Skip to main content

Installation

Certeasy runs as a single binary. It targets Windows Server (to run close to your ADCS), but can also run on Linux for test environments.

Requirements

RequirementDetail
OSWindows Server 2016+ (production), Linux (dev/test)
ADCSActive Directory Certificate Services, accessible from the Certeasy host
certreq.exeAvailable on Windows, used to submit CSRs to ADCS
NetworkCerteasy must be reachable by ACME clients (HTTPS, port 443 or custom)
DatabaseSQLite (default, no setup), PostgreSQL, or SQL Server
Deployment topology

Certeasy is supported as a single-instance deployment, or as cold Active / Passive with manual switchover (PostgreSQL or SQL Server required, no SQLite). Running two Certeasy instances concurrently against the same database is not supported and produces silent failure modes (badNonce errors, drifting rate limits, etc.). See Deployment topology before deploying.

Download

Download the latest release from the releases page.

Each release ships three binaries — certeasy-<version>-linux-amd64, certeasy-<version>-darwin-arm64, and certeasy-<version>-windows-amd64.exe. The Windows binary is a single executable, no installer or runtime dependencies.

Verify your download

Each release ships a SHA256SUMS file. Verify the integrity of the binary before running it — see Verifying release binaries.

Directory Layout

Certeasy uses a work directory for runtime files (SQLite database, TLS cache, logs). The default locations are:

  • Windows: %ProgramData%\certeasy
  • Linux: /var/lib/certeasy

Create the directory and make sure Certeasy's service account has write access.

# Windows
New-Item -ItemType Directory -Path "C:\ProgramData\certeasy"
# Linux
mkdir -p /var/lib/certeasy

Running as a Windows Service

The recommended production setup is to run Certeasy as a Windows service using sc.exe or NSSM:

# Using sc.exe
sc.exe create Certeasy binPath= "C:\certeasy\certeasy.exe -f C:\certeasy\config.yml" start= auto
sc.exe description Certeasy "ACME server for internal ADCS"
sc.exe start Certeasy

The service account must have:

  • Write access to the work directory
  • Access to certreq.exe (usually C:\Windows\System32\certreq.exe)
  • Network access to the ADCS host

Running on Linux

go run cmd/main.go -f config.yml
# or
./certeasy -f config.yml
info

The Linux binary cannot submit to ADCS (no certreq.exe). Use the fake PKI authority for local testing on Linux.

Next Step

Once the binary is in place, configure Certeasy.