Let's Encrypt,免费好用的 HTTPS 证书 之 Window版生成和IIS配置
Linux下的,请参考地址:https://imququ.com/post/letsencrypt-certificate.html
准备工作
我们主要使用:ACMESharp 来实现生成证书的。
你需要打开 window powershelll 注意:一定要用管理员账号打开
并且成功安装ACMESharp
步骤说明:Let's Encrypt 应用到Window IIS 下
英文详细说明地址:https://github.com/ebekker/ACMESharp/wiki/Quick-Start
以下是流水步骤,只要是顺序执行,应该问题不大。
PS D:\SSL> Install-Module -Name ACMESharp
不受信任的存储库
你正在从不受信任的存储库安装模块。如果你信任该存储库,请通过运行 Set-PSRepository cmdlet 更改其InstallationPolicy 值。是否确实要从“PSGallery”安装模块?
[Y] 是(Y) [A] 全是(A) [N] 否(N) [L] 全否(L) [S] 暂停(S) [?] 帮助 (默认值为“N”): Y
PS D:\SSL> Install-Module -Name ACMESharp
PS D:\SSL> Import-Module ACMESharp
PS D:\SSL> Initialize-ACMEVault
PS D:\SSL> New-ACMERegistration -Contacts mailto:isudajicom@gmail.com -AcceptTos
Contacts : {mailto:isudajicom@gmail.com}
PublicKey : { e = AQAB, kty = RSA, n = y6aFgfzMjJYKT3tAON9UjAs***RcIea726ZOV8GikAK4IGtQ }RecoveryKey :
RegistrationUri : https://acme-v01.api.letsencrypt.org/acme/reg/67***76
Links : {https://acme-v01.api.letsencrypt.org/acme/new-authz>;rel="next", https://letsencrypt.org/documen ts/LE-SA-v1.1.1-August-1-2016.pdf>;rel="terms-of-service"}
TosLinkUri : https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
TosAgreementUri : https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
AuthorizationsUri :
CertificatesUri :
PS D:\SSL> New-ACMEIdentifier -Dns www.isudaji.com -Alias dns1
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : www.isudaji.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/ruizRI2-2WGG***X1GIM
Status : pending
Expires : 2016/12/6 8:18:17
Challenges : {, , }
Combinations : {1, 2, 0}
PS D:\SSL> Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual
== Manual Challenge Handler - HTTP ==
* Handle Time: [2016/11/29 16:21:15]
* Challenge Token: [I6Ro7K2rvBwLb#####xFgOPQHTs]
To complete this Challenge please create a new file
under the server that is responding to the hostname
and path given with the following characteristics:
* HTTP URL: [http://www.isudaji.com/.well-known/acme-challenge/
I6Ro7K2rvBwLb7#####xFgOPQHTs]
* File Path: [.well-known/acme-challenge/I6Ro7K2rvB#####g1LxFgOPQHTs]
* File Content: [I6Ro7K2rvBwLb7e4sBfC1WXB4BQ########V_gZBZ3kdfEfVbxTs0M2KxaZLRoQ]
* MIME Type: [text/plain]
------------------------------------
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : www.isudaji.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/ruizRI2-2WG****Q6aaEX1GIM
Status : pending
Expires : 2016/12/6 8:18:17
Challenges : {, , manual}
Combinations : {1, 2, 0}
Window下还是用DNS来验证网站所有权吧,.well-known文件夹名字命名不了。
PS D:\SSL> Complete-ACMEChallenge dns1 -ChallengeType dns-01 -Handler manual
== Manual Challenge Handler - DNS ==
* Handle Time: [2016/11/29 16:36:09]
* Challenge Token: [rBTmWnFa1l2***qmWexsyQ]
To complete this Challenge please create a new Resource
Record (RR) with the following characteristics:
* RR Type: [TXT]
* RR Name: [_acme-challenge.www.isudaji.com]
* RR Value: [u0e28icGYm****SH-JjGRSS6HNk]
------------------------------------
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : www.isudaji.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/ruizRI2-2WG****aEX1GIM
Status : pending
Expires : 2016/12/6 8:18:17
Challenges : {, manual, manual}
Combinations : {1, 2, 0}
-------本地验证:
C:\Users\ISuDaJi>nslookup -qt=txt _acme-challenge.www.isudaji.com
服务器: xd-cache-1.bjtelecom.net
Address: 111.111.111.10
非权威应答:
_acme-challenge.www.isudaji.com text =
"u0e28icGYmSgophqC_oJLaoDQOPn0GSH-JjGRSS6HNk"
isudaji.com nameserver = ns1.isudaji.com
isudaji.com nameserver = ns2.isudaji.com
ns1.isudaji.com internet address = 111.116.111.111
ns2.isudaji.com internet address = 111.51.11.111
