation polling with ClouDNS plugin. See usage guide for details.
- Fixed edge case zone finding bug with ClouDNS plugin.
- Fixed DOcean (Digital Ocean) plugin which broke because they now enforce a 30 sec TTL minimum on record creation.
- Fixed overly aggressive error trapping in OVH plugin. (#162)
- Fixed a typo in the OVH plugin usage guide.
- Fixed SkipCertificateCheck is no longer ignored when passing a PAServer object via pipeline to Set-PAServer.
- Fixed
Submit-ChallengeValidationno longer tries to sleep when DnsSleep = 0. - Some internal refactoring.
- Added new DNS plugin for Simple DNS Plus (#149) (Thanks @alphaz18)
- Changed a bunch of "-ErrorAction SilentlyContinue" references to "Ignore" so we're not filling the $Error collection with junk.
- Fix for Boulder removing ID field from new account output.
- Fixed an issue in a number of plugins that could cause errors if the case of the requested record didn't match the server's zone case. (Thanks @Makr91)
- Fixed a bug with the Route53 plugin when used on PowerShell Core without the AwsPowerShell module installed.
- Fixed some typos in the OVH plugin usage guide examples (#147)
- Added new DNS plugin for OVH (#79)
- Added ZoneScope support to Windows plugin (#134) (Thanks @dawe78)
- Fixed issue #139 with GCloud plugin prompting for GCKeyFile after upgrading to 3.3.0. Users affected by this issue will need to submit a new cert request to re-establish the GCloud plugin config.
- Fixed issue #140 with AcmeDns plugin losing registration data after upgrading to 3.3.0. Users affected by this issue will need to submit a new cert request to re-establish the AcmeDns plugin config and it will likely involve updating any CNAME records currently in use.
- Route53 plugin now has IAM Role support if you're running Posh-ACME from within AWS. See plugin usage guide for details (#128)
- Dynu plugin migrated to v2 of the Dynu API
- Fixed DNSPlugin and DNSAlias arrays not getting expanded properly when the number of names in the cert didn't match the values in those arrays.
- Fixed validation bugs when using SAN certs with challenge aliases or multiple different plugins (#127) (Thanks @whbingham)
- Revamped serialization/deserialization for plugin arguments which should prevent accidentally creating parameter binding conflicts when switching between parameter sets for a particular plugin (#129).
- Fix #122 to make sure private keys are imported properly when using
-Install - Improve error handling for duplicate public zones in Azure. (#125)
- Add tag based workaround for duplicate public zones in Azure. (#125)
- Added new DNS plugin for name.com registrar (Thanks @ravensorb)
- Added additional argument completers for Account IDs, MainDomain, and KeyLength parameters
- The Posh-ACME config location can now be set by creating a
POSHACME_HOMEenvironment variable. The directory must exist and be accessible prior to importing the module. If you change the value of the environment variable, you need to re-import the module with-Forceor open a new PowerShell session for the change to take effect. - Added better error handling for cases where the config location is not writable.
- Get-PACertificate now returns null instead of throwing an error if the cert or associated order doesn't exist
- Fixed the ability to revoke a certificate after the associated order has expired
- Fix for #117 involving broken renewal processing on PowerShell Core in non-US locales
- Fixes for additional DateTime handling on PowerShell Core
- Fixed typo in Route53 plugin that prevented finding the AwsPowershell module
- The following plugins have added non-Windows OS support or extended their existing support. Check the plugin guides for details.
- Azure
- DNSimple
- Infoblox
- Linode
- LuaDns
- NS1
- Route53
- Route53 plugin no longer requires AwsPowershell module when used with explicit keys. It will still use the module if it's installed.
- Added tab completion for plugin names with
Get-DnsPluginHelp - Fix #112 for Azure and errors with private zones and subscriptions with more than 100 zones
- Fix for #110
Submit-Renewalwith -AllOrders or -AllAccounts fails to renew orders with invalid status. (Thanks @jeffmnall!) - Fix for #109
New-PACertificatethrows an error if -DnsPlugin is not specified rather than defaulting to Manual. (Thanks @TiloGit!) - Fix internal BouncyCastle to .NET private key conversions where key parameters may need padding. (Thanks @alexzorin and @webprofusion-chrisc!)
