Functional use
This web client is used to apply for free SSL/TLS domain certificates (RSA, ECC/ECDSA) for HTTPS from Let's Encrypt, ZeroSSL, Google and other certificate authorities that support the ACME protocol, with support for multiple domain names and wildcard domains. Operate it in a modern browser to obtain a domain certificate as plain text in PEM format; it does not depend on the operating system, requires no download or installation, is operated entirely by hand, and focuses on one thing only: applying for and obtaining a certificate.
Easy to use
Mouse clicks plus Ctrl+C / Ctrl+V are all it takes to complete a certificate application. The whole process requires few operations, and there are step-by-step operation prompts at every stage; the UI is friendly and clean. This client does not require registering an account or logging in.
Open source project
The source code of this web client is open source; the access URL is provided by the hosting repository, and the source code is transparent and traceable.
A single file
This web client is a single static HTML file that does not depend on any other file; you can therefore save it directly to your computer (right-click, Save As) and open it in a browser.
Data security
Apart from the ACME endpoint of the certificate authority you specify, this web client sends data to no other address; this is easy to verify by inspecting network traffic in the browser console.
System security
As a pure web application, it does not and cannot make any modification to your computer system.
Certificate expiration risk alert
Because this web client can only be operated manually and does not support automatic renewal, you must remember to apply for a new certificate before the current one expires (free certificates are generally valid for 90 days; simply repeat the operation at that time), or use acme.sh or another client with automatic renewal.
Step 1: Select a Certificate Authority
Let's Encrypt:
Follow the operation steps prompted below to apply and you will obtain the certificate, which is valid for 90 days.
ZeroSSL:
This URL may first need the steps prompted below to work around the cross-origin access problem. Before applying for a certificate, you need to follow ZeroSSL's official documentation to register a ZeroSSL account and generate an EAB credential; use this EAB credential every time you apply for a certificate, then follow the operation steps prompted below to apply and you will obtain the certificate, which is valid for 90 days.
Google Trust Services:
This URL may first need the steps prompted below to work around the cross-origin access problem. Before applying for a certificate, you need to follow Google's official documentation to generate an EAB credential in Google Cloud; use this EAB credential every time you apply for a certificate, then follow the operation steps prompted below to apply and you will obtain the certificate, which is valid for 90 days. Note: because one Google EAB credential can be bound to only one ACME account (private key), the first time you apply you must also save the ACME account private key that was newly generated or entered manually in step 2; the next time you apply, this EAB credential must be used together with that saved ACME account private key.
Reminder: if you have applied for a certificate before, you can drag and drop the downloaded LOG record file onto this page, and the previous configuration will be filled in automatically.
*Domain names to be included in the certificate:
A certificate can contain multiple domain names (wildcards are supported), for example: a.com, *.a.com, b.com, *.b.com. The first domain name becomes the certificate's Common Name. Wildcard domain names support only DNS verification; the others also support file-upload verification. Note: when you enter www.a.com, you generally also need to add a.com.
*Private key of the certificate:
The generated or entered private key is used only for signing in the ACME interface and supports RSA (2048-bit+) and ECC (elliptic curve) private keys. Note: the type of the certificate private key determines whether the issued certificate is an RSA or an ECC (ECDSA) certificate; RSA is more widely supported and more common. This client neither stores this private key nor sends it to anyone. After the certificate is issued you will need this private key when deploying to the server. It is recommended to generate a new certificate private key for every application.
*Private key of the ACME account:
The generated or entered private key is used only for signing in the ACME interface and supports RSA (2048-bit+) and ECC (elliptic curve) private keys; the account key type has no effect on the certificate. This client neither stores this private key nor sends it to anyone. One private key corresponds to one account and can be used to revoke certificates issued under it. It is recommended to use the same private key each time you apply (that way, when you apply several times within a short period, the parameters used to verify domain ownership will very likely stay the same), although generating a new private key each time is also fine in most cases. Note: if the ACME service you choose (such as Google) requires EAB credentials and restricts each EAB credential to a single ACME account (private key), then you must use the same private key every time you use that EAB credential (if a new private key is generated the first time, save it immediately and use it together with this EAB credential next time).
