diff --git a/packages/core/acme-client/src/auto.js b/packages/core/acme-client/src/auto.js
index ed59fba1b..749f7a932 100644
--- a/packages/core/acme-client/src/auto.js
+++ b/packages/core/acme-client/src/auto.js
@@ -255,9 +255,8 @@ module.exports = async (client, userOpts) => {
         return await client.getCertificate(finalized, opts.preferredChain);
     }
     catch (e) {
-        log('证书申请失败');
-        log(e);
-        throw new Error(`证书申请失败:${e.message}`);
+        log(`证书申请失败${e.message}`);
+        throw e;
     }
     finally {
         log(`清理challenge痕迹，length:${clearTasks.length}`);
diff --git a/packages/core/acme-client/src/crypto/index.js b/packages/core/acme-client/src/crypto/index.js
index f0c3c367e..53599f5d9 100644
--- a/packages/core/acme-client/src/crypto/index.js
+++ b/packages/core/acme-client/src/crypto/index.js
@@ -290,7 +290,6 @@ exports.readCsrDomains = (csrPem) => {
     if (Buffer.isBuffer(csrPem)) {
         csrPem = csrPem.toString();
     }
-
     const dec = x509.PemConverter.decodeFirst(csrPem);
     const csr = new x509.Pkcs10CertificateRequest(dec);
     return parseDomains(csr);
diff --git a/packages/core/pipeline/src/access/api.ts b/packages/core/pipeline/src/access/api.ts
index 2540bcbaa..5343b30d7 100644
--- a/packages/core/pipeline/src/access/api.ts
+++ b/packages/core/pipeline/src/access/api.ts
@@ -4,6 +4,7 @@ import { FormItemProps } from "../dt/index.js";
 export type AccessInputDefine = FormItemProps & {
   title: string;
   required?: boolean;
+  encrypt?: boolean;
 };
 export type AccessDefine = Registrable & {
   input?: {
diff --git a/packages/plugins/plugin-cert/src/access/eab-access.ts b/packages/plugins/plugin-cert/src/access/eab-access.ts
index 6a82097c7..241bca1c1 100644
--- a/packages/plugins/plugin-cert/src/access/eab-access.ts
+++ b/packages/plugins/plugin-cert/src/access/eab-access.ts
@@ -13,6 +13,7 @@ export class EabAccess {
     },
     helper: "EAB KID",
     required: true,
+    encrypt: true,
   })
   kid = "";
   @AccessInput({
@@ -22,6 +23,7 @@ export class EabAccess {
     },
     helper: "EAB HMAC Key",
     required: true,
+    encrypt: true,
   })
   hmacKey = "";
 }
diff --git a/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts b/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
index b941474fe..169bed720 100644
--- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
+++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
@@ -7,7 +7,7 @@ import { IContext } from "@certd/pipeline";
 import { IDnsProvider } from "../../dns-provider/index.js";
 import psl from "psl";
 import { ClientExternalAccountBindingOptions, UrlMapping } from "@certd/acme-client";
-
+import { utils } from "@certd/pipeline";
 export type CertInfo = {
   crt: string;
   key: string;
@@ -90,6 +90,13 @@ export class AcmeService {
     }
     if (this.options.useMappingProxy) {
       urlMapping.enabled = true;
+    } else {
+      //测试directory是否可以访问
+      const isOk = await this.testDirectory(directoryUrl);
+      if (!isOk) {
+        this.logger.info("测试访问失败，自动使用代理");
+        urlMapping.enabled = true;
+      }
     }
     const client = new acme.Client({
       directoryUrl: directoryUrl,
@@ -295,4 +302,19 @@ export class AcmeService {
       altNames,
     };
   }
+
+  private async testDirectory(directoryUrl: string) {
+    try {
+      await utils.http({
+        url: directoryUrl,
+        method: "GET",
+        timeout: 5000,
+      });
+    } catch (e) {
+      this.logger.error(`${directoryUrl}，测试访问失败`, e);
+      return false;
+    }
+    this.logger.info(`${directoryUrl}，测试访问成功`);
+    return true;
+  }
 }
diff --git a/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts b/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
index d9b5d5e06..3fc62c39b 100644
--- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
+++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
@@ -80,7 +80,8 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
       name: "pi-dns-provider-selector",
     },
     required: true,
-    helper: "请选择dns解析提供商",
+    helper:
+      "请选择dns解析提供商，您的域名是在哪里注册的，或者域名的dns解析服务器属于哪个平台\n如果这里没有您的dns解析提供商，您可以将域名解析服务器设置成上面的任意一个提供商",
   })
   dnsProviderType!: string;
 