- Potentially breaking changes
- Many ACME protocol messages that previously used GET requests have been changed to POST-as-GET to comply with the latest ACME draft-16. Let's Encrypt already supports the new draft, but other ACME servers may not yet.
CertIssueTimeoutparam was removed fromNew-PACertificateandSubmit-OrderFinalizebecause it wasn't actually being used properly in the former and doesn't seem necessary anymore.
- New Feature: Generate certs from an existing certificate request which can be useful for appliances that generate their own keys and CSRs. (Thanks @virot)
- New
CSRPathparameter onNew-PACertificateandNew-PAOrderthat removes the need forDomain,CertKeyLength,NewCertKey,OCSPMustStaple,FriendlyName,PfxPass, andInstallparameters when used. Most values will be extracted from the CSR. - Certs generated using this method will not have PFX files created because there is no private key.
- Certs generated using this method can not be automatically installed to the Windows cert store because there are no PFX files.
- New
Get-KeyAuthorizationnow hasForDNSparameter which returns the actual TXT value necessary for the dns-01 challenge. (Thanks @chandan1001)- Added new DNS plugins
- IBMSoftLayer (IBM Cloud DNS)
- AutoDNS (InternetX XML Gateway)
- Fix for some validation params not getting set properly on new instances of old orders
- Fix for Windows plugin not using
$dnsParamsappropriately (Thanks @B4dM4n)
- Fix (#94) for TXT record cleanup bug when some domains were already validated (Thanks @philr!)
- Fix (#95) error handling in New-PACertificate and New-PAOrder that would mistakenly cause new orders to be created if there were problems checking old orders. (Thanks @philr!)
- Azure fix (#96) to allow special characters in credentials. (Thanks @philr!)
- Route53 fix for errors caused by public/private zones with same name (#100) (Thanks @spaceygithub!)
- Added new DNS plugins
- BlueCat (Thanks @marshallford)
- Gandi
- Updated DMEasy plugin to support non-Windows
- Added new DNS plugins
- Aliyun (Alibaba Cloud)
- DeSEC (Thanks @nazar554)
- Fix for type error when using OCSP Must-Staple (Thanks @casselc)
- Parameter binding bug fixes for Azure and Windows plugins (Thanks @mithrandyr)
- Removed ACMEv2 draft-12 support for account key rollover. No known CAs are still implementing draft-12.
- Fix for issue #53 with GoDaddy plugin not being able to remove TXT records in some cases. Thanks @davehope!
- Performance and efficiency improvements with GoDaddy plugin
- Fixed Get-PACertificate -List only showing certs from 'valid' orders.
- Added new DNS plugin ClouDNS
- Added ACMEv2 draft-13 support for account key rollover. This is an interim fix that should still work with draft-12 as well. Once Let's Encrypt goes into production with draft-13, the draft-12 support will be removed.
- .NET version check now throws a warning instead of error on module load
- Fixed Get-PAAccount not filtering contacts correctly
- Minor fix and help correction in Namecheap plugin
- Get-PAAccount and Get-PAOrder now return null instead of an error if an invalid account or order was specified. (Thanks for the idea @maybe-hello-world)
- Added additional functions that should make it easier to manually respond to challenges. In particular, this should allow people to use the HTTP challenge until a formal HTTP challenge plugin solution is introduced. (Thanks John B. for the idea!)
Get-KeyAuthorizationcalculate a key authorization string for a challenge token.Send-ChallengeAcknotifies the ACME server to proceed validating a challenge.- The output object on
Get-PAAuthorizationsnow contains top level attributes relating to the HTTP challenge (in addition to the existing DNS challenge).
- Added new DNS plugins
- Namecheap
- Rackspace
- Migrated all internal DateTime handling to use DateTimeOffset which is less finicky across time zones for the types of comparisons generally being performed.
- Added new DNS plugin Dynu. (Thanks @alexzorin!)
- Added additional Azure plugin authentication options including explicit access token and Instance Metadata Service support. See plugin readme for details. (Thanks @perbergland!)
- Added an explicit .NET 4.7.1 version check on module load when running Windows PowerShell (Desktop edition) since the module manifest didn't seem to be enforcing it. This will throw an error if you try to import the module without at least .NET 4.7.1 installed and hopefully prevent bug reports due to insufficient .NET versions.
