When securing a website with an SSL/TLS certificate, domain validation is a critical step to prove ownership or control over the domain. One of the most secure and automation-friendly methods for this is DNS-based domain validation. This method involves creating specific DNS records that a Certificate Authority (CA) can query to verify domain ownership.
This article provides a step-by-step guide on how to perform DNS-based domain validation using win-acme, a popular open-source ACME client, together with both the Webnames.ca DNS Hosting service and the Enterprise API. Whether you're setting up a new certificate or renewing an existing one, this guide will help you configure DNS validation efficiently and securely using win-acme's built-in tools and scripting capabilities.
Prerequisites
You will need:
A server with win-acme installed. (The recent simple-acme fork should also be drop-in compatible, and may in fact be the more supported tool in the future.)
A copy of the Webnames DNS validation plug-in PowerShell script from the simple-acme repository at https://github.com/simple-acme/reference-scripts/blob/main/Validation/Webnames.ps1
Webnames DNS Hosting on the root of the domain where you wish to provision the certificate. E.g. for the certificate CN sub.example.ca, you would need Webnames DNS hosting on example.ca.
A Webnames account with the Domain and Account Management Toolkit enabled.
An API username and key created via the Manage Users page.
It is recommended to store the API key in the simple-acme secret vault and reference it from the script arguments as a replaced argument, e.g. {vault://json/WebnamesAPIKey}. It is also recommended to store the key surrounded with double quotes, with a backtick placed before every non-alphanumeric character, so that win-acme can substitute it into the PowerShell arguments without problems. E.g. the key odsifj30$49j4ggg_340fqivm9j should be stored in the secret vault as "odsifj30`$49j4ggg_340fqivm9j".
Command-line
The following example PowerShell command starts certificate provisioning for sub.example.ca with DNS validation (the trailing backticks are PowerShell line continuations; replace <Your API Username> with your own API username):
& .\wacs.exe --accepttos `
--target manual `
--host sub.example.ca `
--validationmode dns-01 `
--validation script `
--dnsscript ".\Webnames.ps1" `
--dnscreatescriptarguments '-Action create -ZoneName {ZoneName} -RecordName {RecordName} -Token {Token} -APIUsername <Your API Username> -APIKey {vault://json/WebnamesAPIKey}' `
--dnsdeletescriptarguments '-Action delete -ZoneName {ZoneName} -RecordName {RecordName} -Token {Token} -APIUsername <Your API Username> -APIKey {vault://json/WebnamesAPIKey}'
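As an added example that is not part of this article, the Webnames.ps1 script or win-acme, the following PowerShell helpers cover two points above: producing the escaped vault value described under the prerequisites, and confirming that the _acme-challenge TXT record published by the create step is visible on every authoritative nameserver of the zone before the CA is asked to validate. It assumes the Windows DnsClient module (Resolve-DnsName) is available and that the zone's nameservers answer TXT queries directly; the function names ConvertTo-VaultEscapedKey and Test-AcmeTxtRecord are chosen here, and a backtick before a character that needs no escaping is harmless in a PowerShell double-quoted string, so escaping every non-alphanumeric character is a safe superset.

```powershell
# Added example helpers (not from Webnames.ps1 or win-acme). Assumes Resolve-DnsName
# from the Windows DnsClient module is available.

function ConvertTo-VaultEscapedKey {
    # Applies the storage rule from the article: wrap the key in double quotes and put a
    # backtick before every non-alphanumeric character so that win-acme can substitute
    # the value into the PowerShell script arguments without it being re-interpreted.
    param([Parameter(Mandatory)][string]$ApiKey)
    $escaped = [regex]::Replace($ApiKey, '[^A-Za-z0-9]', { param($m) '`' + $m.Value })
    return '"' + $escaped + '"'
}

function Test-AcmeTxtRecord {
    # Checks that the TXT record win-acme's create step published (RecordName is the full
    # _acme-challenge name, Token is the expected value) is visible on each authoritative
    # nameserver of ZoneName. Returns $true only when every nameserver serves the token.
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$RecordName,
        [Parameter(Mandatory)][string]$Token
    )
    $nameservers = (Resolve-DnsName -Name $ZoneName -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' }).NameHost
    $missing = @()
    foreach ($ns in $nameservers) {
        # Query each authoritative server directly, bypassing the local resolver cache.
        $txt = Resolve-DnsName -Name $RecordName -Type TXT -Server $ns -DnsOnly `
            -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'TXT' }
        $values = $txt | ForEach-Object { $_.Strings }
        if ($values -notcontains $Token) { $missing += $ns }
    }
    if ($missing.Count -gt 0) {
        Write-Warning ("Token not yet visible on: " + ($missing -join ', '))
        return $false
    }
    return $true
}

# Constructed sample values (not real credentials or a real challenge token):
ConvertTo-VaultEscapedKey -ApiKey 'odsifj30$49j4ggg_340fqivm9j'
Test-AcmeTxtRecord -ZoneName 'example.ca' -RecordName '_acme-challenge.sub.example.ca' `
    -Token '<token value passed by win-acme as {Token}>'
```

Run Test-AcmeTxtRecord with the same ZoneName, RecordName and Token values win-acme passes to the create action; if it returns $false, the record has not yet propagated to all nameservers and the CA's query may fail.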
Further reading
Webnames OpenAPI specs and test harness: https://www.webnames.ca/_/swagger/index.html
Simple-acme DNS script plugin docs: https://www.win-acme.com/reference/plugins/validation/dns/script