一、證書申請(qǐng)
certbot certonly -d example.com --webroot
交互窗口輸入IIS站點(diǎn)根目錄����,以使certbot創(chuàng)建驗(yàn)證文件(通過http協(xié)議地址能夠被訪問到)����,由于生成驗(yàn)證文件不具備后綴名,在默認(rèn)IIS安全設(shè)置中是不允許此類鏈接訪問的�����,因此還需要在網(wǎng)站MIME類型中加個(gè)通配符類型『.』����,配置其對(duì)應(yīng)的類型為『application/octet-stream』。
驗(yàn)證通過后會(huì)將證書發(fā)布至C:\Certbot文件夾下����,archive和live目錄下均會(huì)生成域名對(duì)應(yīng)的文件夾,live為有效的archive目錄下快捷方式���。
跳轉(zhuǎn)到live\example.com目錄下,會(huì)有cert.pem, chain.pem, fullchain.pem, privkey.pem幾個(gè)生成文件��,其中fullchain和privkey是下一步需要的文件�。
注: CertBot最新版本只支持Win7或以上系統(tǒng),對(duì)應(yīng)的Windows Server版本至少需要在Server 2012或以上����,若是更早的WinServer操作系統(tǒng),需要下載低版本的CertBot���,主要原因是其依賴的python環(huán)境不支持低版本操作系統(tǒng)���。
二��、證書類型轉(zhuǎn)換
$env:MYPASS = "123"
openssl pkcs12 -export -out example.com.pfx -passout env:MYPASS -in fullchain.pem -inkey privkey.pem
三�����、證書導(dǎo)入與綁定
certutil -p 123 -importPFX example.com.pfx
$oSsl = $( ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com" } )
Import-Module WebAdministration
New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 443 -Protocol https
$oBind = Get-WebBinding -Name "Default Web Site" -Port 443 -Protocol https
$oBind.AddSslCertificate($oSsl.Thumbprint, "my")
四�、建立自動(dòng)更新任務(wù)
每隔一個(gè)月執(zhí)行自動(dòng)檢測(cè)更新腳本
$oDT = Get-Date -Format "yyyyMMdd"
$nMo = [int]$oDT.substring(4,2) % 2
$strMonths = ""
if ($nMon -eq 1) {
$strMonths = "1,3,5,7,9,11"
} else {
$strMonths = "2,4,6,8,10,12"
}
$oDT -Match "(..)(..)(..)"
$strDT = "$($Matches[1])/$($Matches[2])/$($Matches[3])"
schtasks /create /tn UpdateSSL /sc MONTHLY /mo $strMonths /sd "$strDT" /st 00:30:00 /tr "powershell -Command \`"Set-ExecutePolicy -Scope Process Bypass; Start powershell $PWD\UpdateSSL.ps1;\`""
UpdateSSL.ps1
function pause() {
Write-Host "Press any key to contiune..."
[Console]::ReadKey() | Out-Null
}
function main() {
pushd C:\Certbot\live\example.com\
# Pull update state
$strRet = $(certbot renew --cert-name example.com)
$bUpdate = $($strRet | findstr /c:"No renewals")
if ("$bUpdate" -ne "") {
Write-Host "No new update, skip..."
} else {
Write-Host "Renewals founded, now export pfx file."
# Backup old cert file
Write-Host "Step 1: Backup the old pfx file."
$strDT = $(Get-Date -Format "yyyyMMdd").ToString()
mv example.com.pfx "backup_${strDT}_example.com.pfx"
# Export cert as pkcs12 file
Write-Host "Step 2: Export the new cert to pfx file."
$env:cert_pass = "123"
openssl pkcs12 -export -out example.com.pfx -passout env:cert_pass -in fullchain.pem -inkey privkey.pem
# Delete old pfx in local machine
Write-Host "Step 3: Delete the certification from cert store."
ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com"} | rm
# Import pfx to cert store
Write-Host "Step 4: Import the new certification to cert store."
certutil -f -p 123 -importPFX $PWD\example.com.pfx
# ReBind certification of web site
Write-Host "Step 5: Rebind the certification to default web site as https protocol."
$oCert = $( ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com"} )
$oCert
$oBind = Get-WebBinding -Name "Default Web Site" -Protocol "https"
$oBind
Write-Host " Step 5.1: Remove certification from Default Web Site."
$oBind.RemoveSslCertificate()
#pause
Write-Host " Step 5.2: Add new certification from Default Web Site."
$oBind.AddSslCertificate($oCert.Thumbprint, "My")
#pause
# Restart web site
Write-Host "Step 6: Restart the Default Web Site."
$oWebSite = Get-WebSite -Name "Default Web Site"
$oWebSite.Stop()
$oWebSite.Start()
}
popd
}
main
pause
400 186 1886