====================================================================
提交验证
PS D:\SSL> Submit-ACMEChallenge dns1 -ChallengeType dns-01
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : www.isudaji.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/ruizRI2-2WGG***aaEX1GIMStatus : pendingExpires : 2016/12/6 8:18:17Challenges : {, manual, manual}Combinations : {1, 2, 0}
检查验证
PS D:\SSL> (Update-ACMEIdentifier dns1 -ChallengeType dns-01).Challenges | Where-Object {$_.Type -eq "dns-01"}ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.DnsChallenge
Type : dns-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/ruizRI2-2WGG***M/372***65
Token : rBTmWnF****tUJbpcX-wuL***exsyQ
Status : valid
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : manual
HandlerHandleDate : 2016/11/29 16:36:09
HandlerCleanUpDate :
SubmitDate : 2016/11/29 17:03:08
SubmitResponse : {StatusCode, Headers, Links, RawContent...}
整体的验证
PS D:\SSL> Update-ACMEIdentifier dns1
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : www.isudaji.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/ruizRI2-2***1GIM
Status : valid
Expires : 2017/1/28 9:03:07
Challenges : {, , }
Combinations : {1, 2, 0}
获取证书
PS D:\SSL> New-ACMECertificate dns1 -Generate -Alias cert1
Id : 7f798b26*****42e86010
Alias : cert1
Label :
Memo :
IdentifierRef : dec6****4b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile :
CsrPemFile :
GenerateDetailsFile : 7f798b26*****10-gen.json
CertificateRequest :
CrtPemFile :
CrtDerFile :
IssuerSerialNumber :
SerialNumber :
Thumbprint :
Signature :
SignatureAlgorithm :
PS D:\SSL> Submit-ACMECertificate cert1
Id : 7f798****2e86010
Alias : cert1
Label :
Memo :
IdentifierRef : dec6a3****38644b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile : 7f798****e86010-key.pem
CsrPemFile : 7f79****2e86010-csr.pem
GenerateDetailsFile : 7f798****e86010-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 7f79****10-crt.pem
CrtDerFile : 7f798****0-crt.der
IssuerSerialNumber :
SerialNumber : 03A147****41414E
Thumbprint : 309E474B****47965B332
Signature : 309E474****965B332
SignatureAlgorithm : sha256RSA
导出证书
PS D:\SSL> Get-ACMECertificate cert1 -ExportKeyPEM "D:\SSL\cert1.key.pem"
Id : 7f798b****42e86010
Alias : cert1
Label :
Memo :
IdentifierRef : dec6****644b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile : 7f79****010-key.pem
CsrPemFile : 7f798****86010-csr.pem
GenerateDetailsFile : 7f79****86010-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 7f798b****010-crt.pem
CrtDerFile : 7f798****010-crt.der
IssuerSerialNumber :
SerialNumber : 03A147****0941414E
Thumbprint : 309E****965B332
Signature : 309E47****65B332
SignatureAlgorithm : sha256RSA
导出证书签名请求(CSR)
PS D:\SSL> Get-ACMECertificate cert1 -ExportCsrPEM "D:\SSL\cert1.csr.pem"
Id : 7f7****6010
Alias : cert1
Label :
Memo :
IdentifierRef : dec6a3****644b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile : 7f798****2e86010-key.pem
CsrPemFile : 7f798****0-csr.pem
GenerateDetailsFile : 7f79****010-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 7f798b****10-crt.pem
CrtDerFile : 7f79****6010-crt.der
IssuerSerialNumber :
SerialNumber : 03A14****941414E
Thumbprint : 309E4****965B332
Signature : 309E47****5B332
SignatureAlgorithm : sha256RSA
导出由LE颁发的证书
PS D:\SSL> Get-ACMECertificate cert1 -ExportCertificatePEM "D:\SSL\cert1.crt.pem" -ExportCertificateDER "D:\SSL\cert1.crt"
Id : 7f7****2e86010
Alias : cert1
Label :
Memo :
IdentifierRef : dec****38644b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile : 7f798b****010-key.pem
CsrPemFile : 7f798****86010-csr.pem
GenerateDetailsFile : 7f79****86010-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 7f798****86010-crt.pem
