The generated or entered private key is used only for ACME interface signing; RSA (2048-bit+) and ECC ( curve) private keys are supported. Note: the type of the certificate private key determines whether the issued certificate is an RSA certificate or an ECC (ECDSA) certificate; RSA is more widely applicable and more common. This client will not save this private key or send it to anyone else. The private key is needed when deploying the certificate to the server after it is issued. It is recommended to generate a new certificate private key every time you apply for a certificate.
*Private key of ACME account:
The generated or entered private key is used only for ACME interface signing; RSA (2048-bit+) and ECC ( curve) private keys are supported. The account private key type has no effect on the certificate. This client will not save this private key or send it to anyone else. A private key is equivalent to an account and can be used to revoke an issued certificate. It is recommended to use the same private key every time you apply for a certificate (that way, when you apply several times within a short period, the parameters used to verify domain name ownership are very likely to stay the same); however, generating a new private key every time will not be a problem in most cases.
*Contact email of ACME account:
The certificate authority uses this email address to send you emails, such as renewal reminders before the certificate expires.
EAB credentials:
The current ACME service requires External Account Binding (EAB) credentials. For example, with ZeroSSL you can obtain these credentials under Developer in the ZeroSSL management console, so you need to register a ZeroSSL account first.
Please select a suitable verification method for each domain name (DNS verification is recommended, as it is relatively simple and general), and then complete the corresponding configuration according to the displayed prompts.
Select the corresponding verification method for each domain name and perform the configuration according to the displayed prompts. Only after all domain names have been configured should you click the "Start Verify" button below. If verification fails, you need to return to step 2 and start over.
This file must be saved: click the download button, or copy the certificate text and save it as a file (PEM plain text format). The file name suffix can be changed to .crt or .cer so that the file can be opened and viewed by double-clicking in Windows. This PEM file already contains your domain name certificate and the complete certificate chain. The first CERTIFICATE in the text is your domain name certificate, followed by the intermediate certificate and root certificate of the certificate authority; if necessary, you can split it into multiple .pem files yourself.
*Save the certificate private key KEY file:
Click the download button, or copy the private key text and save it as a file (PEM plain text format; the .key suffix can be changed to .pem). If you manually entered the certificate private key in step 2, the certificate private key here is exactly the same as the one you entered and does not need to be saved again; if the certificate private key was newly created, you must download and save this certificate private key file.
*Save the record LOG file:
It is recommended to download and save this file. This record file contains all data, including: certificate PEM text, certificate private key PEM text, account private key PEM text, and all configuration parameters. The next time you need to renew a certificate, you can drag and drop this record file directly onto this page, and all parameters will be filled in automatically.
Do you need certificate files in other formats?
Most server programs support directly using + to configure and enable HTTPS (such as Nginx). If you need a certificate in *.pfx or *.p12 format (such as for IIS), use the following command to convert the PEM certificate to pfx/p12 format:
openssl pkcs12 -export -out .pfx -inkey -in
IIS certificate chain missing?
For a Windows IIS server, you need to install the certificate chain into "Intermediate Certification Authorities" under "Local Computer". Split all the certificates in the PEM certificate into individual PEM files (change the suffix to .crt or .cer), then double-click each intermediate certificate that is missing from the system to open it and install it. For details, see: http://support.microsoft.com/kb/954755
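
The split described for the saved PEM file and for IIS above, as an added example that is not part of the original client. The function names `split_pem_chain` and `write_sample_bundle`, the output names `cert-N.crt`, and the sample input are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (hypothetical names): split a PEM bundle into one file per
# certificate. Only CERTIFICATE blocks are copied; key blocks are skipped.

# split_pem_chain BUNDLE OUTDIR: writes OUTDIR/cert-N.crt in bundle order
# (cert-1.crt is the domain certificate) and prints the number written.
split_pem_chain() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/ {
            n++
            out = sprintf("%s/cert-%d.crt", dir, n)
            inside = 1
        }
        inside { print > out }                # first write truncates the file
        /^-----END CERTIFICATE-----$/ {
            if (inside) { close(out); inside = 0 }
        }
        END {
            if (inside) exit 2                # BEGIN without a matching END
            print n + 0
        }
    ' "$1"
}

# Constructed sample input: placeholder bodies, not real key or certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtbGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtaW50ZXJtZWRpYXRl
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
write_sample_bundle "$tmp/bundle.pem"
split_pem_chain "$tmp/bundle.pem" "$tmp/out"   # prints 2
```

Because only CERTIFICATE blocks are written out, the function can also be pointed at a file that holds private key text alongside the certificates without copying the key into the .crt files.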