The Let's Encrypt open certificate authority helps ensure that internet traffic is no longer transmitted in plaintext. It issues digital certificates for free, and in most instances the process is fully automated. On Windows, for example, you can automatically issue certificates from Let's Encrypt using PowerShell and AWS.

[Image: Issued certificate]

If you have followed the steps outlined in the linked article on using Let's Encrypt with PowerShell and AWS, you can then configure Azure Automation to handle the creation, validation and installation of a certificate on a firewall. Here is what you need to do.

Log into your Azure portal. Click on "Create a Resource" and search for Azure Automation.

[Image: Add Azure Automation]

You will need to enter information about the Automation account, including the location it will run in (the Azure datacenter geographic region) and the resource group.

In a separate browser window, go to the PowerShell Gallery and search for "Posh-ACME". In the results, select "Posh-ACME" and click on "Azure Automation" under "Installation Options", then click on "Deploy to Azure Automation".

[Image: Deploy to Azure Automation]

It will ask you which Automation account to import into. Choose the one created in the previous step, then click "OK". It may take a few minutes to import. Repeat this process for AWSPowerShell and Posh-SSH, making sure each deployment completes before moving to the next.

Create credential objects

Now you will create some credential objects, which are a way to securely store credentials in Azure Automation for use in runbooks. Under "Shared Resources", click on "Credentials", then click on "Add a Credential".

[Image: Modules gallery]

The name you enter is the descriptive name you will refer to in the runbook, so make sure it is descriptive enough that you know what it does.
I am creating a credential object to store my AWS Route 53 IAM credentials. I am also repeating the process to create credentials for the Fortinet router I want to connect to later.

[Image: Add a credential]

Create a runbook

Next, you will create a runbook. Under "Process Automation" select "Runbook" and click on "Create a runbook". You need to enter a runbook name, choose the type, which should be PowerShell, and then click on "Create". A runbook is essentially an instance of a PowerShell task.

[Image: Create a runbook]

Once the runbook is created, you are taken into the runbook editor, a page where you can edit your PowerShell code. First, you define the parameters you will need to request the certificate. Those are:

LE_Server
Domain
ChallengeDomain
Contact
AWSCredential

LE_Server can be either "Stage" or "Production". The staging server is used for testing: it lets you request many certificates, but they are issued by a certificate authority that browsers do not trust. The production server issues browser-trusted certificates but is limited to a number of requests per week.

Domain is the common name (CN) you want your certificate to be issued for. ChallengeDomain is the fully qualified domain name (FQDN) of the CNAME record created in the article on using Let's Encrypt with PowerShell and AWS. Contact is the email address you are using for notifications about the certificate. AWSCredential is the name of the credential object you stored your IAM credentials in.

[Image: Runbook request certificate]

You can click on "Test Pane" to do a test run of the code. The Azure portal reads your code and prompts you to enter the parameters you specified in the runbook.
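The request step as a complete runbook, written as an added example rather than the author's own code. It assumes Posh-ACME is imported into the Automation account and that the credential object named by $AWSCredential stores the IAM access key as its user name and the IAM secret key as its password.

```powershell
# Added example (not the author's runbook): an Azure Automation PowerShell runbook
# that requests a certificate with Posh-ACME via its Route53 DNS plugin, using a
# CNAME alias for the challenge record. Assumes Posh-ACME is imported into the
# Automation account and that the credential object named by $AWSCredential holds
# the IAM access key as UserName and the IAM secret key as Password.
param(
    [Parameter(Mandatory)][ValidateSet('Stage', 'Production')][string]$LE_Server,
    [Parameter(Mandatory)][string]$Domain,           # common name for the certificate
    [Parameter(Mandatory)][string]$ChallengeDomain,  # FQDN the _acme-challenge CNAME points at
    [Parameter(Mandatory)][string]$Contact,          # e-mail for expiry notifications
    [Parameter(Mandatory)][string]$AWSCredential     # name of the Automation credential object
)

$ErrorActionPreference = 'Stop'

# Staging for testing (issuer not browser-trusted, generous limits); production for real use.
$server = if ($LE_Server -eq 'Stage') { 'LE_STAGE' } else { 'LE_PROD' }
Set-PAServer $server

# Pull the IAM key pair from the Automation credential store, so the secret never
# appears in the runbook source or job logs.
$aws = Get-AutomationPSCredential -Name $AWSCredential
$pluginArgs = @{
    R53AccessKey = $aws.UserName
    R53SecretKey = $aws.Password    # SecureString, as the Route53 plugin expects
}

# -DnsAlias publishes the TXT record under $ChallengeDomain instead of
# _acme-challenge.$Domain, which is why the CNAME from the earlier article matters.
# -DnsSleep 120 is the wait the article refers to before validation is attempted.
$cert = New-PACertificate -Domain $Domain -Contact $Contact -AcceptTOS `
    -DnsPlugin Route53 -PluginArgs $pluginArgs -DnsAlias $ChallengeDomain `
    -DnsSleep 120 -Force

# The output folder changes between Automation runs, so never hard-code a path:
# take the file locations from the object Posh-ACME returns.
Write-Output "Issued $($cert.Subject), valid until $($cert.NotAfter)"
Write-Output "Certificate: $($cert.CertFile)"
Write-Output "Private key: $($cert.KeyFile)"
```

Because the Automation sandbox is rebuilt between jobs, reading $cert.CertFile and $cert.KeyFile from the returned object is what makes the later install step independent of the changing path.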
[Image: Click on "Test Pane" to run a check on the code]

When you have filled out the parameters, click on "Start" and Azure Automation will queue and run your runbook. As the Let's Encrypt DNS challenge takes 120 seconds, you will need to wait for the outcome. Why not have a coffee and come back? Once the test completes, the display refreshes automatically and you should see that the certificate has been issued.

[Image: Test runbook result]

You will also notice the path information relating to the certificate files. In my testing this path changes each time a certificate is requested, which differs slightly from how Posh-ACME runs on a standard desktop. You can work around that potential issue by doing the following:

Once you are happy that it is issuing your certificates, add a schedule to make this runbook recur:

Publish your runbook and exit the editor. You need to go back to the main Automation account dashboard to define a schedule.
Under "Shared Resources", go to "Schedules" and click "Add a schedule".
Enter a name, a start time and the recurrence pattern. It should be easy enough to follow this through. I have created a recurring schedule for every 60 days.

[Image: Creating a 60-day recurring schedule]

Go back into the runbook, where you can now choose to add the schedule. You can also define the parameters the runbook will use on this schedule.

[Image: Schedule runbook]

You now have Azure Automation getting your Let's Encrypt certificates for you, but not much else.

Connecting your router

I'm moving on now and editing my runbook to connect to a router and add the new certificate for the web management portal. For this I will use the Posh-SSH module. These steps are specific to a Fortinet router (running FortiOS 5.6.2 or higher), so if you have another brand the next step won't be something you can follow along with.
However, it may be enough guidance to adapt it to your own hardware, as long as you have SSH access.

Connecting to your Fortinet via SSH is probably something you are familiar with; adding certificates via SSH possibly not. The commands to add a certificate are straightforward:

    config vpn certificate local
        edit "my new certificate"
            set comments "my certificate valid until June"
            set password password
            set private-key "private key text"
            set certificate "certificate text"
    end

You can copy and paste the values for the private key and certificate straight out of their corresponding files, but you must retain the formatting. The content must also be enclosed in quotes.

[Image: Copy and paste private key and certificate values]

To this end I created two functions, which may not be required if you know how to wrap quotes around a portion of text, but for me it was needed. The functions simply add a quote to the beginning of the first line and the end of the last line of the key or certificate file.

[Image: Function to add quotation marks]

To retain the formatting, you need to do some other magic: converting carriage returns to new lines. You are also going to add a few more tweaks to make things easier on the Fortinet hardware. These allow you to quickly identify the certificate on the Fortinet router if you need to manage certificates later.

[Image: Retaining formatting and tweaks for the Fortinet hardware]

Then add the commands you will run over SSH and store them in a variable, $command. Finally, add code to connect to the Fortinet router and send $command. You will notice I am using more parameters here, so you will need to add those at the top of the script.

[Image: Adding parameters at the top of the script]

[Image: Add SSH $command]

You can then move all that code inside a try/catch block and test it out. All being well, you will see something similar to the following.
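The quoting, line-ending conversion, $command assembly and Posh-SSH connection described above, as an added example and not the author's own functions. It assumes Posh-SSH is imported into the Automation account, that $cert is the object New-PACertificate returned earlier in the runbook, and that $RouterHost and $RouterCredential are the extra runbook parameters the text mentions.

```powershell
# Added example (not the author's code): build the FortiOS CLI block from the
# Posh-ACME output files and push it over SSH with Posh-SSH. Assumes Posh-SSH is
# imported into the Automation account, $cert is the object New-PACertificate
# returned earlier in the runbook, and $RouterHost / $RouterCredential are extra
# runbook parameters ($RouterCredential names the router credential object).
function Format-PemForFortiOS {
    # FortiOS wants the PEM text as one quoted value with LF line endings.
    param([Parameter(Mandatory)][string]$Path)
    $pem = (Get-Content -Path $Path -Raw).Trim()   # drop the trailing newline
    $pem = $pem -replace "`r`n", "`n"              # CRLF -> LF; PEM body unchanged
    return '"' + $pem + '"'                        # quote the first and last line
}

function New-FortiCertCommand {
    param(
        [Parameter(Mandatory)][string]$Name,       # local certificate name on the router
        [Parameter(Mandatory)][string]$CertFile,
        [Parameter(Mandatory)][string]$KeyFile,
        [string]$Comment = "Let's Encrypt, issued $(Get-Date -Format yyyy-MM-dd)"
    )
    # No 'set password': Posh-ACME writes an unencrypted private key.
    $lines = @(
        'config vpn certificate local',
        "edit `"$Name`"",
        "set comments `"$Comment`"",
        "set private-key $(Format-PemForFortiOS -Path $KeyFile)",
        "set certificate $(Format-PemForFortiOS -Path $CertFile)",
        'end'
    )
    return ($lines -join "`n")
}

# Runbook body: a dated name makes the certificate easy to find on the router.
$command = New-FortiCertCommand -Name "LE-$(Get-Date -Format yyyyMMdd)" `
    -CertFile $cert.CertFile -KeyFile $cert.KeyFile
$router  = Get-AutomationPSCredential -Name $RouterCredential
$session = $null
try {
    # -AcceptKey trusts the host key on first use; verify the fingerprint out of band.
    $session = New-SSHSession -ComputerName $RouterHost -Credential $router -AcceptKey
    $result  = Invoke-SSHCommand -SSHSession $session -Command $command
    if ($result.ExitStatus -ne 0) { throw "FortiOS rejected the command: $($result.Error)" }
    Write-Output $result.Output
} catch {
    Write-Error "Certificate install on $RouterHost failed: $_"
} finally {
    if ($session) { Remove-SSHSession -SSHSession $session | Out-Null }
}
```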
If you also log into your Fortinet router, you will see the certificate is installed. If you are using the SSL VPN feature and want to wrap in updating the certificate there as well, simply add this to your $command.

[Image: Code moved inside a try/catch block]

Once you are happy you have the runbook working as desired, you can switch from LE_Stage to LE_Prod and issue your first fully automated certificate.

[Image: SSH certificate installed]

I know what you're thinking: why did I do this? My reasons are threefold:

No browser warnings when managing devices
Less admin overhead on certificate management
It's cool

I could probably add a fourth, which is that Let's Encrypt certificates are free, but that's obvious.

The example I have written about may be an edge case. However, as someone said to me when I mentioned what I was doing, "Some people need inspiration to figure out how they are going to use this stuff." So, while you may not be configuring a Fortinet router, I hope this inspires you to use Azure Automation to do... something!