path: root/docs/reference
author WouterTinus <wouter.tinus@gmail.com> 2019-08-26 07:06:41 +0200
committer WouterTinus <wouter.tinus@gmail.com> 2019-08-26 07:06:41 +0200
commit 833289e1538f868166a5dd5f9613893e770e8c93 (patch)
tree 806ee04ac9cf7dfeabdd87ff3905d917e3ff5f48 /docs/reference
parent a60811a02dc9eaccf233946557b3e00e01bb3176 (diff)
adopt bugfixes fluentcommandlineparser
Diffstat (limited to 'docs/reference')
-rw-r--r-- docs/reference/plugins/csr/ec.md 13
-rw-r--r-- docs/reference/plugins/csr/index.md 13
-rw-r--r-- docs/reference/plugins/csr/rsa.md 13
-rw-r--r-- docs/reference/plugins/installation/iisftp.md 11
-rw-r--r-- docs/reference/plugins/installation/iisweb.md 33
-rw-r--r-- docs/reference/plugins/installation/index.md 17
-rw-r--r-- docs/reference/plugins/installation/script.md 42
-rw-r--r-- docs/reference/plugins/store/centralssl.md 12
-rw-r--r-- docs/reference/plugins/store/certificatestore.md 17
-rw-r--r-- docs/reference/plugins/store/index.md 20
-rw-r--r-- docs/reference/plugins/store/pemfiles.md 11
-rw-r--r-- docs/reference/plugins/target/index.md 6
-rw-r--r-- docs/reference/plugins/validation/http/index.md 3
-rw-r--r-- docs/reference/plugins/validation/http/selfhosting.md 7
-rw-r--r-- docs/reference/plugins/validation/index.md 8
15 files changed, 211 insertions, 15 deletions
diff --git a/docs/reference/plugins/csr/ec.md b/docs/reference/plugins/csr/ec.md
index 9cbb12c..6a4ee3a 100644
--- a/docs/reference/plugins/csr/ec.md
+++ b/docs/reference/plugins/csr/ec.md
@@ -1,3 +1,14 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# Elliptic Curve
+Generates ECDSA keys based on the `secp384r1` curve. The curve to use can be
+configured in [settings.config](/win-acme/reference/settings) but currently only
+SEC named curves are supported by this program. The ACME server provider may
+also have limitations.
+
+{% include csr-common.md %}
+
+## Unattended
+`--csr ec` \ No newline at end of file
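Review bot: "currently only SEC named curves are supported by this program" leaves the operator without the list of accepted curve names or the failure mode when settings.config names an unsupported one; state which values are valid and whether an invalid value aborts the renewal or silently falls back to `secp384r1`. "The ACME server provider may also have limitations" is too vague to act on; name the constraint that matters for the default provider (which curves Let's Encrypt will sign) so the reader has something concrete to check before changing the setting.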
diff --git a/docs/reference/plugins/csr/index.md b/docs/reference/plugins/csr/index.md
index 9cbb12c..236a730 100644
--- a/docs/reference/plugins/csr/index.md
+++ b/docs/reference/plugins/csr/index.md
@@ -1,3 +1,14 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# CSR plugins
+
+CSR plugins are responsible for providing certificate requests that the ACME server can sign.
+They determine key properties such as the private key, applications and extensions. When
+a CSR is used as [target](/win-acme/reference/plugins/target/csr), no CSR plugin can be chosen
+and the third party application is expected to take care of the private key and extensions instead.
+
+## Default
+
+The default is an [RSA](/win-acme/reference/plugins/csr/rsa) private key. \ No newline at end of file
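Review bot: "They determine key properties such as the private key, applications and extensions" is unclear: a private key is not a property of a key, and "applications" presumably means the key usage / enhanced key usage extensions that end up in the request. Suggest "They generate the private key and build the request, including the key usage and other extensions the ACME server is asked to sign." The sentence about the CSR target would also be clearer if it spelled out the consequence: with that target the third-party application owns the private key and this program never handles it, which is the security-relevant reason no CSR plugin can be chosen.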
diff --git a/docs/reference/plugins/csr/rsa.md b/docs/reference/plugins/csr/rsa.md
index 9cbb12c..70ad42f 100644
--- a/docs/reference/plugins/csr/rsa.md
+++ b/docs/reference/plugins/csr/rsa.md
@@ -1,3 +1,14 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# RSA
+Default plugin, generates 3072 bits RSA key pairs. The number of bits can be configured in
+[settings.config](/win-acme/reference/settings) but may not be less than 2048. For
+improved compatiblitity with Microsoft Exchange, RSA keys are automatically converted to the
+`Microsoft RSA SChannel Cryptographic Provider`.
+
+{% include csr-common.md %}
+
+## Unattended
+`[--csr rsa]` \ No newline at end of file
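Review bot: typos: "compatiblitity" should be "compatibility" and "3072 bits RSA key pairs" should be "3072-bit RSA key pairs". "RSA keys are automatically converted to the `Microsoft RSA SChannel Cryptographic Provider`" names a legacy CryptoAPI CSP rather than a CNG key storage provider; say whether this happens for every store plugin or only when the certificate lands in the Windows Certificate Store, and whether it can be disabled, since CSP-held and CNG-held keys are handled differently by other software. "may not be less than 2048" should also say what happens when a lower value is configured (error or clamp to 2048).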
diff --git a/docs/reference/plugins/installation/iisftp.md b/docs/reference/plugins/installation/iisftp.md
index 9cbb12c..416e5fb 100644
--- a/docs/reference/plugins/installation/iisftp.md
+++ b/docs/reference/plugins/installation/iisftp.md
@@ -1,3 +1,12 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# IIS FTP
+Create or update FTP site bindings in IIS, according to the following logic:
+
+- Any existing FTP sites linked to the previous certificate are updated to use the new certificate.
+- The target FTP site will be updated to use the new certificate.
+
+## Unattended
+``--installation iisftp [--installationsiteid x]` \ No newline at end of file
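Review bot: the Unattended line opens with two backticks (``--installation iisftp [--installationsiteid x]`) and closes with one, so the inline code will not render; drop the extra backtick. The two bullets also overlap: on a renewal the target FTP site is normally one of the sites "linked to the previous certificate", so say that the second rule is what binds the certificate on the first run, and what the plugin does if the target site has no SSL binding yet.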
diff --git a/docs/reference/plugins/installation/iisweb.md b/docs/reference/plugins/installation/iisweb.md
index 9cbb12c..2a04dc1 100644
--- a/docs/reference/plugins/installation/iisweb.md
+++ b/docs/reference/plugins/installation/iisweb.md
@@ -1,3 +1,34 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# IIS Web
+Create or update website bindings in IIS, according to the following logic:
+
+- Existing https bindings in *any* site linked to the previous certificate are updated to use the new certificate.
+- Hosts names which are determined to not yet have been covered by any existing binding, will be processed further.
+ - All existing https bindings in *target* site whose hostnames match with the new certificate are updated
+ to use the new certificate. This happens even if they are using certificates issued by other authorities.
+ (Note that if you want to prevent this from happening, you can use the `--excludebindings` switch).
+ - If no existing https binding can be found, a new binding is created.
+ - It will create bindings on the specified installation site and fall back to the target site if there is none.
+ - It will use port `443` on IP `*` unless different values are specified with the `--sslport` and/or
+ `--sslipaddress` switches.
+ - New bindings will be created or updated for matching host headers with the most specific match. E.g. if you
+ generate a certificate for `a.b.c.com`, the order of preference for the binding creation/change will be:
+ 1. a.b.c.com
+ 2. *.b.c.com
+ 3. *.c.com
+ 4. *.com
+ 5. Default (emtpy) binding
+ - If the certificate contains a wildcard domain, the order of preference will be:
+ 1. *.a.b.c.com
+ 2. x.a.b.c.com
+ - In both cases, the first preferred option will be created from scratch if none of the later options
+ are available.
+ - In some cases the plugin will not be able to (safely) add a new binding on older versions of IIS, e.g. due to
+ lack of support for SNI and/or wildcard bindings. In that case the user will have to create them manually.
+ Renewals will still be automatic after this initial manual setup.
+
+## Unattended
+`--installation iis [--installationsiteid x] [-sslport x] [--sslipaddress x]` \ No newline at end of file
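Review bot: the Unattended line uses `[-sslport x]` with a single dash while the prose above calls the switch `--sslport`; make them agree. The wildcard preference list is underspecified: for a certificate containing a wildcard it lists `*.a.b.c.com` and then `x.a.b.c.com` without saying what `x` stands for (any existing binding for a host under the wildcard?) or whether non-wildcard names in the same certificate still follow the first list. Since this page is iisweb.md and the FTP page uses `--installation iisftp`, confirm that `--installation iis` is the real plugin name here. Minor: "Hosts names" should be "Host names" and "emtpy" should be "empty".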
diff --git a/docs/reference/plugins/installation/index.md b/docs/reference/plugins/installation/index.md
index 9cbb12c..1cfd89a 100644
--- a/docs/reference/plugins/installation/index.md
+++ b/docs/reference/plugins/installation/index.md
@@ -1,3 +1,18 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# Installation plugins
+Installation plugins are responsible for making the necessary changes to your
+application(s) after successfully creating or renewing a certificate. Currently
+there are three of these plugins.
+
+## Multiple
+More than one plugin can run by choosing them in order of execution. In interactive mode you
+will be asked, for unattended mode you can provide a comma seperated list,
+e.g. `--installation certificatestore,pemfiles`
+
+## Default
+In simple mode the default installation plugin is [IIS Web](/win-acme/reference/plugins/installation/iisweb).
+In full options and unattended modes there are no default installation steps, you have to explicitly
+choose them from the interface or using the `--installation` switch. \ No newline at end of file
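Review bot: the example `--installation certificatestore,pemfiles` names two store plugins, not installation plugins; it looks copied from the store index page. Use plugins from this page, e.g. `--installation iis,script`, and fix "seperated" to "separated". "Currently there are three of these plugins" would also read better with the three named and linked (IIS Web, IIS FTP, Script), so the sentence stays correct when a plugin is added later.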
diff --git a/docs/reference/plugins/installation/script.md b/docs/reference/plugins/installation/script.md
index 9cbb12c..8951bde 100644
--- a/docs/reference/plugins/installation/script.md
+++ b/docs/reference/plugins/installation/script.md
@@ -1,3 +1,43 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# Script
+Runs an external script or executable after a succesful renewal. This may be a `.bat`, `.ps1` or even `.exe`.
+You provide the program with the path to the script and it will run automatically.
+
+## Parameters
+The following variables can be provided from the program to the script as command line arguments.
+
+```
+{0} or {CertCommonName} - Common name (primary domain name)
+{1} or {CachePassword} - The .pfx password (generated randomly for each renewal)
+{2} or {CacheFile} - Full path of the cached.pfx file
+{4} or {CertFriendlyName} - Friendly name of the generated certificate
+{5} or {CertThumbprint} - Thumbprint of the generated certificate
+{7} or {RenewalId} - Id of the renewal
+
+{3} or {6} or {StorePath} - Path or store name used by the store plugin
+{StoreType} - Name of the plugin (CentralSsl, CertificateStore or PemFiles)
+```
+
+## Example
+If you need your scripts parameters to look something like this:
+
+`action=import file=C:\mydomain.pfx password=*****`
+
+Then your argument string should look like this:
+
+`action=import file={CacheFile} password={CachePassword}`
+
+## Unattended
+`--installation script --script C:\script.bat [--scriptparameters x]`
+
+### Parameter escaping
+If you need to put double quotes around your parameters from the command line, you have to escape them with a slash, for example:
+
+`--scriptparameters "action=import file=\"{CacheFile}\" password=\"{CachePassword}\""`
+
+For **Powershell** scripts, string parameters can also be delimited with **single** quotes, for example:
+
+`--scriptparameters "action=import file='{CacheFile}' password='{CachePassword}'"`
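Review bot: the example passes `{CachePassword}` (the `.pfx` password) to the script as a command-line argument; anything that can read the child process's command line, including other local users via process listings and any logging of the invoked command, then sees the password that the store index page says protects the cached key. Add a warning here, and say plainly that `{CacheFile}` together with `{CachePassword}` hands the private key to the script. The parameter list also leaves the numeric aliases unexplained: `{3}` and `{6}` both map to `{StorePath}` without saying why, and `{StoreType}` has no number at all. Typos: "succesful" (successful), "your scripts parameters" (your script's parameters), and "escape them with a slash" should be "backslash" to match the `\"` in the example.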
diff --git a/docs/reference/plugins/store/centralssl.md b/docs/reference/plugins/store/centralssl.md
index 9cbb12c..0662969 100644
--- a/docs/reference/plugins/store/centralssl.md
+++ b/docs/reference/plugins/store/centralssl.md
@@ -1,3 +1,13 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# IIS Central SSL Store (CSS)
+Designed for the [Central Certificate Store](https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/)
+introduced in Windows 2012. Creates a separate copy of the `.pfx` file for each hostname and places
+it in the path provided by the `--centralsslstore` parameter, or the `DefaultCentralSslStore` setting
+in [settings.config](/win-acme/reference/settings). Using this store also triggers any created or
+updated IIS bindings to get the `CentralSSL` flag.
+
+## Unattended
+`--store centralssl [--centralsslstore C:\CentralSSL\] [--pfxpassword *****]` \ No newline at end of file
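Review bot: `--pfxpassword` appears in the Unattended line but is never explained; say what it protects (the per-hostname `.pfx` copies written to the store path) and what is used when it is omitted, since the Central Certificate Store must be configured with the same password to open the files. "Windows 2012" should be "Windows Server 2012", and "triggers any created or updated IIS bindings to get the `CentralSSL` flag" would be clearer as "bindings created or updated by the IIS installation plugin are flagged as using Central SSL".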
diff --git a/docs/reference/plugins/store/certificatestore.md b/docs/reference/plugins/store/certificatestore.md
index 9cbb12c..0797ab0 100644
--- a/docs/reference/plugins/store/certificatestore.md
+++ b/docs/reference/plugins/store/certificatestore.md
@@ -1,3 +1,18 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# Windows Certificate Store
+Default plugin, saves certificates to the Windows Certificate store. Which store is used is based on the following priorities:
+
+- Store configured for the specific renewal
+- Global default is configured in [settings.config](/win-acme/reference/settings)
+- `WebHosting` store (if it exists, i.e. Windows 2012+ with IIS)
+- The machine-level `My` store (better known as Personal)
+
+## Keep existing
+The `--keepexisting` switch can be used to prevent the program from deleting older
+versions of the certificate from the store.
+
+## Unattended
+`[--store certificatestore] [--certificatestore My] [--keepexisting]` \ No newline at end of file
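Review bot: the priority list is not parallel; the second item reads "Global default is configured in ..." while the others are noun phrases, so use "- The global default configured in settings.config". The "Keep existing" section should say which certificates count as "older versions" (previous certificates issued for the same renewal? any certificate with the same subject?) so an operator knows exactly what is removed from the store by default.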
diff --git a/docs/reference/plugins/store/index.md b/docs/reference/plugins/store/index.md
index 9cbb12c..e77fb74 100644
--- a/docs/reference/plugins/store/index.md
+++ b/docs/reference/plugins/store/index.md
@@ -1,3 +1,21 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# Store plugins
+
+Store plugins are responsible for storing issued certificates in their permanent location(s).
+The program will cache the certificate in a `.pfx` file in its CertificatePath (which defaults
+to `%programdata%\win-acme\certificates`) but these files are protected by random passwords to
+prevent local non-administrators from obtaining keys. Store plugins are responsible for making
+the certificates accessible to the application(s) that need them.
+
+## Multiple
+
+More than one plugin can run by choosing them in order of execution. In interactive mode you
+will be asked, for unattended mode you can provide a comma seperated list,
+e.g. `--store certificatestore,pemfiles`
+
+## Default
+
+The default is the [Windows Certificate Store](/win-acme/reference/plugins/store/certificatestore). \ No newline at end of file
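Review bot: "these files are protected by random passwords to prevent local non-administrators from obtaining keys" only holds if the password is kept somewhere those users cannot read; the Script plugin page hands the same value to scripts as `{CachePassword}`, so the program must persist it. State where it is stored and make clear that the ACL on the CertificatePath directory is what actually keeps the cached `.pfx` files and their passwords away from non-administrators. Typo: "seperated" should be "separated".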
diff --git a/docs/reference/plugins/store/pemfiles.md b/docs/reference/plugins/store/pemfiles.md
index 9cbb12c..4053510 100644
--- a/docs/reference/plugins/store/pemfiles.md
+++ b/docs/reference/plugins/store/pemfiles.md
@@ -1,3 +1,12 @@
---
sidebar: reference
---- \ No newline at end of file
+---
+
+# PemFiles
+Designed for [Apache](/win-acme/manual/advanced-use/examples/apache), nginx and other web servers.
+Exports a `.pem` file for the certificate and private key and places them in
+the path provided by the `--pemfilespath` parameter, or the `DefaultPemFilesPath`
+setting in [settings.config](/win-acme/reference/settings).
+
+## Unattended
+`--store pemfiles [--pemfilespath C:\Certificates\]` \ No newline at end of file
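Review bot: the page does not say whether the exported private key `.pem` is encrypted. If it is written in the clear, which is what Apache and nginx normally expect, the random-password protection described on the store index page no longer applies to this copy, and the page should tell the operator to restrict the ACL on `--pemfilespath` and never to place it under a web root.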
diff --git a/docs/reference/plugins/target/index.md b/docs/reference/plugins/target/index.md
index b17edad..af4e5ac 100644
--- a/docs/reference/plugins/target/index.md
+++ b/docs/reference/plugins/target/index.md
@@ -6,4 +6,8 @@ sidebar: reference
A target plugin is responsible for providing information about a (potential) certificate to the rest of the program.
Its primary purpose is to determine which host names should be included in the SAN list, but can also provide extra
-information such as the preferred common name or bindings to exclude. \ No newline at end of file
+information such as the preferred common name or bindings to exclude.
+
+## Default
+
+There is no default target plugin, it always has to be chosen by the user. \ No newline at end of file
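Review bot: comma splice in "There is no default target plugin, it always has to be chosen by the user"; use a semicolon or "and".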
diff --git a/docs/reference/plugins/validation/http/index.md b/docs/reference/plugins/validation/http/index.md
index 71a67b9..41a4f3d 100644
--- a/docs/reference/plugins/validation/http/index.md
+++ b/docs/reference/plugins/validation/http/index.md
@@ -10,8 +10,9 @@ but for the sake of this explanation it will suffice).
- The client has to make sure that when the ACME server makes a request
to `http://sub.example.com/.well-known/acme-challenge/x`, the answer will be exactly `y`.
- The validation request is *always* made to port 80, that cannot be changed.
+- Let's Encrypt **does** follow 301/302 redirects
- There may be more than one validation request for the same token, e.g. from
different locations or different protocols (IPv4/IPv6).
-- Let's Encrypt does *not* disclose the source locations of these requests, which
+- Let's Encrypt does **not** disclose the source locations of these requests, which
effectively means that the domain has to be accessible for the public,
at least for the duration of the validation. \ No newline at end of file
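Review bot: "Let's Encrypt **does** follow 301/302 redirects" sits directly after "The validation request is *always* made to port 80", and the two read as contradictory unless the bullet says what may change on redirect (for example an `https://` URL on the same host). State which redirect targets are accepted and that a redirect to another host or a non-standard port will fail validation (if it is indeed limited to ports 80 and 443, say so). The emphasis style is also now inconsistent within the list: `*always*` on the unchanged line but `**does**` and `**not**` on the changed ones.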
diff --git a/docs/reference/plugins/validation/http/selfhosting.md b/docs/reference/plugins/validation/http/selfhosting.md
index 649c248..6ce5081 100644
--- a/docs/reference/plugins/validation/http/selfhosting.md
+++ b/docs/reference/plugins/validation/http/selfhosting.md
@@ -10,5 +10,10 @@ Not all software supports this port sharing feature though. If you get errors
telling you that the listener cannot be started, please look for another
validation method.
+## Non-default port
+Even though Let's Encrypt will always send validation requests to port 80,
+you may internally proxy, NAT or redirect that to another port. Using the
+`--validationport` switch you can tell the plugin to listen to a specific port.
+
## Unattended
-`[--validation selfhosting]` \ No newline at end of file
+`[--validation selfhosting] [--validationport 8080]` \ No newline at end of file
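Review bot: there is no blank line between "validation method." and the new "## Non-default port" heading; some Markdown renderers will not recognize a heading that directly follows paragraph text, so insert one. The section should also say that `--validationport` only changes the port the plugin listens on and that the proxy, NAT rule or redirect must still deliver the port-80 request there, otherwise readers may expect the switch alone to work.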
diff --git a/docs/reference/plugins/validation/index.md b/docs/reference/plugins/validation/index.md
index 2f6d14f..f5b8f0d 100644
--- a/docs/reference/plugins/validation/index.md
+++ b/docs/reference/plugins/validation/index.md
@@ -2,6 +2,8 @@
sidebar: reference
---
+# Validation plugins
+
A validation plugin is responsible for providing the ACME server with proof that you own the identifiers
(host names) that you want to create a certificate for. The
[ACMEv2 protocol](https://tools.ietf.org/html/draft-ietf-acme-acme-18) defines different challenge types,
@@ -13,4 +15,8 @@ For wildcard identifiers, only DNS validation is accepted by Let's Encrypt.
Other challenge types are not supported for various reasons:
- `TLS-ALPN-01` - under investigation (see [#990](https://github.com/PKISharp/win-acme/issues/990))
- `TLS-SNI-01/-02` - deprecated and all but removed
-- `PROOFOFPOSSESSION-01` - unknown \ No newline at end of file
+- `PROOFOFPOSSESSION-01` - unknown
+
+## Default
+
+By default, the [self-hosting plugin](/win-acme/reference/plugins/validation/http/selfhosting) is used. \ No newline at end of file
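Review bot: the new Default section should add that self-hosting only works when the port-80 request from the public Internet reaches this machine (the constraint spelled out on the http validation page), otherwise readers on hosts behind a firewall will not know why the default fails and which other plugin to pick.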