@@ -108,7 +109,6 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
       name: "a-switch",
       vModel: "checked",
     },
-    maybeNeed: true,
     helper: "如果acme-v02.api.letsencrypt.org或dv.acme-v02.api.pki.goog被墙无法访问，请尝试开启此选项",
   })
   useProxy = false;
diff --git a/packages/ui/certd-client/package.json b/packages/ui/certd-client/package.json
index 4c7fbaf95..0564f8104 100644
--- a/packages/ui/certd-client/package.json
+++ b/packages/ui/certd-client/package.json
@@ -30,6 +30,7 @@
     "@fast-crud/ui-interface": "^1.21.2",
     "@iconify/vue": "^4.1.1",
     "@soerenmartius/vue3-clipboard": "^0.1.2",
+    "@vue-js-cron/light": "^4.0.5",
     "ant-design-vue": "^4.1.2",
     "axios": "^1.7.2",
     "axios-mock-adapter": "^1.22.0",
diff --git a/packages/ui/certd-client/src/components/cron-editor/index.vue b/packages/ui/certd-client/src/components/cron-editor/index.vue
new file mode 100644
index 000000000..a9ea62366
--- /dev/null
+++ b/packages/ui/certd-client/src/components/cron-editor/index.vue
@@ -0,0 +1,80 @@
+<template>
+  <div class="cron-editor">
+    <div class="flex-o">
+      <cron-light
+        :disabled="disabled"
+        :readonly="readonly"
+        :period="period"
+        class="flex-o cron-ant"
+        locale="zh-CN"
+        format="quartz"
+        :model-value="modelValue"
+        @update:model-value="onUpdate"
+        @error="onError"
+      />
+    </div>
+    <div class="mt-5">
+      <a-input :disabled="true" :readonly="readonly" :value="modelValue" @change="onChange"></a-input>
+    </div>
+    <div class="fs-helper">{{ errorMessage }}</div>
+  </div>
+</template>
+
+<script lang="ts" setup>
+import { ref } from "vue";
+const props = defineProps<{
+  modelValue?: string;
+  disabled?: boolean;
+  readonly?: boolean;
+}>();
+
+const period = ref<string>("day");
+
+const emit = defineEmits<{
+  "update:modelValue": any;
+}>();
+
+const errorMessage = ref<string | null>(null);
+
+const onUpdate = (value: string) => {
+  if (value === props.modelValue) {
+    return;
+  }
+  emit("update:modelValue", value);
+  errorMessage.value = undefined;
+};
+
+const onPeriod = (value: string) => {
+  period.value = value;
+};
+
+const onChange = (e: any) => {
+  const value = e.target.value;
+  onUpdate(value);
+};
+const onError = (error: any) => {
+  errorMessage.value = error;
+};
+</script>
+<style lang="less">
+.cron-editor {
+  .cron-ant {
+    flex-wrap: wrap;
+    &* > {
+      margin-bottom: 2px;
+      display: flex;
+      align-items: center;
+    }
+    .vcron-select-list {
+      min-width: 56px;
+    }
+    .vcron-select-input {
+      min-height: 22px;
+    }
+    .vcron-select-container {
+      display: flex;
+      align-items: center;
+    }
+  }
+}
+</style>
diff --git a/packages/ui/certd-client/src/components/index.ts b/packages/ui/certd-client/src/components/index.ts
index 1a522c5f3..07e3fce05 100644
--- a/packages/ui/certd-client/src/components/index.ts
+++ b/packages/ui/certd-client/src/components/index.ts
@@ -5,6 +5,9 @@ import PiOutputSelector from "../views/certd/pipeline/pipeline/component/output-
 import PiEditable from "./editable.vue";
 import VipButton from "./vip-button/index.vue";
 import { CheckCircleOutlined, InfoCircleOutlined, UndoOutlined } from "@ant-design/icons-vue";
+import CronEditor from "./cron-editor/index.vue";
+import { CronLight } from "@vue-js-cron/light";
+import "@vue-js-cron/light/dist/light.css";
 export default {
   install(app: any) {
     app.component("PiContainer", PiContainer);
@@ -13,6 +16,8 @@ export default {
     app.component("PiOutputSelector", PiOutputSelector);
     app.component("PiDnsProviderSelector", PiDnsProviderSelector);
     app.component("VipButton", VipButton);
+    app.component("CronLight", CronLight);
+    app.component("CronEditor", CronEditor);
 
     app.component("CheckCircleOutlined", CheckCircleOutlined);
     app.component("InfoCircleOutlined", InfoCircleOutlined);
diff --git a/packages/ui/certd-client/src/style/common.less b/packages/ui/certd-client/src/style/common.less
index decf1d22d..2f78e5168 100644
--- a/packages/ui/certd-client/src/style/common.less
+++ b/packages/ui/certd-client/src/style/common.less
@@ -64,7 +64,9 @@ h1, h2, h3, h4, h5, h6 {
   flex: 1;
 }
 
