一、证书申请
- 工具: Certbot
- 端口需求: 80
certbot certonly -d example.com --webroot
交互窗口输入IIS站点根目录,以使certbot创建验证文件(通过http协议地址能够被访问到),由于生成验证文件不具备后缀名,在默认IIS安全设置中是不允许此类链接访问的,因此还需要在网站MIME类型中加个通配符类型『.』,配置其对应的类型为『application/octet-stream』。
验证通过后会将证书发布至C:\Certbot文件夹下,archive和live目录下均会生成域名对应的文件夹,live为有效的archive目录下快捷方式。
跳转到live\example.com目录下,会有cert.pem, chain.pem, fullchain.pem, privkey.pem几个生成文件,其中fullchain和privkey是下一步需要的文件。
注: CertBot最新版本只支持Win7或以上系统,对应的Windows Server版本至少需要在Server 2012或以上,若是更早的WinServer操作系统,需要下载低版本的CertBot,主要原因是其依赖的python环境不支持低版本操作系统。
二、证书类型转换
- 工具: openssl
$env:MYPASS = "123"
openssl pkcs12 -export -out example.com.pfx -passout env:MYPASS -in fullchain.pem -inkey privkey.pem
三、证书导入与绑定
certutil -p 123 -importPFX example.com.pfx
$oSsl = $( ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com" } )
Import-Module WebAdministration
New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 443 -Protocol https
$oBind = Get-WebBinding -Name "Default Web Site" -Port 443 -Protocol https
$oBind.AddSslCertificate($oSsl.Thumbprint, "my")
四、建立自动更新任务
-
计划任务建立
每隔一个月执行自动检测更新脚本
$oDT = Get-Date -Format "yyyyMMdd"
$nMo = [int]$oDT.substring(4,2) % 2
$strMonths = ""
if ($nMon -eq 1) {
$strMonths = "1,3,5,7,9,11"
} else {
$strMonths = "2,4,6,8,10,12"
}
$oDT -Match "(..)(..)(..)"
$strDT = "$($Matches[1])/$($Matches[2])/$($Matches[3])"
schtasks /create /tn UpdateSSL /sc MONTHLY /mo $strMonths /sd "$strDT" /st 00:30:00 /tr "powershell -Command \`"Set-ExecutePolicy -Scope Process Bypass; Start powershell $PWD\UpdateSSL.ps1;\`""
-
详细执行内容
UpdateSSL.ps1
function pause() {
Write-Host "Press any key to contiune..."
[Console]::ReadKey() | Out-Null
}
function main() {
pushd C:\Certbot\live\example.com\
# Pull update state
$strRet = $(certbot renew --cert-name example.com)
$bUpdate = $($strRet | findstr /c:"No renewals")
if ("$bUpdate" -ne "") {
Write-Host "No new update, skip..."
} else {
Write-Host "Renewals founded, now export pfx file."
# Backup old cert file
Write-Host "Step 1: Backup the old pfx file."
$strDT = $(Get-Date -Format "yyyyMMdd").ToString()
mv example.com.pfx "backup_${strDT}_example.com.pfx"
# Export cert as pkcs12 file
Write-Host "Step 2: Export the new cert to pfx file."
$env:cert_pass = "123"
openssl pkcs12 -export -out example.com.pfx -passout env:cert_pass -in fullchain.pem -inkey privkey.pem
# Delete old pfx in local machine
Write-Host "Step 3: Delete the certification from cert store."
ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com"} | rm
# Import pfx to cert store
Write-Host "Step 4: Import the new certification to cert store."
certutil -f -p 123 -importPFX $PWD\example.com.pfx
# ReBind certification of web site
Write-Host "Step 5: Rebind the certification to default web site as https protocol."
$oCert = $( ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com"} )
$oCert
$oBind = Get-WebBinding -Name "Default Web Site" -Protocol "https"
$oBind
Write-Host " Step 5.1: Remove certification from Default Web Site."
$oBind.RemoveSslCertificate()
#pause
Write-Host " Step 5.2: Add new certification from Default Web Site."
$oBind.AddSslCertificate($oCert.Thumbprint, "My")
#pause
# Restart web site
Write-Host "Step 6: Restart the Default Web Site."
$oWebSite = Get-WebSite -Name "Default Web Site"
$oWebSite.Stop()
$oWebSite.Start()
}
popd
}
main
pause