I needed 2 subdomain certificates from Lets Encrypt. I had looked at some tools and found ACMESharp (https://pkisharp.github.io/ACMESharp-docs/Quick-Start, https://github.com/ebekker/ACMESharp/wiki/Quick-Start) the best. To get the certificate, the ACMEVault has to be set up once and the tool has to be installed as PowerShell module before:

Install-Module -Name ACMESharp -AllowClobber
Import-Module ACMESharp
Initialize-ACMEVault

Then you can execute the following lines to generate a certificate. The following instructions use “dns1” as placeholder for the subdomain:

New-ACMERegistration -Contacts mailto:info@thomas-zuehlke.de -AcceptTos
New-ACMEIdentifier -Dns service1.thomas-zuehlke.de -Alias dns1
Complete-ACMEChallenge dns1 -ChallengeType dns-01 -Handler manual
Update-ACMEIdentifier dns1 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}
# Perform proof, that you are the domain owner
Submit-ACMEChallenge dns1 -ChallengeType dns-01
# re-check with Update-ACMEIdentifier for status change
New-ACMECertificate dns1 -Generate -Alias cert1
Submit-ACMECertificate cert1
Update-ACMECertificate -CertificateRef cert1
Get-ACMECertificate cert1 -ExportPkcs12 "c:\kubernetes\cert1.pfx"

To prove that you are the owner of the domain, a TXT record must be created after line 4. This must be filled with the values of the output from line 4. If the TXT record has been created, the submit is made with the challenge (line 6). You must now wait until the submit has been processed and checked. To do this, line 4 can be executed again and again and you must wait until the output contains the status: valid.

Afterwards you can process with line 8 and download the certificate.