我尝试创建具有特定加密参数值的自签名证书。
在运行PowerShell 5.0的Win Server 2012 r2标准上,当我尝试使用
时New-SelfSignedCertificate
我收到错误:
New-SelfSignedCertificate:找不到与参数名称匹配的参数'主题'。
当我尝试使用-Subject参数时,除了笔记本电脑上允许的其他参数之外,该参数不会出现在智能感知中。
但是在我的笔记本电脑上(Win 10和PowerShell 5.0),我可以使用这些参数,并使用以下代码创建自签名证书
#create a Certificate
# OID for document encryption
$Oid = New-Object System.Security.Cryptography.Oid "1.3.6.1.4.1.311.80.1"
$oidCollection = New-Object System.Security.Cryptography.OidCollection
$oidCollection.Add($oid) > $Null
# Create enhanced key usage extension that allows document encryption
$Ext = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension $oidCollection, $true
$myCert = New-SelfSignedCertificate -Subject 'CN=myservernameasubject' -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec KeyExchange -KeyUsage KeyEncipherment, DataEncipherment -Extension $Ext
答案 0 :(得分:12)
使用-DnsName而不使用CN=。
从PowerShell帮助:
-DnsName <String>指定一个或多个DNS名称,以便在证书有效时放入证书的“使用者备用名称”扩展名 复制不是通过CloneCert参数指定的。 第一个DNS 名称也会保存为主题名称和颁发者名称。
不幸的是,Windows Server 2012 R2和Windows 8.1中的New-SelfSignedCertificate不支持-KeySpec和其他相关选项。否则,您正在查看三个选项之一以生成所需的证书;在How to create a self-signed certificate using C#?的答案中调整基于COM对象的代码以在PowerShell中使用,使用外部可执行文件(如makecert.exe),或在其他位置生成证书/密钥对,然后将其导入另一台计算机上的证书存储区。
更新:经过进一步研究,看起来在PowerShell中调整基于COM的代码是一个不错的选择。我找到了Vishal Agarwal的博客文章Generating a certificate (self-signed) using powershell and CertEnroll interfaces,它提供了以下PowerShell代码:
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
答案 1 :(得分:0)
以下对自签名选项的效果很好......
New-SelfSignedCertificate -DnsName "*.costoso100.com" -CertStoreLocation "cert:\LocalMachine\My"
我能够在大约15分钟内导出和设置LDAPS。