Using Let’s Encrypt With PowerShell Empire


A friend recently reached out to me for some assistance with using Let’s Encrypt with PowerShell Empire. They were attempting to follow the excellent article posted on one of my favourite blogs, Black Hills Information Security [SOURCE]. 95% of the work contained in this post is covered in that article, so full credit to BHIS. Following the instructions led to the following error when attempting to start the HTTP listener. Note that this article applies to Empire 2.5.

The default values for listeners in Empire can be configured by modifying their configuration file. The path for the HTTP listener file is lib/listeners/ Within this configuration file is a block for CertPath which is where you specify the location of your certificate chain and private key. Searching for that term on the GitHub repo for Empire revealed the issue.

The code above states that Empire is looking for two very specific file names: empire-chain.pem and empire-priv.key.

The Fix

Request your cert from Let’s Encrypt. You can choose whichever challenge you want – I performed the DNS challenge.

$ certbot certonly -d <> --manual --preferred-challenges dns

With that done, navigate to the /etc/letsencrypt/<>/live directory and perform the following.

Rename the private key to align with what Empire expects (yes, I know you can convert it to .key using openssl, but a simple rename works).

$ mv privkey.pem empire-priv.key

Concatenate cert.pem and the private key into empire-chain.pem.

$ cat cert.pem empire-priv.key > empire-chain.pem

With that complete, navigate back to the install directory for Empire, and modify the following values in the corresponding listener. 

Side Note: I’m only modifying the blocks that are required to get your SSL cert working with your listener. This configuration file allows you to modify many of the Indicators of Compromise that are associated with PowerShell Empire. It’s a good idea to spend some time changing the values in this listener configuration file so that as many of the default Empire behaviours as possible are altered.

Once you save the file, start your listener and rejoice at the error-free startup of your new HTTPS listener.