Use Azure Automation with the Let's Encrypt free certificate authority to create, validate and install certificates on a firewall. Credit: KrulUA / GettyImages The Let’s Encrypt open certificate authority ensures that the internet is no longer transmitted in plaintext. It issues digital certificates for free, and the service is completely automated in the right circumstances.Let’s Encrypt is fully automated in most instances. In Windows, for example, you can automatically issue certificates from Let’s Encrypt using PowerShell and AWS. Robert PearmanIssued certificateIf you’ve followed the steps outlined in the linked article from the previous sentence, you can then configure Azure Automation to handle the creation, validation and installation of a certificate on a firewall. Here’s what you need to do.Log into your Azure portal. Click on “Create a Resource” and search for Azure Automation. Robert PearmanAdd Azure AutomationYou will need to enter information about the Automation account including the location it will run (Azure Datacenter geographic location) and the resource group. In a separate browser window, go to PowerShell Gallery. Search for “Posh-ACME”. In the results, select “Posh-ACME” and click on “Azure Automation” under “Installation Options”. Click on “Deploy to Azure Automation”. Robert PearmanDeploy to Azure AutomationIt will ask you which Automation account to import into. Choose the one created in the previous step, then click “OK”. It may take a few minutes to import. Repeat this process for AwsPowerShell and Posh-SSH, making sure each deployment completes before moving to the next. Create credential objectsNow you will create some credential objects, which are a way to securely store credentials in Azure Automation for use in run books. Under “Shared Resources”, click on “Credentials”. Click on “Add a Credential”. Robert PearmanModules galleryThe name you enter is a descriptive name you will call in the run book, so make sure it is descriptive enough that you know what it does. I am creating a credential object to store my AWS Route53 IAM credentials. Robert PearmanAdd a credentialI am also repeating the process to create credentials for the Fortinet router I want to connect to later.Create a runbookNext, you will create a runbook. Under “Process Automation” select “Runbook” and click on “Create a runbook”. You need to enter a runbook name, choose the type, which should be PowerShell, and then click on “Create”. A runbook is essentially an instance of a PowerShell task. Robert PearmanCreate a runbookOnce the runbook is created, you are entered into the Runbook editor, which is a page where you can edit your PowerShell code. First, you define some parameters, which you will need to request the certificate. Those are:LE_SERVERDomainChallenge DomainContactAWSCredentialThe LE_Server can either be “Stage” or “Production”. The staging server is used for testing and allows you to request many certificates issued by a non-browser trusted certificate authority compared to the production, which issues browser-trusted certificates but is limited to a number of requests per week. The domain is the common name (cn) you want your certificate to be issued for. The challenge domain is the fully qualified domain name (FQDN) of the cname record created in the article on using Let’s Encrypt with PowerShell and AWS. Contact is the email address you are using for notifications about the certificate. AWSCredential is the name of the credential object you stored our IAM credentials in. Robert PearmanRunbook request certificateYou can click on “Test Pane” to do a test run of the code. The Azure portal reads your code and prompts you to enter the parameters you specified in the runbook. Robert PearmanClick on “Test Pane” to run a check on the codeWhen you have filled out the parameters, you can click on “Start”, and Azure Automation will queue and run your runbook.As the LE Challenge takes 120 seconds, you will need to wait for the outcome. Why not have a coffee and come back. Once the test completes the display automatically refreshes and you should see the certificate has been issued. Robert PearmanTest runbook resultYou will also notice the path information relating to the certificate files. In my testing this path changes each time a certificate is requested, which differs slightly to how Posh-ACME runs on a standard desktop. You can work around that potential issue by doing the following:Once you are happy that it is issuing your certificates, add a schedule to make this runbook reoccur.Choose to publish your runbook and exit the editor. You need to go back to the main automation account dashboard to define a schedule.Under “Shared Resources”, go to schedules. Click “Add a schedule”.Enter a name, a start time and the recurrence pattern. It should be easy enough to follow this through. I have created a recurring schedule for every 60 days. Robert PearmanCreating a 60-day recurring