Posh-ACME Configuration Guide for Apache on Windows 11 (10 Virtual Hosts)

This document describes a production-grade Posh-ACME deployment for Apache running on Windows 11 with approximately 10 name-based virtual hosts. It covers installation, configuration, certificate layout, Apache runtime integration, and automated renewal.

Design principle:
Posh-ACME manages certificates only. Apache consumes static certificate files. Apache configuration is never auto-modified.

1. Architecture Overview

All ACME state is stored under C:\ProgramData\Posh-ACME. Posh-ACME's own default on Windows is the per-user %LOCALAPPDATA%\Posh-ACME; the shared path is selected by setting the POSHACME_HOME environment variable at machine scope before the module is imported, so that interactive sessions and the scheduled renewal task see the same state tree. Apache reads certificates from a separate, stable runtime path that Posh-ACME never writes to; a renewal copies files into it, and a failed renewal leaves the previously deployed files untouched.


2. Installing Posh-ACME

2.1 One-Time Installation

From an elevated PowerShell prompt (Install-Module -Scope AllUsers writes to Program Files):

powershell -ExecutionPolicy Bypass

Install-Module Posh-ACME -Scope AllUsers
Import-Module Posh-ACME

Set the POSHACME_HOME environment variable to C:\ProgramData\Posh-ACME at machine scope before the first Import-Module; the module reads it at import time, and without it the state tree is created under the importing user's %LOCALAPPDATA%\Posh-ACME. The cmdlet and parameter names in this guide are those of Posh-ACME 4.x; check the installed version with Get-Module Posh-ACME.

2.2 Create ACME Account

New-PAAccount -AcceptTOS
Set-PAAccount -Contact mailto:admin@example.com

Accounts are per ACME server; with no server selected Posh-ACME uses Let's Encrypt production (LE_PROD). To exercise the DNS plugin without consuming production rate limits, run Set-PAServer LE_STAGE first and create a separate account there.

Plugin arguments stored with an order (the DNS provider credentials) are encrypted with Windows DPAPI, which ties them to the Windows account and machine that created the order. The ACME account key and the certificate private keys are written as files under the same tree, so restrict C:\ProgramData\Posh-ACME with NTFS ACLs to SYSTEM and Administrators.
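The two steps above combined into one re-runnable bootstrap script, added here as an example for this guide (it is not part of Posh-ACME's documentation). It assumes the shared state path C:\ProgramData\Posh-ACME from section 1 and a placeholder contact address; the NTFS ACL and the staging-first choice are this guide's recommendations.

```powershell
# One-time bootstrap. Run from an elevated prompt AS THE ACCOUNT THAT WILL RUN RENEWALS:
# plugin arguments saved later are DPAPI-encrypted for this account (see section 8).
# Paths and the contact address are placeholders for this guide.

$PoshHome = 'C:\ProgramData\Posh-ACME'

# Machine scope so every session and the scheduled task share one state tree.
[Environment]::SetEnvironmentVariable('POSHACME_HOME', $PoshHome, 'Machine')
$env:POSHACME_HOME = $PoshHome          # also apply to the current session

New-Item -ItemType Directory -Path $PoshHome -Force | Out-Null
# Drop inherited ACEs: only SYSTEM and Administrators may read the tree
# (account key, certificate private keys, encrypted plugin arguments).
icacls $PoshHome /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

if (-not (Get-Module -ListAvailable -Name Posh-ACME)) {
    Install-Module Posh-ACME -Scope AllUsers -Force
}
Import-Module Posh-ACME

# Start against the staging CA so a misconfigured DNS plugin does not burn
# production rate limits. Switch with "Set-PAServer LE_PROD" (and create an
# account there the same way) once a staging issuance succeeds.
Set-PAServer LE_STAGE

# New-PAAccount is idempotent-guarded here so the script can be re-run safely.
if (-not (Get-PAAccount)) {
    New-PAAccount -AcceptTOS -Contact 'mailto:admin@example.com'
}

# Show what will be used from now on.
Get-PAServer
Get-PAAccount
```

Re-running the script is harmless: the environment variable, directory and ACL are simply reapplied, and an existing account is left alone.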


3. Posh-ACME Configuration Model

3.1 State Tree

Posh-ACME has no single configuration file. Its state is a directory tree under the POSHACME_HOME path, with one subtree per ACME server, one per account, and one per order:

C:\ProgramData\Posh-ACME\
├── current-server.txt
└── acme-v02.api.letsencrypt.org\
    ├── dir.json
    ├── current-account.txt
    └── <account id>\
        ├── acct.json
        └── <order name>\
            ├── order.json
            ├── pluginargs.json   (DPAPI-encrypted plugin arguments)
            ├── cert.key
            ├── cert.cer
            ├── chain.cer
            └── fullchain.cer

View the active server and account:

Get-PAServer
Get-PAAccount

3.2 Orders (Certificates)

Each certificate is an order. An order defines the main domain (the certificate's subject and, by default, the order name), the subject alternative names, the challenge plugin and its stored arguments, and the key type. Get-PAOrder -List shows every order on the current account with its expiry and renewal date.

Orders are stored under:

C:\ProgramData\Posh-ACME\acme-v02.api.letsencrypt.org\<account id>\<order name>\

4. Certificate Strategy for 10 Virtual Hosts

Recommended Grouping

Group the 10 virtual hosts into three orders that match the runtime directories in section 5, for example group1 = site1 to site4, group2 = site5 to site7, group3 = site8 to site10. Hosts in one order share a private key and are issued, renewed and deployed together, so give hosts that may be moved or decommissioned their own group. A single certificate for all hosts is possible (Let's Encrypt allows up to 100 names per certificate) but turns every host change into a reissue for all of them.

Example Order Creation

The GoDaddy plugin takes GDKey as a plain string and the secret as a SecureString in GDSecretSecure (the plain-text GDSecret parameter is deprecated). Do not embed the secret in a script; read it interactively once. Posh-ACME stores the plugin arguments with the order, DPAPI-encrypted, and reuses them at renewal, so the renewal script never needs them. New-PACertificate creates the order, publishes the DNS TXT challenge through the plugin, waits for validation and downloads the certificate in one step; New-PAOrder is the lower-level cmdlet that stops after creating the order.

$GDSecret = Read-Host 'GoDaddy API secret' -AsSecureString

New-PACertificate `
  -Domain site1.example.com,site2.example.com,site3.example.com,site4.example.com `
  -Plugin GoDaddy `
  -PluginArgs @{ GDKey='GODADDY_API_KEY'; GDSecretSecure=$GDSecret }

The first name in -Domain becomes the order's MainDomain and the certificate's subject; the remaining names are subject alternative names. -DnsPlugin is the pre-4.0 alias of -Plugin and still works.
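Extending the single-group command above to all ten hosts: an added example for this guide (not from Posh-ACME's own documentation) that issues every group from one table, so the order-to-directory mapping is declared once and the script can be re-run without re-ordering groups that already exist. The host names, group names and the GoDaddy key placeholder are assumptions.

```powershell
# Issue all certificate groups from one definition. Host names, group names and
# the GoDaddy key are placeholders for this guide.
$env:POSHACME_HOME = 'C:\ProgramData\Posh-ACME'
Import-Module Posh-ACME

# First name in each list becomes the MainDomain (certificate subject) and the
# default order name; the rest become subject alternative names.
$Groups = [ordered]@{
    group1 = 'site1.example.com','site2.example.com','site3.example.com','site4.example.com'
    group2 = 'site5.example.com','site6.example.com','site7.example.com'
    group3 = 'site8.example.com','site9.example.com','site10.example.com'
}

# Secret is read once, kept as a SecureString, and saved DPAPI-encrypted with each order.
$GDSecret   = Read-Host 'GoDaddy API secret' -AsSecureString
$PluginArgs = @{ GDKey = 'GODADDY_API_KEY'; GDSecretSecure = $GDSecret }

foreach ($name in $Groups.Keys) {
    $domains = $Groups[$name]

    # Skip groups that already have an order so the script is safe to re-run;
    # renewal of existing orders is the job of Submit-Renewal (section 7).
    if (Get-PAOrder -MainDomain $domains[0] -ErrorAction SilentlyContinue) {
        Write-Host "$name ($($domains[0])) already ordered; skipping"
        continue
    }

    # Creates the order, publishes the TXT challenges via the GoDaddy plugin,
    # waits for validation and downloads the certificate files.
    $cert = New-PACertificate -Domain $domains -Plugin GoDaddy -PluginArgs $PluginArgs
    if (-not $cert) { throw "issuance failed for $name" }

    Write-Host ("{0}: {1} names, expires {2:yyyy-MM-dd}, files in {3}" -f
        $name, $cert.AllSANs.Count, $cert.NotAfter, (Split-Path $cert.FullChainFile))
}
```

Run it against LE_STAGE first; staging certificates are untrusted but prove that the DNS plugin credentials and the zone delegation work before the same table is used against LE_PROD.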

5. Apache Runtime Certificate Layout

Apache reads certificates from a fixed runtime directory that Posh-ACME never writes to directly; the deployment step in section 6 copies files into it. Never point Apache at the Posh-ACME order folder itself: its files are rewritten during renewal and the private key would then live inside the ACME state tree. Example layout:

C:\_amp\run\SSL\
├── group1\
│   ├── fullchain.pem
│   └── privkey.pem
├── group2\
│   ├── fullchain.pem
│   └── privkey.pem
└── group3\
    ├── fullchain.pem
    └── privkey.pem

Apache VirtualHost Example

<VirtualHost *:443>
  ServerName site1.example.com

  SSLEngine on
  # fullchain.pem = leaf + intermediates. Apache 2.4.8+ reads the intermediates
  # from SSLCertificateFile, so no SSLCertificateChainFile directive is needed.
  SSLCertificateFile "C:/_amp/run/SSL/group1/fullchain.pem"
  SSLCertificateKeyFile "C:/_amp/run/SSL/group1/privkey.pem"

  DocumentRoot "C:/_amp/host/site1/site"
</VirtualHost>

Every host in group1 uses the same two file paths with its own ServerName; name-based TLS hosts rely on SNI, which Apache 2.4 supports. Protocol and cipher settings (SSLProtocol, SSLCipherSuite) belong in the global mod_ssl configuration, not in each VirtualHost.

6. Certificate Deployment (Export)

After issuance or renewal, certificate files are copied explicitly from the order folder into the runtime directory. Posh-ACME has no export cmdlet; the object returned by Get-PACertificate carries the paths of the files it wrote (CertFile, KeyFile, ChainFile, FullChainFile, PfxFile). The .cer and .key files are PEM-encoded, so Apache reads them unchanged; the .pem names are only the convention of the runtime layout.

$cert = Get-PACertificate -MainDomain site1.example.com
New-Item -ItemType Directory -Path 'C:\_amp\run\SSL\group1' -Force | Out-Null
Copy-Item $cert.FullChainFile 'C:\_amp\run\SSL\group1\fullchain.pem' -Force
Copy-Item $cert.KeyFile      'C:\_amp\run\SSL\group1\privkey.pem'   -Force
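Two checks a practitioner wants after the copy, added here as an example for this guide (not Posh-ACME or Apache code): restricting who can read privkey.pem, and verifying that the deployed leaf certificate covers the group's hosts and is not close to expiry. The runtime path, the expected host names and the httpd.exe location are assumptions; the ACL assumes Apache runs as LocalSystem, which is the default for an httpd service on Windows.

```powershell
# Harden and verify one runtime group directory. Paths, host names and the
# Apache service identity are assumptions for this guide.

function Protect-RuntimeGroup {
    param([Parameter(Mandatory)][string]$Dir)
    # Remove inherited ACEs so privkey.pem is readable only by SYSTEM (Apache's
    # service account by default) and Administrators. If Apache runs as a
    # dedicated service account, grant that account R instead of SYSTEM.
    icacls $Dir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)R' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
}

function Test-RuntimeGroup {
    param(
        [Parameter(Mandatory)][string]$Dir,
        [Parameter(Mandatory)][string[]]$ExpectedHosts,
        [int]$MinDaysLeft = 14
    )
    $chain = Join-Path $Dir 'fullchain.pem'
    $key   = Join-Path $Dir 'privkey.pem'
    foreach ($f in $chain, $key) { if (-not (Test-Path $f)) { throw "missing $f" } }

    # X509Certificate2 loads the first PEM block of the file, i.e. the leaf.
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($chain)

    $daysLeft = [int]($leaf.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysLeft) { throw "$chain expires in $daysLeft days" }

    # Subject Alternative Name extension (OID 2.5.29.17). On Windows its text
    # form is "DNS Name=site1.example.com, DNS Name=site2.example.com, ...".
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) { throw "$chain has no Subject Alternative Name extension" }
    $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }

    $missing = $ExpectedHosts | Where-Object { $sans -notcontains $_ }
    if ($missing) { throw "certificate lacks SAN(s): $($missing -join ', ')" }

    [pscustomobject]@{ Dir = $Dir; Subject = $leaf.Subject; DaysLeft = $daysLeft; SANs = $sans }
}

Protect-RuntimeGroup -Dir 'C:\_amp\run\SSL\group1'
Test-RuntimeGroup -Dir 'C:\_amp\run\SSL\group1' `
    -ExpectedHosts site1.example.com,site2.example.com,site3.example.com,site4.example.com

# Finally let Apache parse its configuration before any restart (path assumed).
& 'C:\_amp\apache\bin\httpd.exe' -t
```

Test-RuntimeGroup throws on any failure, so it can sit in the renewal script between the copy and the service restart: a mis-deployed group then stops the script before Apache is restarted into a broken state.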

7. Automated Renewal

7.1 Renewal Script

Save as C:\Scripts\PoshACME-Renew.ps1. Submit-Renewal -AllOrders renews every order on the current account that has entered its renewal window and skips the rest, so the script is a no-op on most days; the certificate files in the order folders are then compared with the deployed copies, and Apache is restarted only when a file actually changed.

$env:POSHACME_HOME = 'C:\ProgramData\Posh-ACME'   # must be set before Import-Module
Import-Module Posh-ACME

# MainDomain of each order -> Apache runtime directory from section 5
$Groups = @{ 'site1.example.com' = 'C:\_amp\run\SSL\group1'
             'site5.example.com' = 'C:\_amp\run\SSL\group2'
             'site8.example.com' = 'C:\_amp\run\SSL\group3' }

Submit-Renewal -AllOrders | Out-Null

$changed = $false
foreach ($main in $Groups.Keys) {
  $cert = Get-PACertificate -MainDomain $main
  if (-not $cert) { Write-Warning "No certificate for $main"; continue }
  $dest = $Groups[$main]; $live = Join-Path $dest 'fullchain.pem'
  New-Item -ItemType Directory -Path $dest -Force | Out-Null
  # Copy only when the issued chain differs from what Apache is serving
  if (-not (Test-Path $live) -or (Get-FileHash $live).Hash -ne (Get-FileHash $cert.FullChainFile).Hash) {
    Copy-Item $cert.FullChainFile $live -Force
    Copy-Item $cert.KeyFile (Join-Path $dest 'privkey.pem') -Force
    $changed = $true
  }
}
# Restart only when something changed; a no-op run must not bounce Apache
if ($changed) { Restart-Service -Name Apache2.4 }

7.2 Task Scheduler

Register a daily task that runs the script as the account that created the orders (SYSTEM, or the administrative account used in section 4 with "Run whether user is logged on or not"). Action:

powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\Scripts\PoshACME-Renew.ps1"

A daily trigger is correct even though a certificate is renewed only about every 60 days: outside the renewal window the script does nothing, and a failed attempt (DNS API outage, CA outage) is simply retried the next day while the current certificate stays valid.
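Registering the task from PowerShell instead of the Task Scheduler GUI, added as an example for this guide (not part of Posh-ACME). Task name, schedule and script path are assumptions; the principal is SYSTEM, which requires that the orders were created as SYSTEM too, for the DPAPI reason given in section 8.

```powershell
# Register the renewal task. Task name, schedule and script path are assumptions
# for this guide. Run from an elevated prompt.
$ScriptPath = 'C:\Scripts\PoshACME-Renew.ps1'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Daily at 03:15 plus up to 30 minutes of random delay, so several servers do
# not hit the CA and the DNS API at the same instant.
$trigger = New-ScheduledTaskTrigger -Daily -At '03:15' -RandomDelay (New-TimeSpan -Minutes 30)

$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30) -MultipleInstances IgnoreNew

# SYSTEM: the orders from section 4 must then also have been created as SYSTEM
# (for example from "psexec -s -i powershell.exe"), because the stored DNS
# credentials are DPAPI-encrypted for the creating account.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'PoshACME-Renew' -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal `
    -Description 'Posh-ACME renewal and Apache certificate deployment' -Force | Out-Null

# Run once now and read back the result; LastTaskResult 0 means the script
# exited cleanly under the task's account.
Start-ScheduledTask -TaskName 'PoshACME-Renew'
Start-Sleep -Seconds 20
Get-ScheduledTaskInfo -TaskName 'PoshACME-Renew' | Select-Object LastRunTime, LastTaskResult
```

The first on-demand run is the real test of the account binding: if it succeeds under the task principal, DPAPI decryption of the plugin arguments works for that account and scheduled renewals will too.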

8. Renewal Behavior

Submit-Renewal only renews orders that have entered their renewal window; Posh-ACME sets RenewAfter at roughly two-thirds of the certificate lifetime, about 30 days before expiry for a 90-day Let's Encrypt certificate. Running the task daily is therefore safe, and most runs do nothing. Get-PAOrder -List shows RenewAfter and CertExpires for every order.

Important:
The same Windows account (or SYSTEM) must be used for:

- creating the account and the orders (the step that DPAPI-encrypts the DNS plugin credentials),
- running the renewal task (the step that must decrypt them),
- any manual Submit-Renewal or re-issuance from an interactive session.

DPAPI binds the stored plugin arguments to the user profile and the machine, so a task running under a different account cannot decrypt them and the DNS challenge is never published. To confirm that the renewal account can read the credentials, run Get-PAPluginArgs under that account. If issuance and renewal cannot share an account, switch the server to a portable key before creating the orders with Set-PAServer -UseAltPluginEncryption; the key then lives in the state tree and its protection rests entirely on the NTFS ACL from section 2.

9. Summary

Posh-ACME owns issuance and renewal under C:\ProgramData\Posh-ACME; Apache only ever sees static fullchain.pem and privkey.pem files under C:\_amp\run\SSL\<group>, copied there by the renewal script and never by Posh-ACME itself. Ten hosts are covered by three grouped orders, the scheduled task runs daily as the account that created the orders, and Apache is restarted only when a deployed file actually changes.