使用Windows PowerShell / .Net创建证书和CSR,而无需使用外部程序或库

时间:2018-11-20 11:30:02

标签: powershell certificate ssl-certificate x509certificate2 pki

我想创建一个私钥和一个CSR,将CSR提交给证书颁发机构,在颁发证书后检索证书,并将私钥和证书作为单独的PEM文件,适合在非Microsoft应用程序中使用(它们通常是网络服务器)。我想避免在Windows Server 2016的Windows PowerShell中使用Java Keytool或OpenSSL生成密钥和证书签名请求。CSR将提交给Microsoft Active Directory证书服务。

需要证书的计算机上没有(也不会)安装OpenSSL和Java。由于证书是针对非Microsoft应用程序的,因此我也要避免在计算机上使用证书存储。我不介意使用“ certreq”来实际提交完整的CSR并在批准后检索生成的证书。

我有一些基于C# Export Private/Public RSA key from RSACryptoServiceProvider to PEM string的代码,该代码将从X509Certificate2中提取私钥。到目前为止,作为一个实验,我已经将它成功地用于PKCS12密钥库(密钥和CSR是通过Keytool创建的)。

Automate the process of creating a private key, a CSR and a final Signed Certificate in .NET Core的启发,我将以下内容融合在一起,但用尽了灵感,并不真正知道自己在做什么。如何完成将CSR提交给CA的过程(或将CSR作为文件输出以供certreq使用)?

[int]$KeyLength = 2048
$ComputerName = "jon"
$Domain = "domain.local"
[string]$DistinguishedName = "CN=$($ComputerName).$($Domain),OU=Unit,O=Org,C=GB"
$HashAlgo = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$RSASigPadding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

$RSAKey = [System.Security.Cryptography.RSA]::Create($KeyLength)
$Certificate = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new($DistinguishedName,$RSAKey,$HashAlgo,$RSASigPadding)

# Add Basic Constraints
$BasicConstraints = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($false,$false,0,$false)
$BCExtension = [System.Security.Cryptography.X509Certificates.X509Extension]::new($BasicConstraints,$false)
$Certificate.CertificateExtensions.Add($BCExtension)

# Add Subject Key Identifier extension
$SubjectKeyIdentifier = [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension]::new($Certificate.PublicKey,$false)
$SKIExtension = [System.Security.Cryptography.X509Certificates.X509Extension]::new($SubjectKeyIdentifier,$false)
$Certificate.CertificateExtensions.Add($SKIExtension)

# Add Key Usage
$KeyUsageFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
$KeyUsage = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($KeyUsageFlags,$true)
$KUExtension = [System.Security.Cryptography.X509Certificates.X509Extension]::new($KeyUsage,$true)
$Certificate.CertificateExtensions.Add($KUExtension)

# Add EKU
$ServerAuthentication = [System.Security.Cryptography.Oid]::New("Server Authentication")
$EKUOidCollection = [System.Security.Cryptography.OidCollection]::new()
$EKUOidCollection.Add($ServerAuthentication) | out-null # this outputs 0
$EnhancedKeyUsage = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($EKUOidCollection,$false)
$EKUExtension = [System.Security.Cryptography.X509Certificates.X509Extension]::new($EnhancedKeyUsage,$false)
$Certificate.CertificateExtensions.Add($EKUExtension)

# Add SAN
$SubjectAlternateNameBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
$SubjectAlternateNameBuilder.AddDnsName("$($ComputerName).$($Domain)")
$Certificate.CertificateExtensions.Add($SubjectAlternateNameBuilder.Build())

0 个答案:

没有答案
相关问题
最新问题