Create sample collection #55

Open
8 of 11 tasks
glatzert opened this issue Jan 29, 2020 · 1 comment

@glatzert
Collaborator

glatzert commented Jan 29, 2020

  • Account creation
  • Account changes / deactivation
  • Place an order with a single or multiple dns names
  • Authorize multiple challenges
  • Issue a certificate with generated keys
  • Issue a certificate with custom keys
  • Issue multiple certificates
  • Automatically upgrade IIS certificates (leverages IIS CCS)
  • Import the Certificate Chain (automatically included since 1.2)
  • Convert .pfx to .pem and .key (include chain)
  • Add sample to show failure reasons.
@kiwiingenuity

kiwiingenuity commented Feb 2, 2020

A solution that provides a single certificate that can be for a single DNS name or multiple DNS names.
Feel free to use this in your examples, or change it to how you like it.

Create a file CreateAcmeCertificate.ps1 with the following content.

=====================
param (
    [string]   $stateDir,
    [string[]] $dnsList,   # typed as an array so a single name still iterates as one element
    [string]   $wwwRoot,
    [string]   $certname,
    [string]   $password
)

try {

    # Load the state object to have the service directory and account keys available
    $state = Get-ACMEState -Path $stateDir;

    # It might be necessary to acquire a new nonce, so we'll just do it for the sake of the example.
    New-ACMENonce $state -PassThru;

    # Create the identifier for the DNS name(s)
    $identifiers = @();
    foreach ($dns in $dnsList) { $identifiers += New-ACMEIdentifier $dns }

    # Create the order object at the ACME service.
    $order = New-ACMEOrder $state -Identifiers $identifiers

    # Fetch the authorizations (array) for the order
    $authZ = Get-ACMEAuthorization -State $state -Order $order

    # We want to ensure the authorizations are processed in the same order as $dnsList
    foreach ($dns in $dnsList)
    {
        for ($i = 0; $i -lt $authZ.Length; $i++) {
            if ($authZ[$i].Identifier.value -eq $dns) {

                # Select a challenge to fulfill
                $challenge = Get-ACMEChallenge $state $authZ[$i] "http-01"

                # Inspect the challenge data (written to the pipeline for the sake of the example)
                $challenge.Data;

                # Create the file requested by the challenge
                $fileName = $wwwRoot + $challenge.Data.RelativeUrl;
                $challengePath = [System.IO.Path]::GetDirectoryName($fileName);
                # Write-Host "Filename      : " $fileName
                # Write-Host "Challenge Path: " $challengePath
                if (-not (Test-Path $challengePath)) {
                    New-Item -Path $challengePath -ItemType Directory
                }
                # -NoNewLine matters: the CA compares the body with the key authorization exactly
                Set-Content -Path $fileName -Value $challenge.Data.Content -NoNewLine;

                ## If you use IIS as I did - make sure there's a mimetype for files without an extension.
                ## The mimetype can be added with extension="." and type="text/plain" in your IIS configuration.
                # Check if the challenge is readable
                # (-UseBasicParsing avoids the Internet Explorer dependency on Windows PowerShell 5.1)
                $result = Invoke-WebRequest $challenge.Data.AbsoluteUrl -UseBasicParsing;

                if ($result.Content -eq $challenge.Data.Content) {

                    # Signal the ACME server that the challenge is ready
                    $challenge | Complete-ACMEChallenge $state;
                }
                else {
                    Write-Host $result
                    throw "Invoke-WebRequest failed! Check mimetype settings."
                }
            }
        }
    }

    # Wait a little bit and update the order, until we see one of the final states
    while ($order.Status -notin ("ready", "invalid")) {
        Start-Sleep -Seconds 10;
        $order | Update-ACMEOrder $state -PassThru;
    }

    if ($order.Status -eq "ready")
    {
        # We should have a valid order now and should be able to complete it
        # Therefore we need a certificate key
        $certKey = New-ACMECertificateKey -Path "$stateDir\$certname.key.xml";

        # Complete the order - this will issue a certificate signing request
        Complete-ACMEOrder $state -Order $order -CertificateKey $certKey;

        # Now we wait until the ACME service provides the certificate url
        while (-not $order.CertificateUrl) {
            Start-Sleep -Seconds 15
            $order | Update-ACMEOrder $state -PassThru   # was "Update-Order", which is not an ACME-PS cmdlet
        }

        # Include a Password
        $securePassword = ConvertTo-SecureString $password -AsPlainText -Force

        # As soon as the url shows up we can create the PFX
        Export-ACMECertificate $state -Order $order -CertificateKey $certKey -Password $securePassword -Path "$stateDir\$certname.pfx";

        Write-Host "Look for your certificate in " $stateDir
    }
    else
    {
        throw "The Order was invalid"
    }

}
catch {
    Write-Host "An error occurred:"
    Write-Host $_
    Write-Host $_.ScriptStackTrace
}

=========================================
Also create a file example-com.ps1 with the following content:

$stateDir = "C:\Temp\AcmeState";
$dnsList = @("example.com", "www.example.com")

$wwwRoot = "C:\inetpub\wwwroot" # Change this to point to the directory
                                # where the website resides

$certname = "example-com-$(Get-Date -Format yyyy-MM-dd--HH-mm)"
$password = "secretpassword"    # PFX password; do not leave a real one in a committed script

# $PSScriptRoot is the directory this script lives in, regardless of how it was invoked
$ScriptPath = $PSScriptRoot
$cmd = "$ScriptPath\CreateAcmeCertificate.ps1"

& $cmd -stateDir "$stateDir" -dnsList $dnsList -wwwRoot "$wwwRoot" -certname "$certname" -password "$password"
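The script above writes the http-01 token file, checks it over HTTP, and relies on an IIS MIME mapping that has to be added by hand; it also leaves the token file in the web root after the authorization is done. The following PowerShell helpers are an added example, not part of this issue or of ACME-PS: they create the acme-challenge directory with a directory-scoped web.config (the mimeMap and handler settings are assumptions for a typical IIS static site), write the token without a BOM or trailing newline, verify the URL returns exactly the expected body, and remove the file afterwards. The function names, the demo token and the temp directory are invented for illustration; in a real run the token, content and URL come from `$challenge.Data` as in the script above.

```powershell
# Added example (not part of the original issue or ACME-PS): prepare an IIS
# web root so extensionless http-01 challenge files are served as text/plain,
# verify the token is reachable with the exact expected body, and clean up.
# All paths, names and the web.config content are assumptions for illustration.

function Initialize-AcmeChallengeDirectory {
    param(
        [Parameter(Mandatory)] [string] $WwwRoot
    )
    # http-01 tokens live under /.well-known/acme-challenge/<token>
    $dir = Join-Path $WwwRoot '.well-known\acme-challenge'
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory | Out-Null
    }

    # IIS refuses to serve files without an extension unless a MIME type is mapped.
    # A web.config scoped to this directory maps the "." pseudo-extension to text/plain
    # and forces the static file handler, so nothing else tries to process the token.
    $webConfig = Join-Path $dir 'web.config'
    if (-not (Test-Path $webConfig)) {
        @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
'@ | Set-Content -Path $webConfig -Encoding UTF8
    }
    return $dir
}

function Write-AcmeChallengeFile {
    param(
        [Parameter(Mandatory)] [string] $WwwRoot,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $KeyAuthorization
    )
    $dir  = Initialize-AcmeChallengeDirectory -WwwRoot $WwwRoot
    $path = Join-Path $dir $Token
    # The CA compares the body byte for byte: write UTF-8 without BOM and without a trailing newline.
    [System.IO.File]::WriteAllText($path, $KeyAuthorization, [System.Text.UTF8Encoding]::new($false))
    return $path
}

function Test-AcmeChallengeUrl {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $Expected
    )
    try {
        # -UseBasicParsing avoids the Internet Explorer dependency on Windows PowerShell 5.1;
        # a non-2xx status throws, which the catch below turns into a report.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $Url; Ok = $false; Reason = "request failed: $($_.Exception.Message)" }
    }
    # -ceq: the key authorization is case-sensitive, so compare exactly
    $ok = ($response.StatusCode -eq 200) -and ($response.Content -ceq $Expected)
    $reason = if ($ok) { 'body matches' }
              elseif ($response.StatusCode -ne 200) { "status $($response.StatusCode)" }
              else { 'body differs (check MIME mapping, BOM or trailing newline)' }
    return [pscustomobject]@{ Url = $Url; Ok = $ok; Reason = $reason }
}

function Remove-AcmeChallengeFile {
    param([Parameter(Mandatory)] [string] $Path)
    # Remove the token once the authorization is valid; leaving it serves no purpose
    if (Test-Path $Path) { Remove-Item -Path $Path -Force }
}

# Demo against a temporary directory (constructed values; a real run would use
# $challenge.Data.Token, .Content and .AbsoluteUrl from Get-ACMEChallenge).
$demoRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'acme-demo-wwwroot'
$token    = 'demo-token-0123456789'
$keyAuth  = "$token.demo-thumbprint"
$file     = Write-AcmeChallengeFile -WwwRoot $demoRoot -Token $token -KeyAuthorization $keyAuth
"Wrote $file"
# With an IIS site bound to $demoRoot the check would be:
# Test-AcmeChallengeUrl -Url "http://example.com/.well-known/acme-challenge/$token" -Expected $keyAuth
Remove-AcmeChallengeFile -Path $file
```

Run the check against the public hostname the CA will use, not localhost, so that host headers, bindings and any reverse proxy in front of IIS are exercised the same way the validation request will be; a `Reason` of "body differs" with a 200 status almost always means the file was served with a BOM, a trailing newline, or by a handler other than the static file module.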
