anyone know how to automate Letsencrypt for older version 11 that requires .cer output
Question asked by Andy Paluch - 6/17/2020 at 6:51 AM
I have letsencrypt working on a legacy Smartermail 11 server but having issues automating the renewal of the .cer file. Some scripts I found tell you how to use Powershell to export a pfx file needed by newer versions of Smartermail, but 11 needs the format to be .cer and I can not find a script that will extract that from the Letsencrypt cert so I can use it for ports 993,995, and 465

Doing it manually works, but i would like to automate it so I don't have to remember to do it manually every 3 months. If anyone could point me to a link I would be very grateful.


5 Replies

Reply to Thread
Steve Norton Replied
Try the following, this will create a DER format certificate. Let me know if 11 is okay with that;
$Password = Read-Host -AsSecureString
$Pfx = "C:\SmarterMail\certificate.pfx"
$Cer = "C:\SmarterMail\certificate.cer"
Export-Certificate -Type CERT -Cert ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Pfx, $Password, "Exportable,PersistKeySet,MachineKeySet")) -FilePath $Cer

You can then use the following to securely script the export (this is securely tied to the user that creates the converted secure string);
$ConvertedSecureString = ConvertFrom-SecureString $Password
The HEX from $ConvertedSecureString can be added to your script e.g.
$ConvertedSecureString = e3f5a7b3................
$Password = ConvertTo-SecureString -string $ConvertedSecureString
The 2 lines above replaced the Read-Host line in the first set of commands.

Let me know how you get on,
Andy Paluch Replied
  Thanks for trying to help. Not very good at the whole powershell thing but I did create a file with the contents of the script you posted that ended with -FilePath $Cer

Ran the script and it just sits with the cursor blinking. Couple of questions I have about the variable $Pfx. Is this file created manually like from SSL.msc and then the variable points to it? Where  is the script getting the  certificate info from? May be too much of a noob to understand how its working.

Andy Paluch Replied
Marked As Answer
My server is a 2008 R2 and the Certficate cmdlet is not part of that OS

Found another example that will work with Windows 7 and 2008 Server and it works for me. Thanks for getting me pointed in the right direction

You can use following command to export certificate on your window 7 machine:
# command to list the all the certificate in your personal store and help you get the thumbprint you need
Get-ChildItem cert:\LocalMachine\My

$CertToExport = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "Copy the thumbprint of the cert you wanted to export"}

# Export The Targeted Cert In Bytes For The CER format
$CertToExportInBytesForCERFile = $CertToExport.export("Cert")

# Write The Files Based Upon The Exported Bytes
[system.IO.file]::WriteAllBytes("C:\Temp\CertToExportCERFile.CER", $CertToExportInBytesForCERFile)
Steve Norton Replied

Glad to hear you've made progress. In answer to your questions and for anyone reading this in the future;
1. The 'cursor blinking' is Read-Host waiting for the password to be entered if you are not using the ISE (using '$Password = Read-Host -Prompt "Enter PFX password" -AsSecureString' would have helped here)
2. The Pfx variable is to point at the PFX file that should be created as part of the Let's Encrypt process
3. To get the latest version of PowerShell on older operating systems, install the latest 'Windows Management Framework' package e.g. https://www.microsoft.com/en-us/download/details.aspx?id=54616

Andy Paluch Replied
Quick update about the solution I mentioned. The ThumbPrint for the LetsEncrypt cert changes at every renewal
Instead of using:

$CertToExport = dir cert:\LocalMachine\My | where {$_.ThumbPrint -eq "Copy the Thumbprinbt of the cert you wanted to export"}

use this instead:

$CertToExport = dir cert:\LocalMachine\My | where {$_.Subject -eq "CN=sslmail.acme.net"}

Reply to Thread