
Requesting certificates with Win-ACME

On Linux use acme.sh; on Windows use Win-ACME.

https://www.win-acme.com/
https://github.com/win-acme/win-acme/releases

The default trimmed build is sufficient; the pluggable build exists so that additional plugins such as cloudflare, aliyun, hetzner and others can be integrated. See https://github.com/win-acme/win-acme/releases

Documentation:
https://www.win-acme.com/manual/getting-started
https://www.win-acme.com/reference/cli
https://www.win-acme.com/reference/settings

Hands-on procedure

Configuration

Extract the archive to any location and copy settings_default.json to settings.json. If you are happy with Let's Encrypt, the configuration generally needs no changes.

To use ZeroSSL instead, change DefaultBaseUri from https://acme-v02.api.letsencrypt.org/ to https://acme.zerossl.com/v2/DV90/

Also go to https://app.zerossl.com/developer to obtain the EAB credentials.


Run wacs.exe. The Key identifier is the EAB KID, and the Key (base64url encoded) is the EAB HMAC Key.

```cmd
 A simple Windows ACMEv2 client (WACS)
 Software version 2.2.9.1701 (release, trimmed, standalone, 64-bit)
 Connecting to https://acme.zerossl.com/v2/DV90/...
 Connection OK!
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: o

 S: Manage secrets
 V: Manage global validation options
 T: (Re)create scheduled task
 E: Test notification
 A: Create ACME account
 I: Import scheduled renewals from WACS/LEWS 1.9.x
 M: Encrypt/decrypt configuration
 U: Check for updates
 Q: Back

 Please choose from the menu: a

Terms of service:    C:\ProgramData\win-acme\acme.zerossl.comv2DV90\Certificate-Subscriber-Agreement-2.7-click.pdf

 Open in default application? (y/n*) - yes

 Do you agree with the terms? (y*/n) - <Enter>

 This ACME endpoint requires an external account. You will need to provide a
 key identifier and a key to proceed. Please refer to the providers
 instructions on how to obtain these.

 Key identifier: akNZSP45MF6ZOxJwNdgfrg

 Key (base64url encoded): **************************************************************************************

Account ID:          -
Account KID:         https://acme.zerossl.com/v2/DV90/account/akNZSP45MF6ZOxJwNdgfrg
Created        -----------------------------------------------------------------
Initial IP     -----------------------------------------------------------------
Status:              valid
Contact(s):          (none)

 Modify contacts? (y/n*) - <Enter>

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit
```

Requesting a wildcard certificate

Using the default settings option (N) is faster; here the full options (M) are used.
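Before starting the interactive session, it is worth checking the two things that most often make the wildcard order fail: settings.json still pointing at Let's Encrypt instead of ZeroSSL, and the _acme-challenge CNAME not yet delegated to acme-dns when wacs.exe asks you to press <Enter>. The following pre-flight script is an added example, not part of the original post or of the win-acme project; it assumes win-acme is unpacked in D:\Win-ACME, that settings.json keeps DefaultBaseUri under the "Acme" object (as settings_default.json does), and it uses the domain and acme-dns target shown in the session below as sample values.

```powershell
# Added pre-flight check for the win-acme + ZeroSSL + acme-dns flow described in the post.
# Assumptions: win-acme lives in $WacsDir; DefaultBaseUri sits under the "Acme" object in
# settings.json; $CnameTarget is the record acme-dns printed at registration time.
param(
    [string]$WacsDir     = 'D:\Win-ACME',
    [string]$Domain      = 'test.microcharon.com',
    [string]$CnameTarget = '7507d944-8603-4a13-9103-7215079c6855.auth.acme-dns.io',
    [string]$Resolver    = '1.1.1.1'   # external resolver so a stale local cache cannot hide a missing record
)

# 1. settings.json must exist and point at the ZeroSSL directory (EAB credentials are entered in wacs.exe).
$settingsPath = Join-Path $WacsDir 'settings.json'
if (-not (Test-Path $settingsPath)) {
    throw "settings.json not found in $WacsDir; copy settings_default.json to settings.json first"
}
$settings = Get-Content -Raw $settingsPath | ConvertFrom-Json
$baseUri  = $settings.Acme.DefaultBaseUri
if ($baseUri -ne 'https://acme.zerossl.com/v2/DV90/') {
    Write-Warning "DefaultBaseUri is '$baseUri'; for ZeroSSL set it to https://acme.zerossl.com/v2/DV90/"
} else {
    Write-Host "DefaultBaseUri points at ZeroSSL"
}

# 2. dns-01 for a wildcard requires _acme-challenge.<domain> to be a CNAME to the acme-dns record.
#    One delegation covers both test.microcharon.com and *.test.microcharon.com.
$record = "_acme-challenge.$Domain"
$cname  = Resolve-DnsName -Name $record -Type CNAME -Server $Resolver -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'CNAME' } |
          Select-Object -First 1 -ExpandProperty NameHost
if (-not $cname) {
    throw "$record has no CNAME yet; create it at your DNS provider before pressing <Enter> in wacs.exe"
}
# DNS panels differ on the trailing dot, so compare without it.
if ($cname.TrimEnd('.') -ne $CnameTarget.TrimEnd('.')) {
    throw "$record points at '$cname', expected '$CnameTarget'"
}
Write-Host "$record -> $cname (acme-dns delegation OK)"
```

Run it from an elevated PowerShell on the host where wacs.exe is installed; a thrown error means the corresponding step in the session below will fail with "Failed to create order" or a validation error.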


```cmd

 A simple Windows ACMEv2 client (WACS)
 Software version 2.2.9.1701 (release, trimmed, standalone, 64-bit)
 Connecting to https://acme.zerossl.com/v2/DV90/...
 Connection OK!
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit

 Please choose from the menu: m

 Running in mode: Interactive, Advanced

 Please specify how the list of domain names that will be included in the
 certificate should be determined. If you choose for one of the "all bindings"
 options, the list will automatically be updated for future renewals to
 reflect the bindings at that time.

 1: Read bindings from IIS
 2: Manual input
 3: CSR created by another program
 C: Abort

 How shall we determine the domain(s) to include in the certificate?: 2

Description:         A host name to get a certificate for. This may be a
                     comma-separated list.

 Host: test.microcharon.com, *.test.microcharon.com

 Source generated using plugin Manual: test.microcharon.com and 1 alternatives

 Friendly name '[Manual] test.microcharon.com'. <Enter> to accept or type desired name: Default Web Site

 By default your source identifiers are covered by a single certificate. But
 if you want to avoid the 100 domain limit, want to prevent information
 disclosure via the SAN list, and/or reduce the operational impact of a single
 validation failure, you may choose to convert one source into multiple
 certificates, using different strategies.

 1: Separate certificate for each domain (e.g. *.example.com)
 2: Separate certificate for each host (e.g. sub.example.com)
 3: Separate certificate for each IIS site
 4: Single certificate
 C: Abort

 Would you like to split this source into multiple certificates?:
                                                                  <Enter>

 Validation plugin SelfHosting not available: HTTP validation cannot be used for wildcard identifiers (e.g. *.example.com)
 Validation plugin FileSystem not available: HTTP validation cannot be used for wildcard identifiers (e.g. *.example.com)

 The ACME server will need to verify that you are the owner of the domain
 names that you are requesting the certificate for. This happens both during
 initial setup *and* for every future renewal. There are two main methods of
 doing so: answering specific http requests (http-01) or create specific dns
 records (dns-01). For wildcard identifiers the latter is the only option.
 Various additional plugins are available from
 https://github.com/win-acme/win-acme/.

 1: [http] Save verification files on (network) path
 2: [http] Serve verification files from memory
 3: [http] Upload verification files via FTP(S)
 4: [http] Upload verification files via SSH-FTP
 5: [http] Upload verification files via WebDav
 6: [dns] Create verification records manually (auto-renew not possible)
 7: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns] Create verification records with your own script
 9: [tls-alpn] Answer TLS verification request from win-acme
 <Enter>: Abort

 How would you like prove ownership for the domain(s)?: 7

Description:         Root URI of the acme-dns service

 AcmeDnsServer: https://auth.acme-dns.io

 Creating new acme-dns registration for domain test.microcharon.com

Domain:              test.microcharon.com
Record:              _acme-challenge.test.microcharon.com
Type:                CNAME
Content:             7507d944-8603-4a13-9103-7215079c6855.auth.acme-dns.io.
Note:                Some DNS control panels add the final dot automatically.
                     Only one is required.

 Please press <Enter> after you've created and verified the record

 Verification of acme-dns configuration succesful.
 Existing acme-dns registration for domain test.microcharon.com found
 Record: _acme-challenge.test.microcharon.com
 CNAME: 7507d944-8603-4a13-9103-7215079c6855.auth.acme-dns.io
 Verification of acme-dns configuration succesful.

 After ownership of the domain(s) has been proven, we will create a
 Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
 determines properties of the certificate like which (type of) key to use. If
 you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key
 C: Abort

 What kind of private key should be used for the certificate?:
                                                               <Enter>

 When we have the certificate, you can store in one or more ways to make it
 accessible to your applications. The Windows Certificate Store is the default
 location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store (Local Computer)
 5: No (additional) store steps

 How would you like to store the certificate?:
                                               <Enter>

 1: [WebHosting] - Dedicated store for IIS
 2: [My] - General computer store (for Exchange/RDS)
 3: [Default] - Use global default, currently WebHosting

 Choose store to use, or type the name of another unlisted store:
                                                                  <Enter>

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store (Local Computer)
 5: No (additional) store steps

 Would you like to store it in another way too?:
                                                 <Enter>

 With the certificate saved to the store(s) of your choice, you may choose one
 or more steps to update your applications, e.g. to configure the new
 thumbprint, or to update bindings.

 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps

 Which installation step should run first?: 3

 Plugin Manual generated source test.microcharon.com with 2 identifiers
 Plugin Single created 1 order
 Failed to create order

 Create certificate failed, retry? (y/n*) - yes

 Plugin Manual generated source test.microcharon.com with 2 identifiers
 Plugin Single created 1 order
 [test.microcharon.com] Authorizing...
 [test.microcharon.com] Authorizing using dns-01 validation (acme-dns)
 Verification of acme-dns configuration succesful.
 [test.microcharon.com] Record Ta3xUsB2zqLY55bffZoSJmmyp-gRXcvL4xYUEQ6v8Cg successfully created
 [test.microcharon.com] Preliminary validation succeeded
 [test.microcharon.com] Authorization result: valid
 [test.microcharon.com] Record Ta3xUsB2zqLY55bffZoSJmmyp-gRXcvL4xYUEQ6v8Cg deleted
 [*.test.microcharon.com] Authorizing...
 [*.test.microcharon.com] Authorizing using dns-01 validation (acme-dns)
 Verification of acme-dns configuration succesful.
 [*.test.microcharon.com] Record AloyptQV5iX04FkuiX5F8KOKbARN6uMFaddlivNp8J8 successfully created
 [*.test.microcharon.com] Preliminary validation succeeded
 [*.test.microcharon.com] Authorization result: valid
 [*.test.microcharon.com] Record AloyptQV5iX04FkuiX5F8KOKbARN6uMFaddlivNp8J8 deleted
 Downloading certificate Default Web Site
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate Default Web Site @ 2025/3/22 in store WebHosting
 Adding certificate CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT in store CA
 Adding certificate CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US in store CA
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme.zerossl.comv2DV90)
 - Path D:\Win-ACME
 - Command wacs.exe --renew --baseuri "https://acme.zerossl.com/v2/DV90/"
 - Start at 09:00:00
 - Random delay 04:00:00
 - Time limit 02:00:00

 Do you want to specify the user the task will run as? (y/n*) - <Enter>

 Adding renewal for Default Web Site
 Next renewal due after 2025/5/16
 Certificate Default Web Site created

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit

 Please choose from the menu:
```
  • I have already put all my certificates on the CDN; the origin only accepts CDN IPs and has no certificate configured. What about that?

  • Seeing this made me realize that Windows users also need to request certificates ac01

  • Nice, learned something and bookmarked it.

  • Nice, bumping.
    Few people use IIS on Windows anymore; better go with Nginx.

  • Nice.

  • Win-ACME is quite handy, and it is simple to configure too.

  • Better to buy from my signature instead.
