Generate SSL Certificate for FintechOS

This FintechOS guide explains how to obtain an SSL/TLS certificate for a Fully Qualified Domain Name (FQDN) on a Windows Server machine using the win-acme tool. win-acme requests the certificate from an ACME certificate authority (Let's Encrypt by default) and proves control of the name with an http-01 challenge, so the FQDN must resolve publicly to this machine.

  1. Make sure the machine can be reached from the Internet on inbound TCP port 80 (the ACME server connects to it for the http-01 validation, both now and at every renewal) and can reach the ACME server on outbound TCP port 443. Open these in the Azure network security group and the Windows firewall as needed.
  2. Download the tool from the official win-acme release page (https://github.com/win-acme/win-acme/releases) and nowhere else.
  3. Run wacs.exe as administrator.
  4. Type M to create a certificate with full options.
    N: Create certificate (default settings)
    M: Create certificate (full options)
    R: Run renewals (0 currently due)
    A: Manage renewals (1 total)
    O: More options...
    Q: Quit 
    Please choose from the menu: M 
  5. Type 2 to manually input the domain names included in the certificate.
    Please specify how the list of domain names that will be included in the
    certificate should be determined. If you choose for one of the "all bindings"
    options, the list will automatically be updated for future renewals to
    reflect the bindings at that time.
    1: Read bindings from IIS
    2: Manual input
    3: CSR created by another program
    C: Abort 
    How shall we determine the domain(s) to include in the certificate?: 2 
  6. Enter the FQDN you want the certificate for. It must already resolve publicly to this machine. E.g.: vm-customer360-dev.westeurope.cloudapp.azure.com
    Description:        A host name to get a certificate for. This may be a
                        comma-separated list. 
    Host: vm-customer360-dev.westeurope.cloudapp.azure.com
    Source generated using plugin Manual: vm-customer360-dev.westeurope.cloudapp.azure.com 
    Friendly name '[Manual] vm-customer360-dev.westeurope.cloudapp.azure.com'. <Enter> to accept or type desired name: vm-customer360-dev.westeurope.cloudapp.azure.com 
  7. Type 2 to serve the verification files from memory. With this option win-acme opens its own HTTP listener on port 80 to answer the challenge, so port 80 must be reachable from the Internet and win-acme must be able to listen on it alongside whatever else runs there (it shares the port with IIS, which also uses http.sys). The same listener is used by the scheduled renewal task, so keep the port open afterwards.
    The ACME server will need to verify that you are the owner of the domain
    names that you are requesting the certificate for. This happens both during
    initial setup *and* for every future renewal. There are two main methods of
    doing so: answering specific http requests (http-01) or create specific dns
    records (dns-01). For wildcard domains the latter is the only option. Various
    additional plugins are available from https://github.com/win-acme/win-acme/. 
    1: [http-01] Save verification files on (network) path
    2: [http-01] Serve verification files from memory
    3: [http-01] Upload verification files via FTP(S)
    4: [http-01] Upload verification files via SSH-FTP
    5: [http-01] Upload verification files via WebDav
    6: [dns-01] Create verification records manually (auto-renew not possible)
    7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
    8: [dns-01] Create verification records with your own script
    9: [tls-alpn-01] Answer TLS verification request from win-acme
    C: Abort 
    How would you like prove ownership for the domain(s)?: 2
  8. Type 2 to select the RSA key type.
    After ownership of the domain(s) has been proven, we will create a
    Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
    determines properties of the certificate like which (type of) key to use. If
    you are not sure what to pick here, RSA is the safe default. 
    1: Elliptic Curve key
    2: RSA key
    C: Abort 
    What kind of private key should be used for the certificate?: 2
  9. Type 2 to store the certificate as PEM encoded files.
    When we have the certificate, you can store in one or more ways to make it
    accessible to your applications. The Windows Certificate Store is the default
    location for IIS (unless you are managing a cluster of them).
    1: IIS Central Certificate Store (.pfx per host)
    2: PEM encoded files (Apache, nginx, etc.)
    3: PFX archive
    4: Windows Certificate Store
    5: No (additional) store steps
    How would you like to store the certificate?: 2 
  10. At the File path prompt, enter the full path of the folder where the .pem files should be written. E.g.: C:\Users\john.doe\Documents
    Description:        .pem files are exported to this folder.
    File path: .
  11. Type 1 to export the private key file without a password. Option 2 instead encrypts the key file with a password you type in; pick it if the key will not have to be read unattended by another process.
    Description:        Password to set for the private key .pem file.
    1: None
    2: Type/paste in console
    3: Search in vault 
    Choose from the menu: 1
    With option 1 the private key is stored in clear text, so restrict the output folder's NTFS permissions to SYSTEM, Administrators and the account that runs the web server, and do not keep it under a user profile or on a shared location.
  12. Type 5 to decline any additional store steps.
    1: IIS Central Certificate Store (.pfx per host)
    2: PEM encoded files (Apache, nginx, etc.)
    3: PFX archive
    4: Windows Certificate Store
    5: No (additional) store steps
    Would you like to store it in another way too?: 5 
    Installation plugin IIS not available: This step cannot be used in combination with the specified store(s)
    This message is expected: the PEM file store does not create an IIS binding, so win-acme has nothing to install and skips the IIS installation plugin. Configure the exported certificate in your web server yourself.
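The whole walk-through as one unattended run, followed by the checks a practitioner would do afterwards, as an added example that is not from the FintechOS guide or the win-acme project. It assumes win-acme 2.x's unattended command-line switches (--source manual, --host, --validation selfhosting, --csr rsa, --store pemfiles, --pemfilespath, --installation none, --accepttos, --emailaddress; older 2.1 builds spell the first one --target), win-acme's pemfiles naming of <host>-crt.pem and <host>-key.pem, and placeholder values for the install path, output folder and contact address. Confirm the switches against wacs.exe --help for the version you downloaded.

```powershell
# Added example (not from the FintechOS page or the win-acme project): the
# interactive choices above as one unattended win-acme run, then a lock-down
# of the exported private key and a sanity check of the issued certificate.
# Assumptions: win-acme 2.x unattended switches (check `wacs.exe --help`),
# pemfiles output names <host>-crt.pem / <host>-key.pem, and placeholder
# install path, output folder and contact address. Run from an elevated shell.
$ErrorActionPreference = 'Stop'

$Wacs     = 'C:\Tools\win-acme\wacs.exe'                       # assumed install path
$Hostname = 'vm-customer360-dev.westeurope.cloudapp.azure.com' # FQDN from the guide
$OutDir   = 'C:\certs'                                         # assumed output folder
$Email    = 'ops@example.com'                                  # placeholder contact

# 1. Same choices as the menu walk-through: manual host list (step 5/6),
#    http-01 served from memory = selfhosting (step 7), RSA key (step 8),
#    PEM files in $OutDir (step 9/10), no installation step (step 12).
& $Wacs --source manual --host $Hostname `
        --validation selfhosting `
        --csr rsa `
        --store pemfiles --pemfilespath $OutDir `
        --installation none `
        --accepttos --emailaddress $Email
if ($LASTEXITCODE -ne 0) { throw "wacs.exe failed with exit code $LASTEXITCODE" }

# 2. The key was exported without a password (step 11), so the NTFS ACL is
#    the only thing protecting it: stop inheritance, drop inherited entries,
#    and grant SYSTEM and Administrators only. Add a Read entry for the
#    service account of the web server that will load the key.
$KeyFile = Join-Path $OutDir "$Hostname-key.pem"
$acl = Get-Acl $KeyFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyFile -AclObject $acl

# 3. Verify what was issued: the FQDN must be in the subjectAltName list,
#    the certificate must be inside its validity window, and the chain
#    must build against the machine's trusted roots.
$CertFile = Join-Path $OutDir "$Hostname-crt.pem"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$sans = $cert.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.17' } |   # subjectAltName OID
    ForEach-Object { $_.Format($false) }
if (-not ($sans -match [regex]::Escape($Hostname))) {
    throw "Certificate does not cover $Hostname (SAN: $sans)"
}
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))"
}
if ($cert.NotAfter -lt $now.AddDays(14)) {
    Write-Warning "Certificate expires $($cert.NotAfter); check the win-acme renewal task"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain did not build: $reasons"
}
"OK: $($cert.Subject) valid until $($cert.NotAfter), thumbprint $($cert.Thumbprint)"
```

win-acme also registers a scheduled task that re-runs the same validation before expiry, so the selfhosting listener needs port 80 reachable at renewal time as well; the ACL step has to be repeated if the renewal writes a new key file with inherited permissions, which is worth checking after the first automatic renewal.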