I have a WebApp in Azure that uses an SSL binding certificate (generated through the Azure portal). I want to retrieve the public key (PEM file) of this SSL certificate using Azure PowerShell. I have managed to extract the public key in C# back-end code with the mycertificate.GetPublicKeyString() function, but I don't know how to achieve this in PowerShell. Do you have any ideas?
Many thanks.
Answer 0: (score: 1)
You can use Get-PfxCertificate to extract the public certificate from a PKCS#12 archive (.pfx / .p12):
$pfx = Get-PfxCertificate -FilePath C:\archive.pfx
# Base64-encode the DER certificate and add the armour lines so $pem is a valid PEM file
$pem = "-----BEGIN CERTIFICATE-----`n" + [Convert]::ToBase64String($pfx.GetRawCertData(), 'InsertLineBreaks') + "`n-----END CERTIFICATE-----"
Answer 1: (score: 1)
I wrote a script to do this, except that it extracts the private key. The key to success is exporting your public key in Pkcs8 format. If you use GetRSAPublicKey instead, this should lead you to exporting the public-key PEM.
<#
FileName: pfx-2-pem.ps1
Author: rashadrivera.com
Description: This PowerShell script converts a PFX file into PEM format for use in WebPack's
Dev Server configurations. This script is an alternative to using the common
OpenSSL, open-source tool; which is an untrusted, unmaintained, security risk.
#>
param (
    [Parameter(Mandatory=$true, HelpMessage="Path to your PFX file")]
    [string] $pfxPath,
    [Parameter(Mandatory=$false, HelpMessage="Optional PFX password")]
    [string] $pfxPassword,
    [Parameter(Mandatory=$false, HelpMessage="File path for certificate PEM export")]
    [string] $certFile = ".\your.cer.as.pem",
    [Parameter(Mandatory=$false, HelpMessage="Path to your private-key PEM export")]
    [string] $pvkFile = ".\your.private-key.as.pem"
)
# The private key must be loaded as exportable, otherwise CngKey.Export() below fails
$IMPORT_PFX_EXPORT_OPTIONS = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$HAS_PASSWORD = -Not([System.String]::IsNullOrEmpty($pfxPassword))
function Main() {
    # Make .NET's current directory match PowerShell's so relative paths resolve consistently
    [System.IO.Directory]::SetCurrentDirectory($(Get-Location))
    _validateParameters
    if (-NOT($HAS_PASSWORD)) {
        # Ensure NULL instead of empty or white-space string
        $pfxPassword = $null
    }
    $pfxAsCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword, $IMPORT_PFX_EXPORT_OPTIONS)
    _exportCertPEM $pfxAsCertificate $certFile
    _exportPrivateKeyPEM $pfxAsCertificate $pvkFile
}
function _exportCertPEM([System.Security.Cryptography.X509Certificates.X509Certificate2]$pfx, [System.String] $outputPath) {
    # RawData is the DER-encoded certificate; base64 with line breaks plus the armour lines gives PEM
    $base64CertText = [System.Convert]::ToBase64String($pfx.RawData, "InsertLineBreaks")
    $out = New-Object String[] -ArgumentList 3
    $out[0] = "-----BEGIN CERTIFICATE-----"
    $out[1] = $base64CertText
    $out[2] = "-----END CERTIFICATE-----"
    [System.IO.File]::WriteAllLines($outputPath, $out)
}
function _exportPrivateKeyPEM([System.Security.Cryptography.X509Certificates.X509Certificate2]$pfx, [System.String] $outputPath) {
    $key = _extractCngKeyFromCert $pfx
    # Pkcs8PrivateBlob is the unencrypted PKCS#8 DER, which is what "BEGIN PRIVATE KEY" denotes
    $base64CertText = [System.Convert]::ToBase64String($key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob), "InsertLineBreaks");
    $out = New-Object String[] -ArgumentList 3
    $out[0] = "-----BEGIN PRIVATE KEY-----"
    $out[1] = $base64CertText
    $out[2] = "-----END PRIVATE KEY-----"
    [System.IO.File]::WriteAllLines($outputPath, $out)
}
function _extractCngKeyFromCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$pfx) {
    $algorithmAsOidString = $pfx.GetKeyAlgorithm()
    $algorithmAsOid = [System.Security.Cryptography.Oid]::new($algorithmAsOidString)
    if ($algorithmAsOid.FriendlyName -eq "RSA") {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($pfx)
        $rsaCng = ([System.Security.Cryptography.RSACng]$rsa)
        return $rsaCng.Key
    } elseif ($algorithmAsOid.FriendlyName -eq "ECC") {
        $ecDsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($pfx)
        $ecDsaCng = ([System.Security.Cryptography.ECDsaCng]$ecDsa)
        return $ecDsaCng.Key
    } else {
        # $(...) is required to expand a property inside a double-quoted string
        throw "Certificate algorithm of '$($algorithmAsOid.FriendlyName)' is not supported"
    }
}
function _validateFilePathString($path) {
    try {
        [System.IO.FileInfo]::new($path) > $null
    } catch {
        throw "File path '$path' is invalid: $($PSItem.Exception.Message)"
    }
}
function _validateParameters() {
    if (-Not([System.IO.File]::Exists($pfxPath))) {
        throw "PFX file '$pfxPath' was not found"
    }
    try {
        if ($HAS_PASSWORD) {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword, $IMPORT_PFX_EXPORT_OPTIONS) > $null
        } else {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $null, $IMPORT_PFX_EXPORT_OPTIONS) > $null
        }
    } catch {
        if ($HAS_PASSWORD) {
            throw "Source path of '$pfxPath' is not an X509 certificate file or the password specified is incorrect. Error: `r`n$($PSItem.Exception.Message)"
        } else {
            throw "Source path of '$pfxPath' is not an X509 certificate file OR a password is required. Error: `r`n$($PSItem.Exception.Message)"
        }
    }
    _validateFilePathString $certFile
    _validateFilePathString $pvkFile
}
Main
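As an added example that is not part of the question or of either answer above, here is the GetRSAPublicKey route this answer points at, carried through to a public-key PEM (the "BEGIN PUBLIC KEY" SubjectPublicKeyInfo form that TLS tooling expects) with an ECDSA fallback. It assumes PowerShell 7.0 or later (ExportSubjectPublicKeyInfo() does not exist in Windows PowerShell 5.1); the parameter names and the default output path are my own choice.

```powershell
# Added example (not from the question or any answer): export only the public key of a
# PFX as a SubjectPublicKeyInfo PEM. Assumes PowerShell 7.0+ (.NET Core 3.0 or later),
# where ExportSubjectPublicKeyInfo() exists; Windows PowerShell 5.1 lacks it.
param (
    [Parameter(Mandatory = $true)] [string] $PfxPath,
    [string] $PfxPassword = '',              # empty string for a PFX without a password
    [string] $OutFile = '.\public-key.pem'   # hypothetical default output path
)

# RFC 7468 PEM: 64-character base64 lines between the armour lines.
function ConvertTo-Pem([byte[]] $Der, [string] $Label) {
    $b64 = [Convert]::ToBase64String($Der)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    return "-----BEGIN $Label-----`n" + ($lines -join "`n") + "`n-----END $Label-----"
}

# Resolve the path first so .NET does not use a different current directory than PowerShell.
# No private key is exported here, so the Exportable storage flag is not needed.
$fullPath = (Resolve-Path -LiteralPath $PfxPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath, [string] $PfxPassword)

# GetRSAPublicKey returns $null for non-RSA certificates, so fall back to ECDSA.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $key) {
    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
}
if ($null -eq $key) {
    throw "Unsupported key algorithm '$($cert.GetKeyAlgorithm())' in $PfxPath"
}

# SubjectPublicKeyInfo DER = algorithm identifier + public key; this is the
# "BEGIN PUBLIC KEY" content that 'openssl pkey -pubin' and most TLS tooling consume.
$spki = $key.ExportSubjectPublicKeyInfo()
$pem  = ConvertTo-Pem -Der $spki -Label 'PUBLIC KEY'
Set-Content -LiteralPath $OutFile -Value $pem -Encoding ascii

# SPKI SHA-256 pin (base64), useful for checking that the exported key matches
# the key the live site actually presents.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$pin = [Convert]::ToBase64String($sha256.ComputeHash($spki))
Write-Host "Wrote $OutFile for '$($cert.Subject)'; SPKI sha256 pin: $pin"
```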
Answer 2: (score: 0)
I found this article:
On $pfxCertObject you can call $pfxCertObject.GetPublicKeyString(), which gives you the public key in hexadecimal form.
Using https://holtstrom.com/michael/tools/hextopem.php you can convert it to PEM format.
Hope this helps.