This time: an SSL certificate issued by SSL.com TLS Issuing ECC CA R2!
Background
Thanks to the experience of successfully issuing an SSL certificate with ZeroSSL ECC Domain Secure Site CA a few months ago, issuing this one with SSL.com TLS Issuing ECC CA R2 was considerably easier.
Result
Application steps
- Install the acme.sh script
curl https://get.acme.sh | sh -s email=admin@xxx
admin@xxx: the email address. Here I used the same email as my SSL.com account; if you need to request domain certificates from several CAs you will probably use one email for all of them anyway. Output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1032    0  1032    0     0   3470      0 --:--:-- --:--:-- --:--:--  3474
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  221k  100  221k    0     0  1412k      0 --:--:-- --:--:-- --:--:-- 1420k
[Fri Jul 4 01:53:35 EDT 2025] Installing from online archive.
[Fri Jul 4 01:53:35 EDT 2025] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Fri Jul 4 01:53:36 EDT 2025] Extracting master.tar.gz
[Fri Jul 4 01:53:36 EDT 2025] Installing to /root/.acme.sh
[Fri Jul 4 01:53:36 EDT 2025] Installed to /root/.acme.sh/acme.sh
[Fri Jul 4 01:53:36 EDT 2025] Installing alias to '/root/.bashrc'
[Fri Jul 4 01:53:36 EDT 2025] Close and reopen your terminal to start using acme.sh
[Fri Jul 4 01:53:36 EDT 2025] Installing alias to '/root/.cshrc'
[Fri Jul 4 01:53:36 EDT 2025] Installing alias to '/root/.tcshrc'
[Fri Jul 4 01:53:36 EDT 2025] Installing cron job
no crontab for root
no crontab for root
[Fri Jul 4 01:53:36 EDT 2025] bash has been found. Changing the shebang to use bash as preferred.
[Fri Jul 4 01:53:37 EDT 2025] OK
[Fri Jul 4 01:53:37 EDT 2025] Install success!
- Register with SSL.com
/root/.acme.sh/acme.sh --register-account --server sslcom
Output:
[Sat Sep 27 15:31:35 EDT 2025] Registering account: https://acme.ssl.com/sslcom-dv-ecc
[Sat Sep 27 15:31:36 EDT 2025] Account registration error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Please check your inbox at admin@xxx for ACME instructions. Visit https://secure.ssl.com/billing_profiles to add your billing information. If you need assistance, please contact support@ssl.com"}
Log in to that mailbox to obtain the two parameters --eab-hmac-key and --eab-kid, fill them in and run the following command again to register:
/root/.acme.sh/acme.sh --register-account --server sslcom --eab-hmac-key ****** --eab-kid ***
Output:
[Sat Sep 27 15:36:57 EDT 2025] Registering account: https://acme.ssl.com/sslcom-dv-ecc
[Sat Sep 27 15:36:59 EDT 2025] Registered
[Sat Sep 27 15:36:59 EDT 2025] ACCOUNT_THUMBPRINT='******'
- Request the certificate
/root/.acme.sh/acme.sh --server sslcom --keylength ec-384 --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --issue -d www.cyzwb.com -d cyzwb.com
--keylength: use this parameter when you want an ECC certificate.
--yes-I-know-dns-manual-mode-enough-go-ahead-please: the TXT records will be added by hand.
-d: followed by the domain(s) the certificate is requested for. Output:
[Sat Sep 27 15:37:22 EDT 2025] Using CA: https://acme.ssl.com/sslcom-dv-ecc
[Sat Sep 27 15:37:22 EDT 2025] Multi domain='DNS:www.cyzwb.com,DNS:cyzwb.com'
[Sat Sep 27 15:37:27 EDT 2025] Getting webroot for domain='www.cyzwb.com'
[Sat Sep 27 15:37:27 EDT 2025] Getting webroot for domain='cyzwb.com'
[Sat Sep 27 15:37:27 EDT 2025] Add the following TXT record:
[Sat Sep 27 15:37:27 EDT 2025] Domain: '_acme-challenge.www.cyzwb.com'
[Sat Sep 27 15:37:27 EDT 2025] TXT value: 'so0gPffVzhKs1pDa5mGYu6_rnixh_Vclfx04M64jebU'
[Sat Sep 27 15:37:27 EDT 2025] Please make sure to prepend '_acme-challenge.' to your domain
[Sat Sep 27 15:37:27 EDT 2025] so that the resulting subdomain is: _acme-challenge.www.cyzwb.com
[Sat Sep 27 15:37:27 EDT 2025] Add the following TXT record:
[Sat Sep 27 15:37:27 EDT 2025] Domain: '_acme-challenge.cyzwb.com'
[Sat Sep 27 15:37:27 EDT 2025] TXT value: 'f6xnfFhCwg1_Oo1hmY2ldcOxU_Sqss-F59JOPF1lRVQ'
[Sat Sep 27 15:37:27 EDT 2025] Please make sure to prepend '_acme-challenge.' to your domain
[Sat Sep 27 15:37:27 EDT 2025] so that the resulting subdomain is: _acme-challenge.cyzwb.com
[Sat Sep 27 15:37:27 EDT 2025] Please add the TXT records to the domains, and re-run with --renew.
[Sat Sep 27 15:37:27 EDT 2025] Please add '--debug' or '--log' to see more information.
[Sat Sep 27 15:37:27 EDT 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Now add or update the corresponding DNS records by hand.
- Verify the TXT records
/root/.acme.sh/acme.sh --server sslcom --keylength ec-384 --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --issue -d www.cyzwb.com -d cyzwb.com --renew
--renew: checks whether the corresponding TXT records have taken effect. Output:
[Sat Sep 27 15:42:12 EDT 2025] The domain 'www.cyzwb.com' seems to already have an ECC cert, let's use it.
[Sat Sep 27 15:42:12 EDT 2025] Renewing: 'www.cyzwb.com'
[Sat Sep 27 15:42:12 EDT 2025] Renewing using Le_API=https://acme.ssl.com/sslcom-dv-ecc
[Sat Sep 27 15:42:13 EDT 2025] Using CA: https://acme.ssl.com/sslcom-dv-ecc
[Sat Sep 27 15:42:13 EDT 2025] Multi domain='DNS:www.cyzwb.com,DNS:cyzwb.com'
[Sat Sep 27 15:42:13 EDT 2025] Verifying: www.cyzwb.com
[Sat Sep 27 15:42:15 EDT 2025] Success
[Sat Sep 27 15:42:15 EDT 2025] Verifying: cyzwb.com
[Sat Sep 27 15:42:16 EDT 2025] Success
[Sat Sep 27 15:42:16 EDT 2025] Verification finished, beginning signing.
[Sat Sep 27 15:42:16 EDT 2025] Let's finalize the order.
[Sat Sep 27 15:42:16 EDT 2025] Le_OrderFinalize='https://acme.ssl.com/ejbca/acme/sslcom-dv-ecc/acct/********/orders/********/finalize'
[Sat Sep 27 15:42:24 EDT 2025] Downloading cert.
[Sat Sep 27 15:42:24 EDT 2025] Le_LinkCert='https://acme.ssl.com/ejbca/acme/sslcom-dv-ecc/cert/********'
[Sat Sep 27 15:42:28 EDT 2025] Cert success.
-----BEGIN CERTIFICATE-----
************************************
************************************
************************************
************************************
-----END CERTIFICATE-----
[Sat Sep 27 15:42:28 EDT 2025] Your cert is in: /root/.acme.sh/www.cyzwb.com_ecc/www.cyzwb.com.cer
[Sat Sep 27 15:42:28 EDT 2025] Your cert key is in: /root/.acme.sh/www.cyzwb.com_ecc/www.cyzwb.com.key
[Sat Sep 27 15:42:28 EDT 2025] The intermediate CA cert is in: /root/.acme.sh/www.cyzwb.com_ecc/ca.cer
[Sat Sep 27 15:42:28 EDT 2025] And the full-chain cert is in: /root/.acme.sh/www.cyzwb.com_ecc/fullchain.cer
With that, a domain certificate signed by SSL.com TLS Issuing ECC CA R2 has been issued!
Aside
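The manual DNS mode above only succeeds if every _acme-challenge TXT record is actually resolvable when --renew runs. The following script is an added example (not from the post or from the acme.sh project) that parses the "Add the following TXT record" lines, waits until each record is visible in DNS, and only then re-runs acme.sh. It assumes dig is installed; the domain names and token values in SAMPLE_LOG are constructed, not the post's real ones.

```shell
#!/bin/sh
# Added example (not from the post or acme.sh): wrap manual DNS mode so --renew
# is only run once every _acme-challenge TXT record really resolves.
# Assumes 'dig' on the host; SAMPLE_LOG names/tokens are constructed.

# Constructed sample of the "Add the following TXT record" lines acme.sh prints.
SAMPLE_LOG=$(cat <<'EOF'
[Sat Sep 27 15:37:27 EDT 2025] Add the following TXT record:
[Sat Sep 27 15:37:27 EDT 2025] Domain: '_acme-challenge.www.example.com'
[Sat Sep 27 15:37:27 EDT 2025] TXT value: 'tokenA_000'
[Sat Sep 27 15:37:27 EDT 2025] Add the following TXT record:
[Sat Sep 27 15:37:27 EDT 2025] Domain: '_acme-challenge.example.com'
[Sat Sep 27 15:37:27 EDT 2025] TXT value: 'tokenB_111'
EOF
)

# Turn the log (stdin) into "name value" lines; fields sit between single quotes.
parse_txt_records() {
  awk -F"'" '/Domain: /{name=$2} /TXT value: /{print name, $2}'
}

# Live lookup; dig prints each TXT string in double quotes, one record per line.
dig_txt() { dig +short TXT "$1"; }

# $1 = lookup function, $2 = "name value" lines. Returns 0 only when every expected
# value is present; stale TXT records coexisting with the new one are tolerated.
txt_records_ready() {
  resolver=$1; records=$2; status=0
  while read -r name expected; do
    [ -z "$name" ] && continue
    if "$resolver" "$name" | tr -d '"' | grep -Fqx -- "$expected"; then
      echo "ok       $name"
    else
      echo "waiting  $name"
      status=1
    fi
  done <<EOF
$records
EOF
  return $status
}

# On a real host: poll until the records are visible, then finish the order.
main() {
  records=$(printf '%s\n' "$SAMPLE_LOG" | parse_txt_records)  # pipe the real --issue output here
  until txt_records_ready dig_txt "$records"; do sleep 30; done
  /root/.acme.sh/acme.sh --server sslcom --keylength ec-384 --dns \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please --issue -d www.example.com -d example.com --renew
}
```

Run main on the host only after pointing it at your own domains; dig queries the system resolver, so a negative answer cached there can delay readiness even after the authoritative zone is updated.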
This is more or less my first time using SSL.com's free domain certificates, and I don't yet know whether they can be requested an unlimited number of times.
My first impression: looking at how many levels the intermediate CA chain has, I couldn't help thinking there are far too many! In practice I found that some devices can use a "simple" three-level certificate chain, while others need the "complex" chain.
On Windows 10, the EdgeHTML version of Edge shows a four-level chain with AAA Certificate Services as the root certificate, whereas Chrome on Windows 2019 uses the SSL.com TLS ECC Root CA 2022 root. Likewise, Edge on Android ≥ 11 also uses the SSL.com TLS ECC Root CA 2022 root, while Edge on Android = 12 uses the AAA Certificate Services root.
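The server always sends the same chain (the contents of fullchain.cer: leaf plus intermediates); the differing roots seen above come from each client building its own path up to whichever trust anchor it holds. The script below is an added example (not from the post) that summarises the chain a server actually sends or the chain acme.sh wrote to disk, reporting its depth, whether the certificates are in the right order and whether a self-signed root was bundled. It assumes openssl is installed; the subject/issuer lines in SAMPLE_CHAIN are constructed.

```shell
#!/bin/sh
# Added example (not from the post): summarise the chain a server actually sends,
# to compare with the root a given client ends up displaying. Assumes openssl
# on the host; the sample subject/issuer lines below are constructed.

# Constructed output in the format 'openssl pkcs7 -print_certs -noout' produces:
# a leaf plus one intermediate, root not bundled (as in acme.sh's fullchain.cer).
SAMPLE_CHAIN=$(cat <<'EOF'
subject=CN = www.example.com
issuer=O = Example Corp, CN = Example Issuing ECC CA

subject=O = Example Corp, CN = Example Issuing ECC CA
issuer=O = Example Corp, CN = Example Root CA
EOF
)

# Reads subject=/issuer= lines from stdin and reports depth, ordering and whether
# the last cert is self-signed (a bundled root only adds bytes to every handshake).
chain_summary() {
  awk '
    /^subject=/ { sub(/^subject=/, ""); subj[++n] = $0 }
    /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0 }
    END {
      ok = "yes"
      for (i = 2; i <= n; i++) if (subj[i] != iss[i-1]) ok = "no"
      printf "depth=%d\n", n
      for (i = 1; i <= n; i++) printf "%d: %s  <-  %s\n", i, subj[i], iss[i]
      root = (n > 0 && subj[n] == iss[n]) ? "yes" : "no"
      printf "ordered=%s\nroot_included=%s\n", ok, root
    }'
}

# What the live server sends (SNI set, no stdin): host name as $1.
served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
    openssl pkcs7 -print_certs -noout | chain_summary
}

# What acme.sh wrote to disk: path to fullchain.cer as $1.
file_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | chain_summary
}
```

Comparing served_chain for your host with file_chain on fullchain.cer shows whether the web server is sending everything acme.sh produced; a client still displaying a different root is then building an alternative path from its own store, not reacting to a server misconfiguration.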
ChiuYut
September 28, 2025