Releases: glatzert/ACME-Server-ADCS
V3.0.3
V3.0.2
V3.0.1
New in 3.0.1
Run ACMEServer.ADCS.exe --config-tool to use the new config wizard. It'll help you set up the server and profiles.
Future versions will expand and smoothen the tool, since it may still have some rough edges.
Bug fixes
- Logging created a JSON object per line, but appended a `,`. The `,` is now gone, so each line of the log is valid JSON.
- Certificate export separated certificates with `\r\n`, which might lead to errors with Proxmox.
V3.0.0
Refer to the quickstart guide linked from the README to get everything up and running.
If you currently run 2.1, you need to adjust your configuration.
Features
- ACME (RFC 8555) compliant server for certificate issuance (the protocol that drives Let's Encrypt)
- Certificate issuance via Microsoft® Windows® Server Active Directory Certificate Services (MS ADCS)
- Challenge types: `http-01`, `dns-01`, `tls-alpn-01`, `device-attest-01`
- ExternalAccountBinding (EAB) support
- Identifier types:
  - `dns` (RFC 8555): e.g. www.example.com - as known from ACME
  - `ip` (RFC 8738): e.g. 127.0.0.1 - for devices that don't use names.
  - `permanent-identifier` (experimental): to issue client certificates for devices (Apple devices only, currently). Please contact me if you use this; I would like to know if your use case works.
- Issuance profiles: depending on identifier type and EAB status the server can now choose issuance profiles, allowing the use of different templates (or ADCS servers) for different use cases.
- Reverse Proxy support: ADCS-ACME can now be run behind a reverse proxy that doesn't pass on the external host name.
- CSR validation now takes parameters that allow it to deviate from the ACME protocol. Be very careful with this feature.
Bug fixes
- ExternalAccountBinding requirement will now be communicated via metadata
Breaking changes
- Changed file logging package
- Configuration files have been rearranged and extended. There's only one appsettings.json now. Refer to the sample file for a proper description.
- If you build something based on the code of V1 or V2, there will be a lot of changes, since everything is now based on AspNetCore Minimal API instead of MVC.
V3.0.0 - RC2
Release Candidate 2
Feel free to use this in production - send all errors my way.
The software now targets both net8 and net10; please choose your version during download. Be aware that NET10 itself is still a release candidate with "go live permission".
Refer to the quickstart guide linked from the README to get everything up and running.
If you currently run 2.1, you need to adjust your configuration.
Features
- ACME (RFC 8555) compliant server for certificate issuance (the protocol that drives Let's Encrypt)
- Certificate issuance via Microsoft® Windows® Server Active Directory Certificate Services (MS ADCS)
- Challenge types: `http-01`, `dns-01`, `tls-alpn-01`, `device-attest-01`
- ExternalAccountBinding (EAB) support
- Identifier types:
  - `dns` (RFC 8555): e.g. www.example.com - as known from ACME
  - `ip` (RFC 8738): e.g. 127.0.0.1 - for devices that don't use names.
  - `permanent-identifier` (experimental): to issue client certificates for devices (Apple devices only, currently). Please contact me if you use this; I would like to know if your use case works.
- Issuance profiles: depending on identifier type and EAB status the server can now choose issuance profiles, allowing the use of different templates (or ADCS servers) for different use cases.
- Reverse Proxy support: ADCS-ACME can now be run behind a reverse proxy that doesn't pass on the external host name.
- CSR validation now takes parameters that allow it to deviate from the ACME protocol. Be very careful with this feature.
Bug fixes
- ExternalAccountBinding requirement will now be communicated via metadata
Breaking changes
- Changed file logging package
- Configuration files have been rearranged and extended. There's only one appsettings.json now. Refer to the sample file for a proper description.
- If you build something based on the code of V1 or V2, there will be a lot of changes, since everything is now based on AspNetCore Minimal API instead of MVC.
V3.0.0 - Release Candidate
Release Candidate
Feel free to use this in production - send all errors my way.
The software now targets both net8 and net10; please choose your version during download. Be aware that NET10 itself is still a release candidate with "go live permission".
Refer to the quickstart guide linked from the README to get everything up and running.
If you currently run 2.1, you need to adjust your configuration.
Features
- ACME (RFC 8555) compliant server for certificate issuance (the protocol that drives Let's Encrypt)
- Certificate issuance via Microsoft® Windows® Server Active Directory Certificate Services (MS ADCS)
- Challenge types: `http-01`, `dns-01`, `tls-alpn-01`, `device-attest-01`
- ExternalAccountBinding (EAB) support
- Identifier types:
  - `dns` (RFC 8555): e.g. www.example.com - as known from ACME
  - `ip` (RFC 8738): e.g. 127.0.0.1 - for devices that don't use names.
  - `permanent-identifier` (experimental): to issue client certificates for devices (Apple devices only, currently). Please contact me if you use this; I would like to know if your use case works.
- Issuance profiles: depending on identifier type and EAB status the server can now choose issuance profiles, allowing the use of different templates (or ADCS servers) for different use cases.
- Reverse Proxy support: ADCS-ACME can now be run behind a reverse proxy that doesn't pass on the external host name.
- CSR validation now takes parameters that allow it to deviate from the ACME protocol. Be very careful with this feature.
Bug fixes
- ExternalAccountBinding requirement will now be communicated via metadata
Breaking changes
- Changed file logging package
- Configuration files have been rearranged and extended. There's only one appsettings.json now. Refer to the sample file for a proper description.
- If you build something based on the code of V1 or V2, there will be a lot of changes, since everything is now based on AspNetCore Minimal API instead of MVC.
V2.1.5
Since the 'main' branch is always the current version, please use this link to see the matching README
V2.1.5
- Order Expiry will now have an RFC 8555 conforming value (could lead to a warning in Posh-ACME)
V2.1.4
- Wildcard identifiers will now create RFC 8555 conforming authorizations (could lead to an error in WACS)
V2.1.3
- Accounts can now be read by sending a request containing an empty payload to its URL - formerly this was only possible with a payload containing an empty object. This affected Apache's mod_md.
V2.1.2
- ExternalAccountBinding status will show up in logs
- EAB will be a little bit more verbose with log outputs
- Settings are validated on start instead of on usage
V2.1.1
- ExternalAccountBinding requirement will now be announced via metadata.
What's Changed (V2.1.0)
- Authorization Validation and Certificate Issuance will now be triggered instantaneously instead of timer based.
- ExternalAccountBinding is now supported, when configured
V3.0.0 - Beta5
Features
- ACME (RFC 8555) compliant server for certificate issuance (the protocol that drives Let's Encrypt)
- Certificate issuance via Microsoft® Windows® Server Active Directory Certificate Services (MS ADCS)
- Challenge types: `http-01`, `dns-01`, `tls-alpn-01`, `device-attest-01`
- ExternalAccountBinding (EAB) support
- Identifier types:
  - `dns` (RFC 8555): e.g. www.example.com - as known from ACME
  - `ip` (RFC 8738): e.g. 127.0.0.1 - for devices that don't use names.
  - `permanent-identifier` (experimental): to issue client certificates for devices (Apple devices only, currently). Please contact me if you use this; I would like to know if your use case works.
- Issuance profiles: depending on identifier type and EAB status the server can now choose issuance profiles, allowing the use of different templates (or ADCS servers) for different use cases.
- Reverse Proxy support: ADCS-ACME can now be run behind a reverse proxy that doesn't pass on the external host name.
- CSR validation now takes parameters that allow it to deviate from the ACME protocol. Be very careful with this feature.
Bug fixes
- ExternalAccountBinding requirement will now be communicated via metadata
Breaking changes
- Changed file logging package
- Configuration files have been rearranged and extended. There's only one appsettings.json now. Refer to the sample file for a proper description.
- If you build something based on the code of V1 or V2, there will be a lot of changes, since everything is now based on AspNetCore Minimal API instead of MVC.
Configuration changes from beta1
"Profiles": {
"MyProfile": {
"CSRValidation": {
- "AllowedSANValue": {
- "DNSNameRegex": null,
- "IPNetworks": [],
- "URIRegex": null
- }
+ "SANValidationParameters": {
+ "DnsName": {
+ "ValidationRegex": null
+ },
+ "IPAdress": {
+ "ValidNetworks": []
+ },
+ "URI": {
+ "ValidationRegex": null
+ }
+ }
For a full reference of the CSR validation, refer to the SANValidationParameters in appsettings-sample.json.
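Review bot: The added key `IPAdress` is spelled with a single "d", which is easy to mistype as "IPAddress" when migrating by hand; please confirm the spelling against appsettings-sample.json and call it out here, since a key that does not match what the server reads would leave `ValidNetworks` unset without any visible error. The diff also does not say what `"ValidationRegex": null` and `"ValidNetworks": []` mean after the rename (no restriction, or nothing allowed), nor whether the removed `AllowedSANValue` keys are still accepted or silently ignored; a sentence on both would help operators who carry over a beta1 configuration, given that these parameters decide which SAN values a CSR may contain.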