-
+.mb-2{
+  margin-bottom:2px;
+}
 .ml-5{
   margin-left:5px;
 }
@@ -84,6 +86,9 @@ h1, h2, h3, h4, h5, h6 {
 .mr-15{
   margin-right: 15px;
 }
+.mt-5{
+  margin-top:5px;
+}
 .mt-10{
   margin-top:10px;
 }
diff --git a/packages/ui/certd-client/src/views/certd/pipeline/certd-form/crud.tsx b/packages/ui/certd-client/src/views/certd/pipeline/certd-form/crud.tsx
index 77e7f1051..574554313 100644
--- a/packages/ui/certd-client/src/views/certd/pipeline/certd-form/crud.tsx
+++ b/packages/ui/certd-client/src/views/certd/pipeline/certd-form/crud.tsx
@@ -39,7 +39,8 @@ export default function (certPluginGroup: PluginGroup, formWrapperRef: any): Cre
       form: {
         wrapper: {
           width: "1150px",
-          saveRemind: false
+          saveRemind: false,
+          title: "创建证书申请流水线"
         }
       },
       columns: {
@@ -73,6 +74,8 @@ export default function (certPluginGroup: PluginGroup, formWrapperRef: any): Cre
           type: "text",
           form: {
             component: {
+              name: "cron-editor",
+              vModel: "modelValue",
               placeholder: "0 0 4 * * *"
             },
             helper: "请输入cron表达式, 例如：0 0 4 * * *，每天凌晨4点触发",
diff --git a/packages/ui/certd-client/src/views/certd/pipeline/crud.tsx b/packages/ui/certd-client/src/views/certd/pipeline/crud.tsx
index 273934878..f1127c43c 100644
--- a/packages/ui/certd-client/src/views/certd/pipeline/crud.tsx
+++ b/packages/ui/certd-client/src/views/certd/pipeline/crud.tsx
@@ -112,7 +112,7 @@ export default function ({ crudExpose, context: { certdFormRef } }: CreateCrudOp
           },
           addCertd: {
             order: 1,
-            text: "添加证书流水线",
+            text: "创建证书流水线",
             type: "primary",
             click() {
               addCertdPipeline();
diff --git a/packages/ui/certd-client/src/views/certd/pipeline/pipeline/component/trigger-form/index.vue b/packages/ui/certd-client/src/views/certd/pipeline/pipeline/component/trigger-form/index.vue
index eba102b34..99c5bff74 100644
--- a/packages/ui/certd-client/src/views/certd/pipeline/pipeline/component/trigger-form/index.vue
+++ b/packages/ui/certd-client/src/views/certd/pipeline/pipeline/component/trigger-form/index.vue
@@ -15,13 +15,7 @@
     </template>
     <template v-if="currentTrigger">
       <pi-container>
-        <a-form
-          ref="triggerFormRef"
-          class="trigger-form"
-          :model="currentTrigger"
-          :label-col="labelCol"
-          :wrapper-col="wrapperCol"
-        >
+        <a-form ref="triggerFormRef" class="trigger-form" :model="currentTrigger" :label-col="labelCol" :wrapper-col="wrapperCol">
           <fs-form-item
             v-model="currentTrigger.title"
             :item="{
@@ -59,8 +53,8 @@
               key: 'props.cron',
               component: {
                 disabled: !editMode,
-                name: 'a-input',
-                vModel: 'value'
+                name: 'cron-editor',
+                vModel: 'modelValue'
               },
               helper: 'cron表达式，例如： 0 0 3 * * * ，表示每天凌晨3点触发',
               rules: [{ required: true, message: '此项必填' }]
diff --git a/packages/ui/certd-server/db/migration-pg/v10008__access_encrypt.sql b/packages/ui/certd-server/db/migration-pg/v10008__access_encrypt.sql
new file mode 100644
index 000000000..515325517
--- /dev/null
+++ b/packages/ui/certd-server/db/migration-pg/v10008__access_encrypt.sql
@@ -0,0 +1 @@
+alter table cd_access  add "encrypt_setting" text;
diff --git a/packages/ui/certd-server/db/migration/v10007__access_text.sql b/packages/ui/certd-server/db/migration/v10007__access_text.sql
new file mode 100644
index 000000000..e69de29bb
diff --git a/packages/ui/certd-server/db/migration/v10008__access_encrypt.sql b/packages/ui/certd-server/db/migration/v10008__access_encrypt.sql
new file mode 100644
index 000000000..e179d605d
--- /dev/null
+++ b/packages/ui/certd-server/db/migration/v10008__access_encrypt.sql
@@ -0,0 +1,2 @@
+alter table cd_access  add COLUMN "encrypt_setting" text;
+
diff --git a/packages/ui/certd-server/src/config/config.default.ts b/packages/ui/certd-server/src/config/config.default.ts
index 0fb389d9e..d5a1ffc05 100644
--- a/packages/ui/certd-server/src/config/config.default.ts
+++ b/packages/ui/certd-server/src/config/config.default.ts
@@ -12,13 +12,11 @@ import { PipelineEntity } from '../modules/pipeline/entity/pipeline.js';
 //import { logger } from '../utils/logger';
 // load .env file in process.cwd
 import { mergeConfig } from './loader.js';
-import { Keys } from './keys.js';
 
 const env = process.env.NODE_ENV || 'development';
 
