TAGS: Technology SSL Web development

This tutorial walks through the whole process of getting a free SSL certificate onto a GoDaddy Windows shared hosting site that runs Plesk: creating the certificate request in Plesk, requesting the certificate from Let's Encrypt (step by step), and finally installing it back in GoDaddy.


1. Create the CSR (certificate signing request) file (single domain) [For multi-domain certificates, click here]

1.1 Open the GoDaddy Plesk control panel: [Websites & Domains] -> select the site that needs the certificate -> [SSL/TLS Certificates]


1.2 Click the [Add SSL/TLS Certificates] button


1.3 Fill in the certificate request details, then click [Request] to submit the request.


1.4 Once the request has been submitted, open the SSL certificate you just created; you will see the generated CSR text and the Private key text. Copy each of these two blocks into a local text editor and save them as two files with the *.csr and *.key extensions. They are used in the next step to request the free certificate.

The created *.csr and *.key files


2. Request a free certificate from Let's Encrypt

Introduction to Let's Encrypt certificates: [click here]

To request a free Let's Encrypt certificate on Windows, I used the third-party tool [win-acme v2].

Download: https://github.com/PKISharp/win-acme

After extracting the downloaded package, run wacs.exe as Administrator.


2.1 Create the new certificate in custom mode: choose [M: Create new certificate (full options)]

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.0.10.444 (RELEASE)
 [INFO] IIS version 10.0
 [INFO] Scheduled task looks healthy
 [INFO] Please report issues at https://github.com/PKISharp/win-acme

 N: Create new certificate (simple for IIS)
 M: Create new certificate (full options)
 L: List scheduled renewals
 R: Renew scheduled
 S: Renew specific
 A: Renew *all*
 O: More options...
 Q: Quit

 Please choose from the menu: m

 

2.2 Choose to read the certificate request from a CSR file created by another program: select [5: Read a CSR created by another program], then enter the paths of the csr and key files created in step 1 of this post.

[INFO] Running in mode: Interactive, Advanced

  Please specify how the list of domain names that will be included in the
  certificate should be determined. If you choose for one of the "all bindings"
  options, the list will automatically be updated for future renewals to reflect
  the bindings at that time.

 1: Single binding of an IIS website
 2: All bindings of an IIS website
 3: All bindings of multiple IIS websites
 4: Manual input
 5: Read a CSR created by another program
 <Enter> Abort

 How shall we determine the domain(s) to include in the certificate?: 5

 Enter the path to the CSR: D:\ArkyCert\arky.ca.csr

 Enter the path to the corresponding private key, or <Enter> to create a certificate without one: D:\ArkyCert\arky.ca.key

 [INFO] Target generated using plugin CSR: www.arky.ca


2.3 At the suggested FriendlyName prompt it is fine to just press Enter. The next step is choosing how to validate your domain; here we validate by adding a TXT record in the domain's DNS, so select [6: [dns-01] Create verification records manually (auto-renew not possible)]

Suggested FriendlyName is '[Csr] D:\ArkyCert\arky.ca.csr', press enter to accept or type an alternative: arky.ca.csr

  The ACME server will need to verify that you are the owner of the domain names
  that you are requesting the certificate for. This happens both during initial
  setup *and* for every future renewal. There are two main methods of doing so:
  answering specific http requests (http-01) or create specific dns records
  (dns-01). For wildcard domains the latter is the only option. Various
  additional plugins are available from https://github.com/PKISharp/win-acme/.

 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory (recommended)
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 C: Abort

 How would you like prove ownership for the domain(s) in the certificate?: 6


2.4 Next select [1: IIS Central Certificate Store (.pfx per domain)] to produce a pfx certificate file, specify the folder where the final certificate is saved [D:\ArkyCert], and set a password for the pfx file (may be left empty).

Then select [3: No additional storage steps required], and at the next prompt choose not to run any extra installation step: [3: Do not run any (extra) installation steps]

When we have the certificate, you can store in one or more ways to make it
  accessible to your applications. The Windows Certificate Store is the default
  location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per domain)
 2: PEM encoded files (Apache, nginx, etc.)
 3: Windows Certificate Store
 C: Abort

 How would you like to store the certificate?: 1

 Path to Central Certificate Store: D:\ArkyCert

 Password to use for the PFX files, or enter for none:

 1: PEM encoded files (Apache, nginx, etc.)
 2: Windows Certificate Store
 3: No additional storage steps required
 C: Abort

 Would you like to store it in another way too?: 3

  With the certificate now saved to the store(s) of your choice, you may choose
  one or more steps to update your applications, e.g. to configure the new
  thumbprint, or to update bindings.

 1: Create or update https bindings in IIS
 2: Start external script or program
 3: Do not run any (extra) installation steps

 Which installation step should run first?: 3


2.5 The console now prints the DNS record to configure:

[INFO] Authorize identifier: www.arky.ca
 [INFO] Authorizing www.arky.ca using dns-01 validation (Manual)

 Domain:              www.arky.ca
 Record:              _acme-challenge.www.arky.ca
 Type:                TXT
 Content:             "_ZqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxM"
 Note:                Some DNS managers add quotes automatically. A single set
                      is needed.

 Please press enter after you've created and verified the record

Log in to your domain's DNS management console and add a TXT record. In the record Name field enter the Record value without your domain part, as shown in the figure: _acme-challenge.www. In the RDATA field enter the Content value and save. Wait about 30 seconds for the record to take effect, then return to win-acme and press Enter to continue with the validation step.
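Before pressing Enter it is worth confirming that the TXT record is really being served, since the ACME server validates immediately. The following is an added example, not part of the original post: it derives the Name to enter in the DNS panel from win-acme's Record line, checks a lookup result for the token while tolerating the quoting issue win-acme warns about, and polls until the record is visible. It assumes dig is on PATH and uses 8.8.8.8 as an assumed public resolver; the token is a constructed placeholder.

```shell
# Added example, not from the original post: confirm the _acme-challenge TXT
# record is publicly visible before pressing Enter in win-acme (step 2.5).
# Assumes dig on PATH for the live lookup; 8.8.8.8 is an assumed public resolver.
set -eu

# relative_name RECORD ZONE -> what goes in the DNS panel's Name field:
# relative_name _acme-challenge.www.arky.ca arky.ca -> _acme-challenge.www
relative_name() {
  printf '%s\n' "${1%.$2}"
}

# txt_has_token LOOKUP_OUTPUT TOKEN -> yes|no. Each line of the lookup output is
# accepted with or without one pair of surrounding quotes (some DNS managers add
# them, see win-acme's note); doubled quotes or a different token give "no".
txt_has_token() {
  if printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -qxF -- "$2"; then
    echo yes
  else
    echo no
  fi
}

# wait_for_txt RECORD TOKEN [TRIES] -> polls public DNS every 10 s until the
# token is served (at most TRIES attempts, default 12), so validation is only
# triggered once the record is actually answered.
wait_for_txt() {
  tries="${3:-12}"
  while [ "$tries" -gt 0 ]; do
    out=$(dig +short @8.8.8.8 TXT "$1" 2>/dev/null || true)
    if [ "$(txt_has_token "$out" "$2")" = yes ]; then
      echo "published: $1"; return 0
    fi
    tries=$((tries - 1)); sleep 10
  done
  echo "not visible yet: $1" >&2; return 1
}

# Usage (token copied from the win-acme screen; constructed placeholder here):
# wait_for_txt _acme-challenge.www.arky.ca _ZqCONSTRUCTEDTOKEN && echo "press Enter now"
```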


2.6 After validation succeeds, go back to the DNS management console, delete the TXT record you just added, then return to win-acme and press Enter to continue.

[INFO] Preliminary validation succeeded: _ZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMM found in _ZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMM
 [INFO] Answer should now be available at _acme-challenge.www.arky.ca
 [INFO] Preliminary validation succeeded: _ZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMM found in _ZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMM
 [WARN] First chance error calling into ACME server, retrying with new nonce...
 [INFO] Authorization result: valid

 Domain:              www.arky.ca
 Record:              _acme-challenge.www.arky.ca
 Type:                TXT
 Content:             "_ZxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMM"

 Please press enter after you've deleted the record


2.7 Finally, the console reports that the certificate was issued, and the certificate file [www.arky.ca.pfx] appears in the folder you specified; the certificate has now been obtained successfully.

[INFO] Requesting certificate arky.ca.csr
 [INFO] Store with CentralSsl...
 [INFO] Copying certificate to the Central SSL store
 [INFO] Saving certificate to Central SSL location D:\ArkyCert\www.arky.ca.pfx
 [INFO] Installing with None...
 [INFO] Scheduled task looks healthy

 Do you want to replace the existing task? (y/n*)  - no

 [INFO] Adding renewal for arky.ca.csr
 [INFO] Next renewal scheduled at 2019/11/28 14:52:24


3. Install the certificate file in GoDaddy

The certificate we obtained from Let's Encrypt is a *.pfx file, whereas GoDaddy needs a crt file (the client certificate and private key), so I used the Win64 OpenSSL tool to convert the pfx.

Win64/32 OpenSSL download:

https://slproweb.com/products/Win32OpenSSL.html

After installing Win64OpenSSL-1_1_1d.exe, run openssl.exe


3.1 Run the following command in openssl.exe (substitute your own pfx path and crt output path) and enter the pfx password (just press Enter if none was set); on success a *.crt file is produced.

openssl pkcs12 -in D:\ArkyCert\www.arky.ca.pfx -clcerts -nokeys -out D:\ArkyCert\www.arky.ca.crt
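The same conversion as a small script, added here as an example that is not from the original post: besides the certificate it also extracts the private key from the pfx and checks that the two belong together and that the certificate covers the site name before anything is uploaded. It assumes a POSIX shell with openssl on PATH (for example Git Bash or WSL on the same machine); file paths and the pfx password are passed as arguments.

```shell
# Added example, not from the original post. Assumes a POSIX shell with
# openssl on PATH (e.g. Git Bash or WSL); paths are passed as arguments.
set -eu

# pfx_to_pem PFX CRT KEY [PASSWORD]
# Writes the leaf certificate to CRT (the post's own command) and additionally
# the private key to KEY, the two pieces a Plesk certificate entry needs.
pfx_to_pem() {
  local pfx="$1" crt="$2" key="$3" pass="${4:-}"
  # -clcerts -nokeys: only the end-entity certificate, no key material.
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$crt" -passin "pass:$pass"
  # -nocerts -nodes: only the private key, written unencrypted, so restrict
  # the file to the current user and delete it once it has been uploaded.
  openssl pkcs12 -in "$pfx" -nocerts -nodes -out "$key" -passin "pass:$pass"
  chmod 600 "$key"
}

# cert_key_match CRT KEY -> prints "match" or "MISMATCH".
# Compares the public key inside the certificate with the public key derived
# from the private key; Plesk rejects a pair that does not match.
cert_key_match() {
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  if [ "$crt_pub" = "$key_pub" ]; then echo match; else echo MISMATCH; fi
}

# cert_summary CRT -> subject, SAN list and validity window, a last check that
# the certificate covers the site name and how long the 90-day validity runs.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName -dates
}

# Stand-alone use: script.sh site.pfx site.crt site.key [password]
if [ "$#" -ge 3 ]; then
  pfx_to_pem "$@"
  cert_key_match "$2" "$3"
  cert_summary "$2"
fi
```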


3.2 Return to the GoDaddy certificate management page and upload the crt file you just generated, as shown in the figure below.


3.3 Open the [Hosting Settings] section of the GoDaddy Plesk site management panel, tick [SSL/TLS Support], select the certificate you created, and save. The certificate setup is complete.



4. Open a browser and visit your site over https; you will see that the site now shows the padlock security indicator.