Diffstat (limited to 'docs/manual/advanced-use/examples')
-rw-r--r-- | docs/manual/advanced-use/examples/apache.md | 99 |
-rw-r--r-- | docs/manual/advanced-use/examples/exchange.md | 53 |
-rw-r--r-- | docs/manual/advanced-use/examples/index.md | 10 |
-rw-r--r-- | docs/manual/advanced-use/examples/rds.md | 27 |
4 files changed, 0 insertions, 189 deletions
diff --git a/docs/manual/advanced-use/examples/apache.md b/docs/manual/advanced-use/examples/apache.md deleted file mode 100644 index b72de7a..0000000 --- a/docs/manual/advanced-use/examples/apache.md +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -sidebar: manual ---- - -# Apache -To get the certificate in the correct format for Apache (i.e. `.pem` files), you have to active -the [PemFiles plugin](/win-acme/reference/plugins/store/pemfiles) for each of your renewals. -For **new** renewals this can be done either from the command line with `--store pemfiles` or -from the main menu with the `M` option, where it will be posed as a question ("How would you -like to store this certificate?"). - -Existing renewals that are set up without the PemFiles plugin (which unfortunately includes -those [imported](/win-acme/manual/upgrading/to-v2.0.0) from 1.9.x) cannot be modified with a -command line switch or settings change. You will have to re-create them one by one, or manually -modify the `.json` files on disk. - -## Getting the certificate in .pem format - -### Interactive -- Choose `M` in the main menu (create with full options) -- Choose "Manually input host names" as target -- Input the domain name(s) -- Choose or accept the friendly name -- Pick a validation method. Most common would be to save to a local path -- Pick your key type -- Now the critical part: at "How would you like to store this certificate?" pick `Write .pem files to folder (Apache, nginx, etc.)` -- And so on... - -### Unattended -`wacs.exe --target manual --host www.example.com --validation filesystem --webroot "C:\htdocs\www\example.com" --store pemfiles --pemfilespath C:\apache-certs` - -### Pro tip -If you don't want to have to specify the path for the `.pem` files each time, you can -edit `settings.json` in the program directory and set the `DefaultPemFilesPath` -option. 
- -## Configuring Apache -To use certificates obtained with the help of WACS with the Apache 2.4 server, you need -to make settings in `Apache24\conf\extra\httpd-vhosts.conf` file; you could also make -these changes in the `\Apache24\conf\extra\httpd-ssl.conf` file as well instead if -you so wish: - -``` -Define CERTROOT "C:/apache-certs" -Define SITEROOT "C:/htdocs/www" -.... -<VirtualHost *:443> - ServerName www.example.com - DocumentRoot "${SITEROOT}/example.com" -.... - SSLEngine on - SSLCertificateFile "${CERTROOT}/example.com-chain.pem" - SSLCertificateKeyFile "${CERTROOT}/example.com-key.pem" -</VirtualHost> -``` - -Obviously replace `example.com` with your actual domain name your siteroot to -where you're hosting your files. - -### Enable SSL -Do not forget to uncomment `LoadModule ssl_module modules/mod_ssl.so` in `Apache24\conf\httpd.conf` -file if it's not already uncommented. You also need to add `Listen 443` or `Listen 80 443`. - -### Not for XAMPP uses -You don't need the `/example.com` at the end after `"${SITEROOT}"` so it -should just read as: `DocumentRoot "${SITEROOT}"` for that one line or else -(at least according to my case), would result in an object not found 404 error -when you visit your domain page. - -Also, according to Apache standards, backslash means escaping characters so if you wanted to -use backslash as a way for defining directories, then you're supposed to use another one -so it looks like `C:\\XAMPP\\Apache\\somestuff` but apparently the developers have modded -it so that it doesn't really matter if you double slash or not or use forward slash instead -of a single back slash - they all work the same regardless, at least as of version -3.2.2 of XAMPP. 
- -## Addendum -If you want to use your own folder to store certificates, you can use this cmd script is -for copying (for example, with name `installcert.cmd`): - -``` -@echo off -if "%~1" == "" exit -if not exist "%2" md "%2" >nul -set certlist=%3-chain.pem,%3-key.pem -echo Script running... -for %%a in (%certlist%) do copy /y "%ProgramData%\win-acme\%1\%%a" "%2\" >nul && echo. [INFO] Install %%a to Certificate Store in %2... OK || echo. [WARN] Install certificate %%a fieled! -echo. [INFO] Restarting service... -C:\Apache24\bin\httpd.exe -k restart -echo. [INFO] Service restarted. -echo. [INFO] Script finished. -``` -This script is called with parameters: -`LEWSuriDirectory CertFolder DomainName` - -For example: -`wacs.exe --target manual --host www.example.com --webroot "C:\htdocs\www\example.com" --validation filesystem --script "installcert.cmd" --scriptparameters "acme-v02.api.letsencrypt.org C:\cert www.example.com"` - -Also you must specify a new path to the folder with certificates in your `httpd-vhosts.conf`.
\ No newline at end of file diff --git a/docs/manual/advanced-use/examples/exchange.md b/docs/manual/advanced-use/examples/exchange.md deleted file mode 100644 index 7bb444c..0000000 --- a/docs/manual/advanced-use/examples/exchange.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -sidebar: manual ---- - -# Microsoft Exchange -Choose the domains that you want to generate the certificate for. Note that Let's Encrypt only -issues certificates to public domains, that means no Active Directory server names or domain suffixes -that are only known inside of your intranet can be used. You can specify a maximum of 100 domains -in a certificate. - -Assumptions made in this example: - -- We want to generate the certificate for three domains - - mail.example.com - - webmail.example.com - - autodiscover.example.com -- mail.example.com will be the common name, hence we put it first -- OWA is running in the Default Web Site of IIS with Site Id `1`. -- We want to enable the certificate for SMTP and IMAP - -## Interactive -- Create certificate with full options -- Manually input host names -- [http-01] Self-host verification files -- Create or update https bindings in IIS -- Would you like to add another installer step? (y/n): Y -- Run a custom script -- Would you like to add another installer step? 
(y/n): N -- Choose site to create new bindings: Default Web Site (or where ever OWA is at) -- Enter the path to the script that you want to run after renewal: `./Scripts/ImportExchange.ps1` -- Enter the parameter format string for the script: `'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'` - -## Unattended -- Without Central Certificate Store - `wacs.exe --target manual --host mail.example.com,webmail.example.com,autodiscover.example.com --certificatestore My --acl-fullcontrol "network service,administrators" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"` - -- With Central Certificate Store -`wacs.exe --target manual --host mail.example.com,webmail.example.com,autodiscover.example.com --store centralssl --centralsslstore "C:\Central SSL" --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"` - -## Verification -To make sure all is working properly, I'd encourage you to use the -[Microsoft's Remote Connectivity Analyzer](https://testconnectivity.microsoft.com/). -The Autodiscover and ActiveSync Autodiscover tests are really useful for testing this out. -With Outlook 2016 requiring the use of [Autodiscover to connect to Exchange](http://blogs.technet.com/b/exchange/archive/2015/11/19/outlook-2016-what-exchange-admins-need-to-know.aspx), -verifying that this works properly is an important step is making sure your environment is setup correctly. 
- -## References -- [Assign certificates to Exchange services](https://technet.microsoft.com/en-us/library/dd351257%28v=exchg.160%29.aspx) -- [Import certificates into Exchange](https://technet.microsoft.com/en-us/library/bb124424(v=exchg.160).aspx) -- [Add MIME Type](https://support.microsoft.com/en-us/kb/326965) -- [Namespace planning in Exchange 2016](http://blogs.technet.com/b/exchange/archive/2015/10/06/namespace-planning-in-exchange-2016.aspx) -- [Exchange Server 2016 Client Access Namespace configuration](http://exchangeserverpro.com/exchange-server-2016-client-access-namespace-configuration/) -- [Install Exchange 2016 in your lab](https://supertekboy.com/2015/09/22/install-exchange-2016-in-your-lab-part-5/)
\ No newline at end of file diff --git a/docs/manual/advanced-use/examples/index.md b/docs/manual/advanced-use/examples/index.md deleted file mode 100644 index 949316d..0000000 --- a/docs/manual/advanced-use/examples/index.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -sidebar: manual ---- -# Examples -There are some [example scripts](https://github.com/PKISharp/win-acme/tree/master/dist/Scripts) -bundled with win-acme releases as a reference and inspiration for people looking to handle custom -[installation](/win-acme/reference/plugins/installation/script) or -[DNS validation](/win-acme/reference/plugins/validation/dns/script). - -The scripts are provided as-is. Caution is advised before running them on production systems.
\ No newline at end of file diff --git a/docs/manual/advanced-use/examples/rds.md b/docs/manual/advanced-use/examples/rds.md deleted file mode 100644 index 5eb51ae..0000000 --- a/docs/manual/advanced-use/examples/rds.md +++ /dev/null @@ -1,27 +0,0 @@ ---- -sidebar: manual ---- - -# Remote Desktop Services -How to generate a Certificate for Microsoft Remote Desktop Servers - -## Running the client -Assuming you've a simple all in one Remote Desktop Server setup with the roles RD Gateway, RD Connection Broker -and RD Web Access, you have to import the certificate into the IIS site and additionally configure it for the -installed RD roles. For IIS the standard plugin is used, for the RD roles, the included `ImportRDSFull.ps1` is -used. - -## Configuration -In order for this script to work, the private key of the certificate needs to be marked as exportable. -Set `PrivateKeyExportable` in `settings.json` to `true`. - -The script accepts two parameters: CertThumbprint and RDCB. RDCB specifies the Remote Desktop Connection Broker -(RD Connection Broker) server for a Remote Desktop deployment. If you don't specify a value, the script uses the local -computer's fully qualified domain name (FQDN). - -## Unattended -- When specific domain names are configured in the IIS bindings, we can use them automatically -`wacs.exe --target iis --siteid 1 --certificatestore My --installation iis,script --script "Scripts\ImportRDSFull.ps1" --scriptparameters "{CertThumbprint}"` - -- When only blank/catch-all binding are configured in IIS, we have to be explicit about the domain name(s) that we want -`wacs.exe --target manual --hostname rds.example.com --certificatestore My --installation iis,script --installationsiteid 1 --script "Scripts\ImportRDSFull.ps1" --scriptparameters "{CertThumbprint}"`
\ No newline at end of file |
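Review bot: In the apache.md hunk, the `installcert.cmd` script in the Addendum validates only its first argument (`if "%~1" == "" exit`) but then uses `%2` and `%3`, and it runs `C:\Apache24\bin\httpd.exe -k restart` even after a `copy` has reported failure, so Apache can be restarted against a missing or stale `-chain.pem`/`-key.pem` pair. If this page is being relocated rather than dropped, the script should check all three parameters and skip the restart when any copy fails, and the text should say that the folder created by `md "%2"` receives the private key `%3-key.pem` with whatever permissions it inherits. The "fieled" typo in the warning message should be corrected at the same time.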
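Review bot: In the exchange.md hunk, the Interactive parameter format string and both Unattended commands pass `'{CachePassword}'` to `ImportExchange.ps1` as a command-line argument, and the page never says that command-line arguments are visible to process listings and command-line auditing on the host. If these examples are kept anywhere, that caveat belongs right next to the `--scriptparameters` lines. The two `http://blogs.technet.com/...` links in Verification and References are plain HTTP and should be re-checked before they are reused.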
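Review bot: The index.md hunk drops the sentence "The scripts are provided as-is. Caution is advised before running them on production systems." and the diffstat for this directory shows 0 insertions, so nothing visible here puts it back. Because the page points readers at the scripts bundled under `dist/Scripts`, that caution should be carried onto whichever page now links to them, for example the installation and DNS validation script plugin pages this file referenced.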
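Review bot: In the rds.md hunk, the second Unattended example uses `--hostname rds.example.com`, while the `--target manual` examples in apache.md and exchange.md in this same patch use `--host`; the option name should be checked and made consistent wherever these commands end up. The Configuration section also tells the reader to set `PrivateKeyExportable` to `true` in `settings.json` without stating which renewals the setting affects or that an exportable private key can be exported from the certificate store by any account with access to it; a sentence on scope and risk should accompany that instruction.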