-const keys = Keys.load();
 const development = {
-  keys: keys.cookieKeys,
+  keys: 'certd',
   koa: {
     port: 7001,
   },
@@ -78,7 +76,6 @@ const development = {
 
   auth: {
     jwt: {
-      secret: keys.jwtKey,
       expire: 7 * 24 * 60 * 60, //单位秒
     },
   },
diff --git a/packages/ui/certd-server/src/config/keys.ts b/packages/ui/certd-server/src/config/keys.ts
deleted file mode 100644
index ebab080b6..000000000
--- a/packages/ui/certd-server/src/config/keys.ts
+++ /dev/null
@@ -1,31 +0,0 @@
-import fs from 'fs';
-import yaml from 'js-yaml';
-import * as _ from 'lodash-es';
-import { nanoid } from 'nanoid';
-import path from 'path';
-const KEYS_FILE = './data/keys.yaml';
-export class Keys {
-  jwtKey: string = nanoid();
-  cookieKeys: string[] = [nanoid()];
-
-  static load(): Keys {
-    const keys = new Keys();
-    if (fs.existsSync(KEYS_FILE)) {
-      const content = fs.readFileSync(KEYS_FILE, 'utf8');
-      const json = yaml.load(content);
-      _.merge(keys, json);
-    }
-    keys.save();
-    return keys;
-  }
-
-  save() {
-    const parent = path.dirname(KEYS_FILE);
-    if (!fs.existsSync(parent)) {
-      fs.mkdirSync(parent, {
-        recursive: true,
-      });
-    }
-    fs.writeFileSync(KEYS_FILE, yaml.dump(this));
-  }
-}
diff --git a/packages/ui/certd-server/src/middleware/authority.ts b/packages/ui/certd-server/src/middleware/authority.ts
index 271e65a8b..f4fefde44 100644
--- a/packages/ui/certd-server/src/middleware/authority.ts
+++ b/packages/ui/certd-server/src/middleware/authority.ts
@@ -1,21 +1,31 @@
-import { Config, Inject, MidwayWebRouterService, Provide } from '@midwayjs/core';
+import { Init, Inject, MidwayWebRouterService, Provide, Scope, ScopeEnum } from '@midwayjs/core';
 import { IMidwayKoaContext, IWebMiddleware, NextFunction } from '@midwayjs/koa';
 import jwt from 'jsonwebtoken';
 import { Constants } from '../basic/constants.js';
 import { logger } from '../utils/logger.js';
 import { AuthService } from '../modules/authority/service/auth-service.js';
+import { SysSettingsService } from '../modules/system/service/sys-settings-service.js';
+import { SysPrivateSettings } from '../modules/system/service/models.js';
 
 /**
  * 权限校验
  */
 @Provide()
+@Scope(ScopeEnum.Singleton)
 export class AuthorityMiddleware implements IWebMiddleware {
-  @Config('auth.jwt.secret')
-  private secret: string;
   @Inject()
   webRouterService: MidwayWebRouterService;
   @Inject()
   authService: AuthService;
+  @Inject()
+  sysSettingsService: SysSettingsService;
+
+  secret: string;
+  @Init()
+  async init() {
+    const setting: SysPrivateSettings = await this.sysSettingsService.getSetting(SysPrivateSettings);
+    this.secret = setting.jwtKey;
+  }
 
