Windows服务器申请SSL证书及自动续期

一、证书申请

• 工具: Certbot
• 端口需求: 80 

certbot certonly -d example.com --webroot

        交互窗口输入IIS站点根目录，以使certbot创建验证文件(通过http协议地址能够被访问到)，由于生成验证文件不具备后缀名，在默认IIS安全设置中是不允许此类链接访问的，因此还需要在网站MIME类型中加个通配符类型『.』，配置其对应的类型为『application/octet-stream』。
        验证通过后会将证书发布至C:\Certbot文件夹下，archive和live目录下均会生成域名对应的文件夹，live为有效的archive目录下快捷方式。
        跳转到live\example.com目录下，会有cert.pem, chain.pem, fullchain.pem, privkey.pem几个生成文件，其中fullchain和privkey是下一步需要的文件。

注: CertBot最新版本只支持Win7或以上系统，对应的Windows Server版本至少需要在Server 2012或以上，若是更早的WinServer操作系统，需要下载低版本的CertBot，主要原因是其依赖的python环境不支持低版本操作系统。

二、证书类型转换

• 工具: openssl   

$env:MYPASS = "123"
openssl pkcs12 -export -out example.com.pfx -passout env:MYPASS -in fullchain.pem -inkey privkey.pem

三、证书导入与绑定

certutil -p 123 -importPFX example.com.pfx
$oSsl = $( ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com" } )
Import-Module WebAdministration
New-WebBinding -Name "Default Web Site" -IPAddress "*" -Port 443 -Protocol https
$oBind = Get-WebBinding -Name "Default Web Site" -Port 443 -Protocol https
$oBind.AddSslCertificate($oSsl.Thumbprint, "my")

四、建立自动更新任务

• 计划任务建立

         每隔一个月执行自动检测更新脚本

$oDT = Get-Date -Format "yyyyMMdd"
$nMo = [int]$oDT.substring(4,2) % 2
$strMonths = ""
if ($nMon -eq 1) {
	$strMonths = "1,3,5,7,9,11"
} else {
	$strMonths = "2,4,6,8,10,12"
}
$oDT -Match "(..)(..)(..)"
$strDT = "$($Matches[1])/$($Matches[2])/$($Matches[3])"
schtasks /create /tn UpdateSSL /sc MONTHLY /mo $strMonths /sd "$strDT" /st 00:30:00 /tr "powershell -Command \`"Set-ExecutePolicy -Scope Process Bypass; Start powershell $PWD\UpdateSSL.ps1;\`""

•  详细执行内容

        UpdateSSL.ps1

function pause() {
    Write-Host "Press any key to contiune..."
    [Console]::ReadKey() | Out-Null
}

function main() {
    pushd C:\Certbot\live\example.com\

    # Pull update state
    $strRet = $(certbot renew --cert-name example.com)
    $bUpdate = $($strRet | findstr /c:"No renewals")
    if ("$bUpdate" -ne "") {
        Write-Host "No new update, skip..."
    } else {
        Write-Host "Renewals founded, now export pfx file."

        # Backup old cert file
        Write-Host "Step 1: Backup the old pfx file."
        $strDT = $(Get-Date -Format "yyyyMMdd").ToString()
        mv example.com.pfx "backup_${strDT}_example.com.pfx"

        # Export cert as pkcs12 file
        Write-Host "Step 2: Export the new cert to pfx file."
        $env:cert_pass = "123"
        openssl pkcs12 -export -out example.com.pfx -passout env:cert_pass -in fullchain.pem -inkey privkey.pem

        # Delete old pfx in local machine
        Write-Host "Step 3: Delete the certification from cert store."
        ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com"} | rm

        # Import pfx to cert store
        Write-Host "Step 4: Import the new certification to cert store."
        certutil -f -p 123 -importPFX $PWD\example.com.pfx

        # ReBind certification of web site
        Write-Host "Step 5: Rebind the certification to default web site as https protocol."
        $oCert = $( ls Cert:\LocalMachine\My | ?{ $_.Subject -like "*example.com"} )
        $oCert
        $oBind = Get-WebBinding -Name "Default Web Site" -Protocol "https"
        $oBind
        Write-Host " Step 5.1: Remove certification from Default Web Site."
        $oBind.RemoveSslCertificate()
        #pause
        Write-Host " Step 5.2: Add new certification from Default Web Site."
        $oBind.AddSslCertificate($oCert.Thumbprint, "My")
        #pause

        # Restart web site
        Write-Host "Step 6: Restart the Default Web Site."
        $oWebSite = Get-WebSite -Name "Default Web Site"
        $oWebSite.Stop()
        $oWebSite.Start()
    }

    popd
}

main
pause