一、證書申請
# Request a certificate for example.com with the webroot challenge; certbot
# prompts for the IIS site root here (pass "-w <site root>" to skip the prompt).
certbot certonly --webroot -d example.com
在交互窗口中輸入IIS站點的根目錄,讓certbot在其下的 .well-known/acme-challenge 目錄建立驗證文件(必須能通過 http://example.com/.well-known/acme-challenge/... 存取)。由於驗證文件沒有副檔名,IIS 預設不會提供此類檔案,因此需要新增通配符 MIME 類型『.』並對應到『application/octet-stream』。建議只在 .well-known/acme-challenge 目錄(例如放一個該目錄專用的 web.config)設定此 MIME 類型,而不要套用到整個站點,否則站點根目錄下所有無副檔名的檔案都會變成可被下載。
驗證通過後,證書會產生到 C:\Certbot 目錄下:archive 目錄保存每一版實際的憑證與金鑰檔案,live 目錄只是指向 archive 中目前有效版本的連結(快捷方式),後續步驟一律讀取 live 目錄即可。
進入 live\example.com 目錄,會看到 cert.pem、chain.pem、fullchain.pem、privkey.pem 幾個檔案,下一步需要 fullchain.pem(憑證加中繼鏈)與 privkey.pem(私鑰)。privkey.pem 是未加密的私鑰,請確認 C:\Certbot 目錄的 ACL 僅允許系統管理員存取,且不要把它放在網站根目錄之下。
注: CertBot最新版本只支持Win7或以上系統,對應的Windows Server版本至少需要在Server 2012或以上,若是更早的WinServer操作系統,需要下載低版本的CertBot,主要原因是其依賴的python環境不支持低版本操作系統。
二、證書類型轉換
# Password that protects the exported PFX. NOTE(review): "123" is a
# placeholder; the import step must use the same value, so replace both
# with a real secret before using this outside a lab.
$env:MYPASS = '123'
# Bundle leaf+chain and the private key into a PKCS#12 file for IIS. The
# password is read from the environment so it never appears on the command line.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out example.com.pfx -passout env:MYPASS
三、證書導入與綁定
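# Import the PFX into the machine store. The password is taken from $env:MYPASS
# (set when the PFX was exported) and handed over as a SecureString, so it does
# not show up in the process command line the way "certutil -p 123" does.
# Import-PfxCertificate (PKI module) exists on Server 2012+, which this page
# already requires; the key is imported non-exportable, which is all IIS needs.
if (-not $env:MYPASS) { throw "MYPASS is not set; export the PFX first." }
$pfxPwd = ConvertTo-SecureString $env:MYPASS -AsPlainText -Force
# Use the returned certificate object instead of a "*example.com" subject search,
# which could match several certificates (or an unrelated "bad-example.com").
$oSsl = Import-PfxCertificate -FilePath example.com.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
Import-Module WebAdministration
# New-WebBinding fails on a duplicate, so only create the https binding once.
if (-not (Get-WebBinding -Name "Default Web Site" -Port 443 -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 443 -Protocol https
}
$oBind = Get-WebBinding -Name "Default Web Site" -Port 443 -Protocol https
$oBind.AddSslCertificate($oSsl.Thumbprint, "my")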
四、建立自動更新任務
每隔一個月(隔月的 1 日)執行一次自動檢測更新腳本。注意:Let's Encrypt 憑證有效期為 90 天,certbot renew 只會在到期前 30 天內才真正更新,若某次執行失敗就要再等兩個月才會重試,因此實務上建議改為每天或每週執行(未到更新時間時 certbot renew 不會做任何事)。
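# Schedule UpdateSSL.ps1 at 00:30 on the 1st of every other month: odd months
# if today is in an odd month, even months otherwise. (The original tested an
# unset $nMon instead of $nMo, so it always picked the even months.)
# NOTE(review): Let's Encrypt certificates last 90 days and "certbot renew" is a
# no-op until 30 days before expiry, so a bimonthly check leaves no retry margin
# if one run fails; a daily or weekly schedule is the usual choice.
$today = Get-Date
if ($today.Month % 2 -eq 1) {
    $strMonths = "JAN,MAR,MAY,JUL,SEP,NOV"
} else {
    $strMonths = "FEB,APR,JUN,AUG,OCT,DEC"
}
# The month list belongs to /m (with /d for the day); /mo only takes a single
# modifier for MONTHLY schedules.
# /sd wants the regional short-date format; yyyy/MM/dd matches the zh locale
# this page targets -- adjust on systems that use MM/dd/yyyy. The old
# "(..)(..)(..)" regex on yyyyMMdd produced "yy/yy/MM", not a valid date.
$strDT = $today.ToString("yyyy/MM/dd")
# /rl HIGHEST: UpdateSSL.ps1 writes to Cert:\LocalMachine\My and changes IIS
# bindings, which a UAC-filtered token cannot do. -NonInteractive keeps an
# unattended run from hanging on prompts. $PWD is captured at creation time,
# so run this from the folder that holds UpdateSSL.ps1.
schtasks /create /tn UpdateSSL /sc MONTHLY /m $strMonths /d 1 /sd "$strDT" /st 00:30 /rl HIGHEST /tr "powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File \`"$PWD\UpdateSSL.ps1\`""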
UpdateSSL.ps1
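# Wait for a keypress so a console window stays open for the operator to read
# the output. Skipped when powershell.exe was started with -NonInteractive;
# otherwise an unattended run (e.g. from a scheduled task) would sit on
# ReadKey() forever.
function pause() {
    if ([Environment]::GetCommandLineArgs() -match '^-NonI') { return }
    Write-Host "Press any key to continue..."
    [Console]::ReadKey() | Out-Null
}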
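# Renew the example.com certificate with certbot and, when a new one was
# issued, load it into the machine store and re-bind the Default Web Site.
# Must run elevated: it writes to Cert:\LocalMachine\My and changes IIS bindings.
# Order of operations matters: the new certificate is imported and bound
# BEFORE the old one is deleted, so a failure never leaves the site without one.
function main() {
    pushd C:\Certbot\live\example.com\
    try {
        # certbot prints "No renewals were attempted" when the cert is not yet
        # due; any other output with exit code 0 means the files in this
        # directory were just replaced. A non-zero exit is an error, not a renewal.
        $strRet = $(certbot renew --cert-name example.com)
        if ($LASTEXITCODE -ne 0) {
            Write-Host "certbot renew failed (exit $LASTEXITCODE):"
            $strRet
            return
        }
        $bUpdate = $($strRet | findstr /c:"No renewals")
        if ("$bUpdate" -ne "") {
            Write-Host "No new update, skip..."
            return
        }
        Write-Host "Renewals found, now export pfx file."

        # Step 1: export the new key pair as PKCS#12. The PFX exists only to get
        # the key into the store, so protect it with a one-time random password
        # held in this process (not a fixed "123") and delete it afterwards. No
        # backup copy is kept: the superseded key is still in C:\Certbot\archive.
        Write-Host "Step 1: Export the new cert to pfx file."
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $buf = New-Object byte[] 24
        $rng.GetBytes($buf)
        $rng.Dispose()
        $env:cert_pass = [Convert]::ToBase64String($buf)
        openssl pkcs12 -export -out example.com.pfx -passout env:cert_pass -in fullchain.pem -inkey privkey.pem
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 export failed" }

        # Step 2: import the new certificate. Import-PfxCertificate takes the
        # password as a SecureString (nothing on the command line, unlike
        # "certutil -p") and returns the certificate, so we know its thumbprint
        # without a fuzzy subject search.
        Write-Host "Step 2: Import the new certification to cert store."
        $pfxPwd = ConvertTo-SecureString $env:cert_pass -AsPlainText -Force
        $oCert = Import-PfxCertificate -FilePath "$PWD\example.com.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
        Remove-Item example.com.pfx -Force
        $env:cert_pass = $null
        $oCert

        # Step 3: swap the certificate on the site's https binding.
        Write-Host "Step 3: Rebind the certification to default web site as https protocol."
        $oBind = Get-WebBinding -Name "Default Web Site" -Protocol "https"
        $oBind
        Write-Host " Step 3.1: Remove certification from Default Web Site."
        $oBind.RemoveSslCertificate()
        Write-Host " Step 3.2: Add new certification to Default Web Site."
        $oBind.AddSslCertificate($oCert.Thumbprint, "My")

        # Step 4: now that the new one is bound, drop the superseded
        # certificates for this name -- matched on the CN, never the one just
        # imported.
        Write-Host "Step 4: Delete the old certification from cert store."
        ls Cert:\LocalMachine\My |
            ?{ $_.Subject -like "*CN=example.com" -and $_.Thumbprint -ne $oCert.Thumbprint } |
            rm

        # Step 5: restart the site so the new binding is picked up.
        Write-Host "Step 5: Restart the Default Web Site."
        $oWebSite = Get-WebSite -Name "Default Web Site"
        $oWebSite.Stop()
        $oWebSite.Start()
    } finally {
        # Always return to the original directory, even on an early return or throw.
        popd
    }
}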
# Entry point: run one renewal pass, then hold the console open so an operator
# running the script by hand can read the output.
main
pause