   resolve() {
     return async (ctx: IMidwayKoaContext, next: NextFunction) => {
diff --git a/packages/ui/certd-server/src/modules/auto/auto-init-site.ts b/packages/ui/certd-server/src/modules/auto/auto-init-site.ts
index 01f844c55..15ff2746b 100644
--- a/packages/ui/certd-server/src/modules/auto/auto-init-site.ts
+++ b/packages/ui/certd-server/src/modules/auto/auto-init-site.ts
@@ -3,9 +3,9 @@ import { logger } from '../../utils/logger.js';
 import { UserService } from '../authority/service/user-service.js';
 import { SysSettingsService } from '../system/service/sys-settings-service.js';
 import { nanoid } from 'nanoid';
-import { SysInstallInfo, SysLicenseInfo } from '../system/service/models.js';
+import { SysInstallInfo, SysLicenseInfo, SysPrivateSettings } from '../system/service/models.js';
 import { verify } from '@certd/pipeline';
-
+import crypto from 'crypto';
 export type InstallInfo = {
   installTime: number;
   instanceId?: string;
@@ -23,6 +23,7 @@ export class AutoInitSite {
   @Init()
   async init() {
     logger.info('初始化站点开始');
+    //安装信息
     const installInfo: SysInstallInfo = await this.sysSettingsService.getSetting(SysInstallInfo);
     if (!installInfo.siteId) {
       installInfo.siteId = nanoid();
@@ -33,6 +34,19 @@ export class AutoInitSite {
       await this.sysSettingsService.saveSetting(installInfo);
     }
 
+    //private信息
+    const privateInfo = await this.sysSettingsService.getSetting<SysPrivateSettings>(SysPrivateSettings);
+    if (!privateInfo.jwtKey) {
+      privateInfo.jwtKey = nanoid();
+      await this.sysSettingsService.saveSetting(privateInfo);
+    }
+
+    if (!privateInfo.encryptSecret) {
+      const secretKey = crypto.randomBytes(32);
+      privateInfo.encryptSecret = secretKey.toString('base64');
+      await this.sysSettingsService.saveSetting(privateInfo);
+    }
+
     // 授权许可
     const licenseInfo: SysLicenseInfo = await this.sysSettingsService.getSetting(SysLicenseInfo);
     const req = {
diff --git a/packages/ui/certd-server/src/modules/login/service/login-service.ts b/packages/ui/certd-server/src/modules/login/service/login-service.ts
index 1d3dae874..722677ac2 100644
--- a/packages/ui/certd-server/src/modules/login/service/login-service.ts
+++ b/packages/ui/certd-server/src/modules/login/service/login-service.ts
@@ -4,6 +4,8 @@ import jwt from 'jsonwebtoken';
 import { CommonException } from '../../../basic/exception/common-exception.js';
 import { RoleService } from '../../authority/service/role-service.js';
 import { UserEntity } from '../../authority/entity/user.js';
+import { SysSettingsService } from '../../system/service/sys-settings-service.js';
+import { SysPrivateSettings } from '../../system/service/models.js';
 
 /**
  * 系统用户
@@ -17,6 +19,9 @@ export class LoginService {
   @Config('auth.jwt')
   private jwt: any;
 
+  @Inject()
+  sysSettingsService: SysSettingsService;
+
   /**
    * login
    */
@@ -47,7 +52,11 @@ export class LoginService {
       roles: roleIds,
     };
     const expire = this.jwt.expire;
-    const token = jwt.sign(tokenInfo, this.jwt.secret, {
+
+    const setting = await this.sysSettingsService.getSetting<SysPrivateSettings>(SysPrivateSettings);
+    const jwtSecret = setting.jwtKey;
+
+    const token = jwt.sign(tokenInfo, jwtSecret, {
       expiresIn: expire,
     });
 
diff --git a/packages/ui/certd-server/src/modules/pipeline/controller/access-controller.ts b/packages/ui/certd-server/src/modules/pipeline/controller/access-controller.ts
index cc68200ae..42f6b6d3f 100644
--- a/packages/ui/certd-server/src/modules/pipeline/controller/access-controller.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/controller/access-controller.ts
@@ -1,12 +1,4 @@
-import {
-  ALL,
-  Body,
-  Controller,
-  Inject,
-  Post,
-  Provide,
-  Query,
-} from '@midwayjs/core';
+import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
 import { CrudController } from '../../../basic/crud-controller.js';
 import { AccessService } from '../service/access-service.js';
 import { Constants } from '../../../basic/constants.js';
@@ -28,7 +20,7 @@ export class AccessController extends CrudController<AccessService> {
   async page(@Body(ALL) body) {
     body.query = body.query ?? {};
     body.query.userId = this.ctx.user.id;
-    return super.page(body);
+    return await super.page(body);
   }
 
   @Post('/list', { summary: Constants.per.authOnly })
diff --git a/packages/ui/certd-server/src/modules/pipeline/entity/access.ts b/packages/ui/certd-server/src/modules/pipeline/entity/access.ts
index 8855c1ebf..d69128c72 100644
--- a/packages/ui/certd-server/src/modules/pipeline/entity/access.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/entity/access.ts
@@ -15,9 +15,12 @@ export class AccessEntity {
   @Column({ comment: '类型', length: 100 })
   type: string;
 
-  @Column({ name: 'setting', comment: '设置', length: 1024, nullable: true })
+  @Column({ name: 'setting', comment: '设置', length: 10240, nullable: true })
   setting: string;
 