*Contact email of the ACME account:
This email address is used by the certificate authority to send you email, for example a renewal reminder before the certificate expires.
EAB credentials:
The current ACME service requires External Account Binding credentials. For ZeroSSL, for example, you can obtain these credentials under Developer in the ZeroSSL management console, so you first need to register a ZeroSSL account.
Please select a suitable verification method for each domain name (DNS verification is recommended, as it is the simplest and most universal), then complete the corresponding configuration according to the prompts shown.
Select the verification method for each domain name and carry out the corresponding configuration according to the prompts shown. Only after all domain names are configured should you click the "Start Verify" button below. If verification fails, you need to go back to step 2 and start over.
Start Verify | Cancel | Retry
Step 4: Download and save the certificate PEM file
This file must be saved: click the download button, or copy the certificate text and save it as a file (PEM plain text format). The file suffix can be changed to .crt or .cer so that it can be opened by double-clicking in Windows. This PEM file already contains your domain certificate and the complete certificate chain: the first CERTIFICATE in the text is your domain certificate, and those following it are the certificate authority's intermediate and root certificates; if necessary you can split it into several .pem files yourself.
*Save the certificate private key KEY file:
Click the download button, or copy the private key text and save it as a file (PEM plain text format; the .key suffix can be changed to .pem). If you entered the certificate private key manually in step 2, the private key here is identical to what you entered and need not be saved again; if a new certificate private key was generated, you must download and save this private key file.
*Save the LOG record file:
It is recommended to download and save this file. This record file contains all data: the certificate PEM text, the certificate private key PEM text, the account private key PEM text, and all configuration parameters. Because it holds both private keys, protect it as carefully as the key file itself. The next time you need to renew the certificate, drag and drop this record file onto this page and all parameters will be filled in automatically.
Do you need certificate files in other formats?
Most server software (Nginx, for example) can enable HTTPS directly from the certificate PEM file plus the private key KEY file. If you need a certificate in *.pfx or *.p12 format (for IIS, for example), convert the PEM certificate to pfx/p12 with the following command, replacing <name> with your own file names (openssl will prompt for an export password, and the chain certificates in the PEM file are included in the output):
openssl pkcs12 -export -out <name>.pfx -inkey <name>.key -in <name>.pem
IIS certificate chain missing?
For a Windows IIS server, you need to install the certificate chain into "Intermediate Certification Authorities" under "Local Computer": split all certificates in the PEM file into individual PEM files (change the suffix to .crt or .cer), then double-click the intermediate certificate missing from the system and install it. For details see: http://support.microsoft.com/kb/954755
An introduction to how this client works
Thanks to the standardization of cryptographic functions in modern browsers' crypto.subtle, RSA and ECC encryption, decryption, signing, verification and key-pair generation can be implemented in a web page without any other JS library. In this client's X509 object, X509.CreateCSR generates a CSR, X509.KeyGenerate creates a PEM-format key, X509.KeyParse parses a PEM-format key, and X509.KeyExport exports a PEM-format key. These functions are implemented in JS at the binary level according to the corresponding standards; the binary data handling is encapsulated in the ASN1 object, which implements ASN.1 binary parsing and encoding, and its ASN1.ParsePEM method can parse any PEM-format key or certificate. All of this forms the core foundation of the ACME web client.
The rest is talking to ACME to get certificates issued, and building the interactive UI; for the ACME side, the RFC 8555 standard can be followed directly. The ACME services of some certificate authorities support browsers poorly and do not return complete Access-Control-* response headers, so their endpoints cannot be called directly from a web page. The current workaround is crude but simple. Taking ZeroSSL as an example: when a cross-origin problem is detected for the ACME service, the acmeReadDirGotoCORS() method is called to tell the user what to do (you can also invoke this method manually by clicking here), and the cross-origin problem is eliminated by running this client inside their page (if you can't beat them, join them).
QQ group: communication and support
Welcome to join QQ group 421882406 (passphrase, all lowercase: xiangyuecn). For feature customization, or website, app, mini-program, front-end and back-end development needs, please join this QQ group and contact the group owner (the author). Thank you!
The Chinese-to-English translation is mainly by Chrome's built-in translation plus Baidu Translate, translated from Chinese into English.