- Fixed bug with GoDaddy plugin (#50) that prevented using names in sub-domains. (Thanks @davehope!)
- Fixed bug with Azure plugin (#57) incorrectly evaluating token expiration. (Thanks @Cavorter!)
- Fixed bug (#60) that would cause some order parameters to appear to get wiped when renewing or creating a new order whose names had already been validated. (Thanks for the tip @hutch120!)
- Various readme tweaks
- Added new DNS plugin Linode
- Added tab completion for
Pluginparam onPublish/Unpublish/Save-DnsChallenge - Fixed bug renewing orders with status invalid (which happens when the order expires even if the cert is still valid)
- Fixed bug in
New-PACertificatethat wasn't using explicitDnsSleepandValidationTimeoutparameters when an old order existed for the same primary name.
- Added new DNS plugins
- DNSimple
- LuaDns
- NS1
- Challenge validation errors will now show the detailed error message provided by the ACME server
- Get-PAAuthorization will now throw a warning instead of errors for expired authorizations
- Fixed bug with Infoblox plugin
- Fixed error with Get-PACertificate on orders created prior to 2.0
- Misc fixes for plugin help details
- Added cross platform PowerShell Core support!
- Some DNS plugins don't work yet on non-Windows due to known issue handling SecureString PowerShell Core 6.0. Check details on the project wiki.
-Installparam onNew-PACertificatethrows error on non-Windows because there's no certificate store to install to.Windowsplugin doesn't work in Core at all yet due to lack of Core compatible DnsServer module.
- Added new DNS plugin Zonomi. Thanks @Zippy79!
- Fix for GCloud plugin syntax error
- Added account key rollover support. Use -KeyRollover switch in Set-PAAccount.
- Added PfxPass (SecureString) to Get-PACertificate output
- Added new DNS plugins
- DMEasy (DNS Made Easy)
- GoDaddy. Thanks @Rukas!
- All calls to Invoke-WebRequest and Invoke-RestMethod now use -UseBasicParsing to avoid issues with PowerShell using Internet Explorer's DOM parser. Thanks @Rukas!
- Fixed hard coded cert store paths in Import-PfxCertInternal
- Fixed tests for New-Jws
- Fix for PluginArgs not being passed to Submit-ChallengeValidation. Thanks @juliansiebert!
- Fix for Azure plugin when multiple zones are in a subscription. Thanks @juliansiebert!
- Potentially Breaking Changes
- New-PACertificate now outputs certificate details to the pipeline which should aid automation
- New-PACertificate now reuses all previous order params (for the same MainDomain) when not explicitly specified
- All generated PFX files now have 'poshacme' as the default password to address compatibility issues with other tools
- New-PACertificate now generates fullchain.pfx in addition to cert.pfx
- Added optional parameters to New-PACertificate
-FriendlyNamesets Friendly Name when imported into Windows certificate store-PfxPassoverrides the default password for generated PFX files-Installswitch imports fullchain.pfx to Windows certificate store. Requires elevation
- Added new DNS plugins
- DOcean (Digital Ocean)
- Cloudflare. Thanks @rian-hout!
- Added Get-PACertificate which returns certificate details
- Added usage guides for most DNS plugins
- Added progress bar while waiting for DNS changes to propagate
- Old csr and chain files are no longer backed up when creating a new order
- Manual plugin now displays all records to create with one prompt
- Fixed AcmeDns plugin issue where CNAMEs would display twice user Ctrl-C from prompt
- Bugfix for Azure plugin (#17). Thanks @juliansiebert!
- New-PACertificate will no longer redownload certs when run with same arguments (#9)
- Added tab completion for -DnsPlugin parameter
- Added new DNS plugins
- Acme-Dns
- Azure
- GCloud (Google Cloud)
- Windows
- Initial Release
- Added functions
- Get-DnsPluginHelp
- Get-DnsPlugins
- Get-PAAccount
- Get-PAAuthorizations
- Get-PAOrder
- Get-PAServer
- New-PAAccount
- New-PACertificate
- New-PAOrder
- Publish-DnsChallenge
- Remove-PAAccount
- Remove-PAOrder
- Save-DnsChallenge
- Set-PAAccount
- Set-PAOrder
- Set-PAServer
- Submit-ChallengeValidation
- Submit-OrderFinalize
- Submit-Renewal
- Unpublish-DnsChallenge