```powershell
#requires -version 4
<#
.SYNOPSIS
Gets the current Let's Encrypt certificate by domain from the given opnSense-Firewall via SCP.

.DESCRIPTION
Sync-Cert connects to the given opnSense-Router via SCP. It pulls the Let's Encrypt certificate and key for the given domain name, based on the common name,
into the local working directory. Afterwards it uses OpenSSL to convert the .cer and .key files into a new .pfx file which can be used in Exchange and IIS.

.PARAMETER CertificateDomain
Domain of the certificate to get from the firewall

.PARAMETER Router
Hostname or IP of the opnSense-Firewall

.PARAMETER Port
Port of the opnSense-Firewall (Default: 22)

.PARAMETER Keyfile
Filename of SSH-Keyfile to use for the secure connection to the firewall

.PARAMETER SCPUsername
If not using a keyfile, the username to connect with to the firewall (Default: root)

.PARAMETER SCPPassword
If not using a keyfile, the password to connect with to the firewall

.PARAMETER CertificatePassword
Password used by OpenSSL to protect the created .pfx certificate

.PARAMETER Out
If defined, the .pfx file will be named by the content of Out, otherwise it will be named by the given domain name

.PARAMETER Path
If defined, temporary files and the final .pfx will be put in this directory, otherwise the working directory is used

.OUTPUTS
Name of .pfx certificate file

.NOTES
Version: 1.1
Author: Maximilian
Creation Date: 2018-10-26
Purpose/Change: Initial script development

.EXAMPLE
Sync-Cert -Domain -Router -SCPUsername user4scp -SCPPassword password4scp -CertificatePassword password4certificate
#>

#---------------------------------------------------------[Script Parameters]------------------------------------------------------
Param (
    [Parameter(Mandatory = $true)][string]$CertificateDomain,
    [Parameter(Mandatory = $true)][string]$Router,
    [Parameter(Mandatory = $false)][int]$Port = 22,
    [Parameter(Mandatory = $false)][string]$Keyfile,
    [Parameter(Mandatory = $false)][string]$SCPUsername = "root",
    [Parameter(Mandatory = $false)][string]$SCPPassword,
    [Parameter(Mandatory = $false)][string]$CertificatePassword,
    [Parameter(Mandatory = $false)][string]$Out,
    [Parameter(Mandatory = $false)][string]$Path
)

# Set Error Action to Silently Continue
#$ErrorActionPreference = "SilentlyContinue"
# Set Error Action to Continue
$ErrorActionPreference = "Continue"

# Remote path of acme-client
$RemoteCertPath = "/var/etc/acme-client/home/$($CertificateDomain)"

# Setting the output directory
if ($Path) {
    $Directory = $Path
    $FullPath = $Path
} else {
    $Directory = "."
    $FullPath = Get-Location
}

# Setting the output filename
if ($Out) {
    $Outputfile = "$($Directory)\$($Out).pfx"
} else {
    $Outputfile = "$($Directory)\$($CertificateDomain).pfx"
}

#Dot Source required Function Libraries

#Import Modules & Snap-ins
Import-Module Posh-SSH

Function Get-CertificateFromOpnSense {
    Param ()

    Begin {
        # Posh-SSH expects a credential object for key-based logins as well (it supplies the
        # username), so build one with an empty SecureString when no password was given.
        if ($SCPPassword) {
            $SCPPWord = ConvertTo-SecureString -AsPlainText $SCPPassword -Force
        } else {
            $SCPPWord = New-Object System.Security.SecureString
        }
        $Credentials = New-Object System.Management.Automation.PSCredential ($SCPUsername, $SCPPWord)
    }

    Process {
        try {
            # Connect to opnSense
            if ($Keyfile) {
                # via Keyfile
                $opnsense = New-SFTPSession -ComputerName $Router -Port $Port -Credential $Credentials -KeyFile $Keyfile
            } else {
                # via username and password
                $opnsense = New-SFTPSession -ComputerName $Router -Port $Port -Credential $Credentials
            }
            # Change remote path to /var/etc/acme-client/home/$CertificateDomain
            Set-SFTPLocation -SFTPSession $opnsense -Path $RemoteCertPath
            # Get both certificate files, fullchain and the key
            Get-SFTPFile -SFTPSession $opnsense -LocalPath $Directory -RemoteFile "fullchain.cer"
            Get-SFTPFile -SFTPSession $opnsense -LocalPath $Directory -RemoteFile "$($CertificateDomain).key"
            # Setting environment variable for OpenSSL, needed for quiet output
            # Convert .cer and .key files to a .pfx file
            # Note: "-password pass:..." places the password on the command line, where other local
            # users can read it from the process list; OpenSSL also accepts env:VAR and file:PATH sources.
            $SSLOutput = [string] (& openssl.exe pkcs12 -export -inkey "$($Directory)\$($CertificateDomain).key" -in "$($Directory)\fullchain.cer" -out $Outputfile -password pass:$CertificatePassword)
            # Remove .cer and .key files
            Remove-Item "$($Directory)\fullchain.cer"
            Remove-Item "$($Directory)\$($CertificateDomain).key"
            # Close SFTP session
            Remove-SFTPSession -SFTPSession $opnsense | Out-Null
            return $Outputfile
        } catch {
            # Report the failure and make sure the SFTP session does not stay open
            Write-Error $_
            if ($opnsense) { Remove-SFTPSession -SFTPSession $opnsense | Out-Null }
        }
    }
}

# Run the sync and emit the path of the created .pfx
Get-CertificateFromOpnSense
```
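Added here as a worked example (not part of the gist): a check to run on the produced .pfx before it is imported into IIS or Exchange, confirming that the file carries a private key, names the requested domain, chains through the intermediates that openssl copied over from fullchain.cer, and is not close to expiry. The function name Test-SyncedPfx and its parameters are assumptions; the sample path and password in the final call are constructed.

```powershell
# Added example, not part of the gist; function and parameter names are assumed.
function Test-SyncedPfx {
    Param (
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$Password,
        [int]$MinDaysValid = 14
    )
    # Load the leaf plus the intermediates bundled in the PKCS#12 file
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($PfxPath, $Password, 'DefaultKeySet')
    $leaf = $coll | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17) and the CN
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($san) {
        $names = @(($san.Format($false) -split ',') | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    $cn = ($leaf.Subject -split ',') | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1
    if ($cn) { $names += $cn.Trim().Substring(3) }
    $parent = ($Domain -split '\.', 2)[-1]
    $nameOk = ($names -contains $Domain) -or ($names -contains "*.$parent")

    # Build the chain using only the bundled intermediates, so a missing one is noticed here
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    foreach ($c in $coll) {
        if ($c.Thumbprint -ne $leaf.Thumbprint) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    }
    $chainOk = $chain.Build($leaf)

    $daysLeft = [int]($leaf.NotAfter - (Get-Date)).TotalDays
    [PSCustomObject]@{
        Subject     = $leaf.Subject
        Thumbprint  = $leaf.Thumbprint
        DaysLeft    = $daysLeft
        NameMatches = $nameOk
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Ok          = $nameOk -and $chainOk -and ($daysLeft -ge $MinDaysValid)
    }
}

# Constructed sample call; stop a deployment when any check fails
$r = Test-SyncedPfx -PfxPath '.\mail.example.com.pfx' -Domain 'mail.example.com' -Password 'password4certificate'
if (-not $r.Ok) { Write-Error "Certificate check failed: $($r | Out-String)" }
```

Importing the collection briefly materialises the private key in the current user's key store, so run the check under the same account that will perform the IIS or Exchange import.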