CrtDerFile : 7f79****86010-crt.der
IssuerSerialNumber :
SerialNumber : 03A1****41414E
Thumbprint : 309E****5B332
Signature : 309E47****5B332
SignatureAlgorithm : sha256RSA
导出发行人证书(第一个失败,就先只执行一次下边的那个)
PS D:\SSL> Get-ACMECertificate cert1 -ExportIssuerPEM "D:\SSL\cert1-issuer.crt.pem" -ExportIssuerDER "D:\SSL\cert1-issuer.crt"
Get-ACMECertificate : Issuer certificate hasn't been resolved
所在位置 行:1 字符: 1
+ Get-ACMECertificate cert1 -ExportIssuerPEM "D:\SSL\cert1-issuer.crt.p ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ACMECertificate], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.GetCertificate
PS D:\SSL> Update-ACMECertificate cert1
Id : 7f79****86010
Alias : cert1
Label :
Memo :
IdentifierRef : dec6****644b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile : 7f79****010-key.pem
CsrPemFile : 7f79****6010-csr.pem
GenerateDetailsFile : 7f79****6010-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 7f7****86010-crt.pem
CrtDerFile : 7f798****e86010-crt.der
IssuerSerialNumber : 0A01****CA708
SerialNumber : 03A147****1414E
Thumbprint : 309E4****5B332
Signature : 309E47****5B332
SignatureAlgorithm : sha256RSA
PS D:\SSL> Get-ACMECertificate cert1 -ExportIssuerPEM "D:\SSL\cert1-issuer.crt.pem" -ExportIssuerDER "D:\SSL\cert1-issuer.crt"
Id : 7f79****42e86010
Alias : cert1
Label :
Memo :
IdentifierRef : dec****644b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile : 7f****010-key.pem
CsrPemFile : 7f79****2e86010-csr.pem
GenerateDetailsFile : 7f798****86010-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 7f79****86010-crt.pem
CrtDerFile : 7f798b****10-crt.der
IssuerSerialNumber : 0A0141****A708
SerialNumber : 03A147****1414E
Thumbprint : 309E****965B332
Signature : 309E474B****5B332
SignatureAlgorithm : sha256RSA
导出可以用在windows IIS里的证书(没密码的证书,有密码的证书,任选。)
PS D:\SSL> Get-ACMECertificate cert1 -ExportPkcs12 "D:\SSL\cert1.pfx"
Id : 7f79****e86010
Alias : cert1
Label :
Memo :
IdentifierRef : dec6a****4b83
IdentifierDns : www.isudaji.com
AlternativeIdentifierDns :
KeyPemFile : 7f7****-key.pem
CsrPemFile : 7f798b****sr.pem
GenerateDetailsFile : 7f798b26****10-gen.json
CertificateRequest : ACMESharp.CertificateRequest
CrtPemFile : 7f798b2****010-crt.pem
CrtDerFile : 7f798b2****010-crt.der
IssuerSerialNumber : 0A01****708
SerialNumber : 03A1****941414E
Thumbprint : 309E474****5B332
Signature : 309E4****965B332
SignatureAlgorithm : sha256RSA
创建带有密码的证书
PS D:\SSL> Get-ACMECertificate cert1 -ExportPkcs12 "D:\SSL\cert1.pfx" -CertificatePassword 'g1Bb3Ri$h'
Get-ACMECertificate : 文件“D:\SSL\cert1.pfx”已经存在。
所在位置 行:1 字符: 1
+ Get-ACMECertificate cert1 -ExportPkcs12 "D:\SSL\cert1.pfx" -Certifica ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ACMECertificate], IOException
+ FullyQualifiedErrorId : System.IO.IOException,ACMESharp.POSH.GetCertificate
此致就完成了所有的步骤,那么我们怎么用这些证书来开启https呢?
这里,我们先只用到 pfx的证书来实现IIS的配置,如下链接:
Win2008+IIS7.0下安装SSL证书
IIS7如何实现访问HTTP跳转到HTTPS访问
安装上边步骤实现的HTTPS,在线体验:爱苏妲己
相关文章
- Win2008+IIS7.0下安装SSL证书(2016-11-30 14:37:35)
- IIS7如何实现访问HTTP跳转到HTTPS访问(2016-11-30 14:15:24)
- MongoDB设置访问权限、设置用户(2016-11-28 18:8:14)
- 在Visual Studio中安装使用NuGet Package Manager(2016-11-25 15:56:40)
- win10过一会就睡眠了,电源和睡眠了,设置的不起作用,不进行任何操作后两分钟就睡眠(2016-4-15 16:21:3)
- webpack配置.jsx文件由babel来解析,出现:babel没能识别我 js 文件中的 jsx 语法?(2016-2-17 9:31:49)
- Webpack+React+Hot控制台报错:Cannot read property ‘NODE_ENV’ of undefined(2016-2-16 10:49:15)
- 如何通过(nginx+php)修改配置来解决php文件上传大小限制问题(2016-1-21 10:55:17)
- 解决php设置页面超时时间方法(set_time_limit,max_execution_time,ini_set)(2016-1-14 10:39:15)
- 解决PHP中file_get_contents函数抓取https地址出错的两种方法(2015-12-31 10:58:21)