+  @Column({ name: 'encrypt_setting', comment: '已加密设置', length: 10240, nullable: true })
+  encryptSetting: string;
+
   @Column({
     name: 'create_time',
     comment: '创建时间',
diff --git a/packages/ui/certd-server/src/modules/pipeline/service/access-service.ts b/packages/ui/certd-server/src/modules/pipeline/service/access-service.ts
index 5ef3b6978..9644a51e3 100644
--- a/packages/ui/certd-server/src/modules/pipeline/service/access-service.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/access-service.ts
@@ -1,33 +1,127 @@
-import { Provide, Scope, ScopeEnum } from '@midwayjs/core';
+import { Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
 import { InjectEntityModel } from '@midwayjs/typeorm';
 import { Repository } from 'typeorm';
 import { BaseService } from '../../../basic/base-service.js';
 import { AccessEntity } from '../entity/access.js';
-import { accessRegistry, IAccessService } from '@certd/pipeline';
+import { AccessDefine, accessRegistry, IAccessService } from '@certd/pipeline';
+import { EncryptService } from './encrypt-service.js';
+import { ValidateException } from '../../../basic/exception/validation-exception.js';
 
 /**
  * 授权
  */
 @Provide()
 @Scope(ScopeEnum.Singleton)
-export class AccessService
-  extends BaseService<AccessEntity>
-  implements IAccessService
-{
+export class AccessService extends BaseService<AccessEntity> implements IAccessService {
   @InjectEntityModel(AccessEntity)
   repository: Repository<AccessEntity>;
 
+  @Inject()
+  encryptService: EncryptService;
+
   getRepository() {
     return this.repository;
   }
 
