我正在尝试使用PowerShell创建自签名证书,以便在开发环境中加密和解密数据。我使用了优秀的New-SelfSignedCertificateEx PowerShell script。我的操作系统是Windows 10,我安装了Windows Management Framework 5.0。这是脚本:
New-SelfSignedCertificateEx `
-Subject "CN=Test, OU=Development" `
-NotAfter ([DateTime]::Parse('2099-12-31 11:59:59.9999999')) `
-ProviderName "Microsoft Software Key Storage Provider" `
-AlgorithmName ECDH_P256 `
-KeyLength 4096 `
-KeySpec Exchange `
-KeyUsage DataEncipherment `
-IsCA $false `
-SignatureAlgorithm SHA256 `
-FriendlyName Test `
-StoreLocation LocalMachine `
-StoreName My `
-Exportable
执行脚本会返回以下错误:
New-SelfSignedCertificateEx : CertEnroll::CX509PrivateKey::Create: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
At C:\create-self-signed-certificate.ps1:7 char:1
+ New-SelfSignedCertificateEx `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [New-SelfSignedCertificateEx], COMException
+ FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,New-SelfSignedCertificateEx
我研究了错误但找不到与我的问题直接相关的任何内容。我选择使用密钥存储提供程序代替旧版CSP。
我应该为KeySpec,KeyUsage和EnhancedKeyUsage参数使用哪些值?此证书的目的仅用于加密和解密任意字符串(无TLS,无代码签名等)
答案 0 :(得分:2)
正如您似乎已经发现的那样,问题是您在指定NIST-P256时为KeySize指定了值4096。对于RSA和DSA,KeySize大多是任意的,但是使用椭圆曲线算法,KeySize由曲线的顺序强制(1 <= d <= n,其中d是私钥,n是订单)
所以你不能真正选择KeySize,它不会选择曲线。