WindowsサーバのIISにLet's Encryptで取得したワイルドカードSSL証明書をインポートする

WindowsサーバのIISにLet’s Encryptで取得したワイルドカードSSL証明書をインポートする方法を調べたのでまとめした。

  • Windows 2016
  • IIS 10

いろいろと試行錯誤したのですが、どうやらIISに対してSSL証明書を登録するためには、IISからCSRを作成する必要があるようです。しかし、Let’s Encryptを用いてSSL証明書を取得する場合、どのようなCSRで証明書を取得しているのかわかりません。その結果、IISにSSL証明書を登録することができません。

この問題を解決するために、PKISharp/win-acmeを利用します。このツールを利用することで、IISに自動的にLet’s Encryptから取得したSSL証明書を登録することができます。

PKISharp/win-acmeをダウンロード後、以下のように操作することでワイルドカードSSL証明書をIISに登録できました。

なお、手動でDNSにtxtレコードを登録、削除を間に挟んでいることに注意ください。

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
C:\Users\Administrator\Desktop\win-acme.v2.0.3.206>wacs.exe

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.0.3.206 (RELEASE)
 [INFO] IIS version 10.0
 [INFO] Please report issues at https://github.com/PKISharp/win-acme

 N: Create new certificate
 M: Create new certificate with advanced options
 L: List scheduled renewals
 R: Renew scheduled
 S: Renew specific
 A: Renew *all*
 O: More options...
 Q: Quit

 Please choose from the menu: M

 [INFO] Running in mode: Interactive, Advanced

 1: Single binding of an IIS site
 2: SAN certificate for all bindings of an IIS site
 3: SAN certificate for all bindings of multiple IIS sites
 4: Manually input host names
 <Enter>:

 Which kind of certificate would you like to create?: 4

 Enter comma-separated list of host names, starting with the common name: *.holiday88sg.com

 [INFO] Target generated using plugin Manual: *.holiday88sg.com

 Suggested FriendlyName is '[Manual] *.holiday88sg.com', press enter to accept or type an alternative: <Enter>

 1: [dns-01] CNAME the record to a server that supports the acme-dns API
 2: [dns-01] Manually create record
 3: [dns-01] Run script to create and update records
 <Enter>: Abort

 How would you like to validate this certificate?: 2

 1: Elliptic Curve key
 2: Standard RSA key pair

 What kind of CSR would you like to create?: 2

 1: IIS Central Certificate Store
 2: Windows Certificate Store
 3: Write .pem files to folder (Apache, ngnix, etc.)

 How would you like to store this certificate?: 2

 1: Create or update https bindings in IIS
 2: Do not run any installation steps
 3: Run a custom script
 C: Abort

 Which installer should run for the certificate?: 2

 [INFO] Authorize identifier: xxx.com
 [INFO] Authorizing xxx.com using dns-01 validation (Manual)

 Domain:             xxx.com
 Record:             _acme-challenge.xxx.com
 Type:               TXT
 Content:            "2n6Q9rawV9C1sCAzVhpIQqpgJh1EtSDMIaz2zYus7sc"
 Note 1:             Some DNS control panels add quotes automatically. Only one set is required.
 Note 2:             Make sure your name servers are synchronised, this may take several minutes!

 Please press enter after you've created and verified the record

 [INFO] Answer should now be available at _acme-challenge.xxx.com
 [WARN] Preliminary validation failed, found (null) instead of 2n6Q9rawV9C1sCAzVhpIQqpgJh1EtSDMIaz2zYus7sc
 [INFO] Authorization result: valid

 Domain:             xxx.com
 Record:             _acme-challenge.xxx.com
 Type:               TXT
 Content:            "2n6Q9rawV9C1sCAzVhpIQqpgJh1EtSDMIaz2zYus7sc"

 Please press enter after you've deleted the record

 [INFO] Requesting certificate [Manual] *.xxx.com
 [INFO] Installing certificate in the certificate store
 [INFO] Adding certificate [Manual] *.xxx.com 2019/5/11 8:06:48 to store WebHosting
 [INFO] Installing with None...

 Do you want to replace the existing task? (y/n*)  - yes

 [INFO] Deleting existing task win-acme renew (acme-v02.api.letsencrypt.org) from Windows Task Scheduler.
 [INFO] Adding Task Scheduler entry with the following settings
 [INFO] - Name win-acme renew (acme-v02.api.letsencrypt.org)
 [INFO] - Path C:\Users\Administrator\Desktop\win-acme.v2.0.3.206
 [INFO] - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 [INFO] - Start at 09:00:00
 [INFO] - Time limit 02:00:00

 Do you want to specify the user the task will run as? (y/n*)  - yes

 Enter the username (Domain\username): Administrator

 Enter the user's password: *********

 [INFO] Adding renewal for [Manual] *.holiday88sg.com
 [INFO] Next renewal scheduled at 2019/7/5 8:06:48

 N: Create new certificate
 M: Create new certificate with advanced options
 L: List scheduled renewals
 R: Renew scheduled
 S: Renew specific
 A: Renew *all*
 O: More options...
 Q: Quit

 Please choose from the menu: q