scheduleGo back into the runbook and we can now choose to add a schedule. You can also define the parameters the runbook will use on this schedule. Robert PearmanSchedule runbookYou now have Azure Automation getting your Let’s Encrypt certificates for you, but not much else.Connecting your routerI’m moving on now and editing my runbook to connect to a router and add a new certificate for the web management portal. For this I will use the Posh-SSH module. These steps are specific to a Fortinet router (at OS 5.6.2 or higher), so if you have another brand the next step won’t be something you can follow along with. However, it may be enough guidance to adapt it to your own hardware as long as you have SSH access.Connecting to your Fortinet via SSH is probably something you are familiar with, adding certificates via SSH possibly not. The commands to add a certificate are straightforward:Config vpn certificate localEdit "my new certificate"Set comments "my certificate valid until June"Set password passwordSet private key "private key text"Set certificate "certificate text"EndYou can copy and paste the values for the private key and certificate straight out of their corresponding files, but you must retain the formatting. The content also must be encapsulated in quotes. Robert PearmanCopy and paste private key and certificate valuesTo this end I created two functions, which may not be required if you know how to wrap quotes around a portion of text, but for me it was needed. The functions simply add a quote to the beginning and end of the content of the key or cert file if it is the first or last line. Robert PearmanFunction to add quotation marksTo retain the formatting, you need to do some other magic: converting carriage returns to new lines. You are also going to add in a few more tweaks to make things easier on the Fortinet hardware. This allows you to quickly identify a certificate on the Fortinet router if you need to manage them. Robert Pearman Robert Pearman Robert Pearman Robert PearmanRetaining formatting and tweaks for the Fortinet hardwareThen add the commands you will run in SSH and store those in a variable $command. Finally, add code to connect to the Fortinet router and send a $command. You will notice I am using more parameters here, so you will need to add those at the top of the script. Robert PearmanAdding parameters at the top of the script Robert PearmanAdd SSH $commandsYou can then move all that code inside a try/catch section and test it out. All being well, you will see something similar to the following. If you also log into your Fortinet router, you will see the certificate is installed. If you are using the SSL VPN feature and want to wrap in updating the certificate there as well simply add this to your $command. Robert PearmanCode moved inside a try/catch sessionOnce you are happy you have the runbook working as desired, you can switch from LE_Stage to LE_Prod and issue your first fully automated certificate. Robert PearmanSSH certificate installedI know what you’re thinking: Why did I do this? My reasons are threefold.No browser warnings when managing devicesLess admin overhead on certificate managementIt’s coolI could probably add a fourth, which is the Let’s Encrypt certificates are free, but that’s obvious.The example I have written about may be an edge case. However, as someone said to me when I mentioned what I was doing, “Some people need inspiration to figure out how they are going to use this stuff.” So, while you may not be configuring a Fortinet router, I hope this inspires you to use Azure Automation to do… something! Related content news analysis Attackers breach US government agencies through ColdFusion flaw Both incidents targeted outdated and unpatched ColdFusion servers and exploited a known vulnerability. By Lucian Constantin Dec 06, 2023 5 mins Advanced Persistent Threats Advanced Persistent Threats Advanced Persistent Threats news BSIMM 14 finds rapid growth in automated security technology Embrace of a "shift everywhere" philosophy is driving a demand for automated, event-driven software security testing. By John P. Mello Jr. Dec 06, 2023 4 mins Application Security Network Security news Almost 50% of organizations plan to reduce cybersecurity headcounts: Survey While organizations are realizing the need for knowledgeable teams to address unknown threats, they are also looking to reduce their security headcount and infrastructure spending. By Gagandeep Kaur Dec 06, 2023 4 mins IT Jobs Security Practices feature 20 years of Patch Tuesday: it’s time to look outside the Windows when fixing vulnerabilities After two decades of regular and indispensable updates, it’s clear that security teams need take a more holistic approach to applying fixes far beyond the Microsoft ecosystem. By Susan Bradley Dec 06, 2023 6 mins Patch Management Software Threat and Vulnerability Management Windows Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe