Installation
Certeasy runs as a single binary. It targets Windows Server (to run close to your ADCS), but can also run on Linux for test environments.
Requirements
| Requirement | Detail |
|---|---|
| OS | Windows Server 2016+ (production), Linux (dev/test) |
| ADCS | Active Directory Certificate Services, accessible from the Certeasy host |
| certreq.exe | Available on Windows, used to submit CSRs to ADCS |
| Network | Certeasy must be reachable by ACME clients (HTTPS, port 443 or custom) |
| Database | SQLite (default, no setup), PostgreSQL, or SQL Server |
Certeasy is supported as a single-instance deployment, or as cold Active / Passive with manual switchover (PostgreSQL or SQL Server required, no SQLite). Running two Certeasy instances concurrently against the same database is not supported and produces silent failure modes (badNonce errors, drifting rate limits, etc.). See Deployment topology before deploying.
Download
Download the latest release from the releases page.
Each release ships three binaries: certeasy-<version>-linux-amd64, certeasy-<version>-darwin-arm64, and certeasy-<version>-windows-amd64.exe. The Windows binary is a single executable with no installer or runtime dependencies.
Each release ships a SHA256SUMS file. Verify the integrity of the binary before running it — see Verifying release binaries.
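One way to run the SHA256SUMS check on a Windows host, as an added example (not Certeasy's own tooling and not taken from Verifying release binaries). It assumes SHA256SUMS uses the usual sha256sum line layout (`<hex digest>  <filename>`); the function name Test-ReleaseChecksum and the paths in the usage line are placeholders.

```powershell
# Added example, not part of the Certeasy distribution.
# Assumption: each SHA256SUMS line is "<64 hex chars>  <filename>" (sha256sum
# layout, with an optional "*" in front of the file name).
function Test-ReleaseChecksum {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BinaryPath,   # downloaded release binary
        [Parameter(Mandatory)] [string] $SumsPath      # SHA256SUMS from the same release
    )

    $name = Split-Path -Leaf $BinaryPath
    $expected = $null

    foreach ($line in Get-Content -LiteralPath $SumsPath) {
        # Skip blank or malformed lines instead of guessing at their meaning.
        if ($line -notmatch '^([0-9A-Fa-f]{64})\s+\*?(.+)$') { continue }
        $digest = $Matches[1]
        $file   = $Matches[2].Trim()
        if ($file -ne $name) { continue }
        # Two different digests for one file name: do not trust the sums file.
        if ($expected -and $expected -ne $digest) {
            throw "SHA256SUMS lists conflicting digests for $name"
        }
        $expected = $digest
    }

    # A missing entry is a failure, never an implicit pass.
    if (-not $expected) { throw "No SHA256SUMS entry for $name" }

    $actual = (Get-FileHash -LiteralPath $BinaryPath -Algorithm SHA256).Hash
    # -ne on strings is case-insensitive, so upper- and lower-case hex compare equal.
    if ($actual -ne $expected) {
        throw "Checksum mismatch for ${name}: expected $expected, got $actual"
    }
    return $true
}

# Usage (placeholder paths; use the real file name of the release you downloaded):
# Test-ReleaseChecksum -BinaryPath .\certeasy-<version>-windows-amd64.exe -SumsPath .\SHA256SUMS
```

A match shows only that the binary agrees with the SHA256SUMS file you fetched, so take both from the releases page over HTTPS rather than from a mirror or a forwarded copy.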
Directory Layout
Certeasy uses a work directory for runtime files (SQLite database, TLS cache, logs). The default locations are:
- Windows: %ProgramData%\certeasy
- Linux: /var/lib/certeasy
Create the directory and make sure Certeasy's service account has write access.
# Windows
New-Item -ItemType Directory -Path "C:\ProgramData\certeasy"
# Linux
mkdir -p /var/lib/certeasy
Running as a Windows Service
The recommended production setup is to run Certeasy as a Windows service using sc.exe or NSSM:
# Using sc.exe
sc.exe create Certeasy binPath= "C:\certeasy\certeasy.exe -f C:\certeasy\config.yml" start= auto
sc.exe description Certeasy "ACME server for internal ADCS"
sc.exe start Certeasy
The service account must have:
- Write access to the work directory
- Access to certreq.exe (usually C:\Windows\System32\certreq.exe)
- Network access to the ADCS host
Running on Linux
go run cmd/main.go -f config.yml
# or
./certeasy -f config.yml
The Linux binary cannot submit to ADCS (no certreq.exe). Use the fake PKI authority for local testing on Linux.
Next Step
Once the binary is in place, configure Certeasy.