+  async page(query, page = { offset: 0, limit: 20 }, order, buildQuery) {
+    const res = await super.page(query, page, order, buildQuery);
+    res.records = res.records.map(item => {
+      delete item.encryptSetting;
+      return item;
+    });
+    return res;
+  }
+
+  async add(param) {
+    this.encryptSetting(param, null);
+    return await super.add(param);
+  }
+
+  encryptSetting(param: any, oldSettingEntity?: AccessEntity) {
+    const accessType = param.type;
+    const accessDefine: AccessDefine = accessRegistry.getDefine(accessType);
+    if (!accessDefine) {
+      throw new ValidateException(`授权类型${accessType}不存在`);
+    }
+    const setting = param.setting;
+    if (!setting) {
+      return;
+    }
+    const json = JSON.parse(setting);
+    let oldSetting = {};
+    let encryptSetting = {};
+    const firstEncrypt = !oldSettingEntity.encryptSetting || oldSettingEntity.encryptSetting === '{}';
+    if (oldSettingEntity) {
+      oldSetting = JSON.parse(oldSettingEntity.setting || '{}');
+      encryptSetting = JSON.parse(oldSettingEntity.encryptSetting || '{}');
+    }
+    for (const key in json) {
+      //加密
+      const value = json[key];
+      const accessInputDefine = accessDefine.input[key];
+      if (!accessInputDefine) {
+        throw new ValidateException(`授权类型${accessType}不存在字段${key}`);
+      }
+      if (!accessInputDefine.encrypt || !value || typeof value !== 'string') {
+        //定义无需加密、value为空、不是字符串 这些不需要加密
+        encryptSetting[key] = {
+          value: value,
+          encrypt: false,
+        };
+        continue;
+      }
+
+      if (firstEncrypt || oldSetting[key] !== value) {
+        //星号保护
+        const length = value.length;
+        const subIndex = Math.min(2, length);
+        const starLength = length - subIndex * 2;
+        const starString = '*'.repeat(starLength);
+        json[key] = value.substring(0, subIndex) + starString + value.substring(value.length - subIndex);
+        encryptSetting[key] = {
+          value: this.encryptService.encrypt(value),
+          encrypt: true,
+        };
+      }
+      //未改变情况下，不做修改
+    }
+    param.encryptSetting = JSON.stringify(encryptSetting);
+    param.setting = JSON.stringify(json);
+  }
+  /**
+   * 修改
+   * @param param 数据
+   */
+  async update(param) {
+    const oldEntity = await this.info(param.id);
+    if (oldEntity == null) {
+      throw new ValidateException('该授权配置不存在,请确认是否已被删除');
+    }
+    this.encryptSetting(param, oldEntity);
+    return await super.update(param);
+  }
+
   async getById(id: any): Promise<any> {
     const entity = await this.info(id);
     if (entity == null) {
       throw new Error(`该授权配置不存在,请确认是否已被删除:id=${id}`);
     }
     // const access = accessRegistry.get(entity.type);
-    const setting = JSON.parse(entity.setting);
+    let setting = {};
+    if (entity.encryptSetting && entity.encryptSetting !== '{}') {
+      setting = JSON.parse(entity.encryptSetting);
+      for (const key in setting) {
+        //解密
+        const encryptValue = setting[key];
+        let value = encryptValue.value;
+        if (encryptValue.encrypt) {
+          value = this.encryptService.decrypt(value);
+        }
+        setting[key] = value;
+      }
+    } else if (entity.setting) {
+      setting = JSON.parse(entity.setting);
+    }
     return {
       id: entity.id,
       ...setting,
diff --git a/packages/ui/certd-server/src/modules/pipeline/service/dns-provider-service.ts b/packages/ui/certd-server/src/modules/pipeline/service/dns-provider-service.ts
index 0037d65f5..32006ad33 100644
--- a/packages/ui/certd-server/src/modules/pipeline/service/dns-provider-service.ts
+++ b/packages/ui/certd-server/src/modules/pipeline/service/dns-provider-service.ts
@@ -1,7 +1,7 @@
-import { Provide, Scope, ScopeEnum } from '@midwayjs/core';
+import { Provide } from '@midwayjs/core';
 import { dnsProviderRegistry } from '@certd/plugin-cert';
+
 @Provide()
-@Scope(ScopeEnum.Singleton)
 export class DnsProviderService {
   getList() {
     return dnsProviderRegistry.getDefineList();
diff --git a/packages/ui/certd-server/src/modules/pipeline/service/encrypt-service.ts b/packages/ui/certd-server/src/modules/pipeline/service/encrypt-service.ts
new file mode 100644
index 000000000..0237e7951
--- /dev/null
+++ b/packages/ui/certd-server/src/modules/pipeline/service/encrypt-service.ts
@@ -0,0 +1,44 @@
+import { Init, Inject, Provide, Scope, ScopeEnum } from '@midwayjs/core';
+import crypto from 'crypto';
+import { SysSettingsService } from '../../system/service/sys-settings-service.js';
+import { SysPrivateSettings } from '../../system/service/models.js';
+
+/**
+ * 授权
+ */
+@Provide()
+@Scope(ScopeEnum.Singleton)
+export class EncryptService {
+  secretKey: Buffer;
+
+  @Inject()
+  sysSettingService: SysSettingsService;
+
+  @Init()
+  async init() {
+    const privateInfo: SysPrivateSettings = await this.sysSettingService.getSetting(SysPrivateSettings);
+    this.secretKey = Buffer.from(privateInfo.encryptSecret, 'base64');
+  }
+
+  // 加密函数
+  encrypt(text: string) {
+    const iv = crypto.randomBytes(16); // 初始化向量
+    // const secretKey = crypto.randomBytes(32);
+    // const key = Buffer.from(secretKey);
+    const cipher = crypto.createCipheriv('aes-256-cbc', this.secretKey, iv);
+    let encrypted = cipher.update(text);
+    encrypted = Buffer.concat([encrypted, cipher.final()]);
+    return iv.toString('hex') + ':' + encrypted.toString('hex');
+  }
+
+  // 解密函数
+  decrypt(encryptedText: string) {
+    const textParts = encryptedText.split(':');
+    const iv = Buffer.from(textParts.shift(), 'hex');
+    const encrypted = Buffer.from(textParts.join(':'), 'hex');
+    const decipher = crypto.createDecipheriv('aes-256-cbc', Buffer.from(this.secretKey), iv);
+    let decrypted = decipher.update(encrypted);
+    decrypted = Buffer.concat([decrypted, decipher.final()]);
+    return decrypted.toString();
+  }
+}
diff --git a/packages/ui/certd-server/src/modules/system/service/models.ts b/packages/ui/certd-server/src/modules/system/service/models.ts
index 2e3a1797e..d0c33568b 100644
--- a/packages/ui/certd-server/src/modules/system/service/models.ts
+++ b/packages/ui/certd-server/src/modules/system/service/models.ts
@@ -19,6 +19,8 @@ export class SysPrivateSettings extends BaseSettings {
   static __title__ = '系统私有设置';
   static __access__ = 'private';
   static __key__ = 'sys.private';
+  jwtKey?: string;
+  encryptSecret?: string;
 }
 
 export class SysInstallInfo extends BaseSettings {
diff --git a/packages/ui/certd-server/src/plugins/plugin-aliyun/access/aliyun-access.ts b/packages/ui/certd-server/src/plugins/plugin-aliyun/access/aliyun-access.ts
index d7ec28ce0..248e79505 100644
--- a/packages/ui/certd-server/src/plugins/plugin-aliyun/access/aliyun-access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-aliyun/access/aliyun-access.ts
@@ -21,6 +21,7 @@ export class AliyunAccess {
       placeholder: 'accessKeySecret',
     },
     required: true,
+    encrypt: true,
   })
   accessKeySecret = '';
 }
diff --git a/packages/ui/certd-server/src/plugins/plugin-cloudflare/access.ts b/packages/ui/certd-server/src/plugins/plugin-cloudflare/access.ts
index d14a12c75..1ec9c5774 100644
--- a/packages/ui/certd-server/src/plugins/plugin-cloudflare/access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-cloudflare/access.ts
@@ -20,6 +20,7 @@ export class CloudflareAccess {
     },
     helper: '前往 https://dash.cloudflare.com/profile/api-tokens 获取API令牌， token权限必须包含：[Zone区域-Zone区域-Edit编辑], [Zone区域-DNS-Edit编辑]',
     required: true,
+    encrypt: true,
   })
   apiToken = '';
 }
diff --git a/packages/ui/certd-server/src/plugins/plugin-demo/access.ts b/packages/ui/certd-server/src/plugins/plugin-demo/access.ts
index 345a204a0..fa3c77e7a 100644
--- a/packages/ui/certd-server/src/plugins/plugin-demo/access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-demo/access.ts
@@ -34,6 +34,7 @@ export class DemoAccess implements IAccess {
     },
     //是否必填
     required: true,
+    encrypt: true,
   })
   //属性名称
   demoKeySecret = '';
diff --git a/packages/ui/certd-server/src/plugins/plugin-host/access/ssh-access.ts b/packages/ui/certd-server/src/plugins/plugin-host/access/ssh-access.ts
index 64560eea8..e5bad29a8 100644
--- a/packages/ui/certd-server/src/plugins/plugin-host/access/ssh-access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-host/access/ssh-access.ts
@@ -38,6 +38,7 @@ export class SshAccess implements IAccess, ConnectConfig {
       name: 'a-input-password',
       vModel: 'value',
     },
+    encrypt: true,
     helper: '登录密码或密钥必填一项',
   })
   password!: string;
@@ -48,6 +49,7 @@ export class SshAccess implements IAccess, ConnectConfig {
       name: 'a-textarea',
       vModel: 'value',
     },
+    encrypt: true,
   })
   privateKey!: string;
 
@@ -58,6 +60,7 @@ export class SshAccess implements IAccess, ConnectConfig {
       name: 'a-input-password',
       vModel: 'value',
     },
+    encrypt: true,
   })
   passphrase!: string;
 
diff --git a/packages/ui/certd-server/src/plugins/plugin-huawei/access/huawei-access.ts b/packages/ui/certd-server/src/plugins/plugin-huawei/access/huawei-access.ts
index bfcae7bbd..a807bb54c 100644
--- a/packages/ui/certd-server/src/plugins/plugin-huawei/access/huawei-access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-huawei/access/huawei-access.ts
@@ -21,6 +21,7 @@ export class HuaweiAccess {
       placeholder: 'accessKeySecret',
     },
     required: true,
+    encrypt: true,
   })
   accessKeySecret = '';
 }
diff --git a/packages/ui/certd-server/src/plugins/plugin-other/access/k8s-access.ts b/packages/ui/certd-server/src/plugins/plugin-other/access/k8s-access.ts
index 70811b24a..2e054fa5b 100644
--- a/packages/ui/certd-server/src/plugins/plugin-other/access/k8s-access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-other/access/k8s-access.ts
@@ -14,6 +14,7 @@ export class K8sAccess {
       placeholder: 'kubeconfig',
     },
     required: true,
+    encrypt: true,
   })
   kubeconfig = '';
 }
diff --git a/packages/ui/certd-server/src/plugins/plugin-tencent/access/dnspod-access.ts b/packages/ui/certd-server/src/plugins/plugin-tencent/access/dnspod-access.ts
index fc7bf2ca8..c4f931370 100644
--- a/packages/ui/certd-server/src/plugins/plugin-tencent/access/dnspod-access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-tencent/access/dnspod-access.ts
@@ -35,6 +35,7 @@ export class DnspodAccess {
     component: {
       placeholder: '开放接口token',
     },
+    encrypt: true,
     rules: [{ required: true, message: '该项必填' }],
   })
   token = '';
diff --git a/packages/ui/certd-server/src/plugins/plugin-tencent/access/tencent-access.ts b/packages/ui/certd-server/src/plugins/plugin-tencent/access/tencent-access.ts
index 234a58e72..3a9cbb38f 100644
--- a/packages/ui/certd-server/src/plugins/plugin-tencent/access/tencent-access.ts
+++ b/packages/ui/certd-server/src/plugins/plugin-tencent/access/tencent-access.ts
@@ -19,6 +19,7 @@ export class TencentAccess {
     component: {
       placeholder: 'secretKey',
     },
+    encrypt: true,
     rules: [{ required: true, message: '该项必填' }],
   })
   secretKey = '';