I created a self-signed certificate on the server using PowerShell.
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
I then went on to mmc:
File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer
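I expanded the "Personal" folder, where you can see my localhost certificate
I copied and pasted it into Trusted Root Certification Authorities - Certificates
After that, I bound my application on IIS:
But I still get an error:
How can I solve my problem? Or maybe there is another free solution.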
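Answer 0 (score: 0)
You should copy the certificate to both Personal and Trusted Root Certification Authorities. To set up a self-signed certificate for IIS with PowerShell, the following function should help you.
Run the script as administrator. If you are using Windows 10, you have to install the WebAdministration module.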
#Install-Module -Name 'WebAdministration'
Import-Module -Name WebAdministration

function AddSelfSignedCertificateToSSL([String]$dnsname, [String]$siteName='Default Web Site'){
    # Create the certificate in the machine's Personal store
    $newCert = New-SelfSignedCertificate -DnsName $dnsname -CertStoreLocation Cert:\LocalMachine\My
    # Attach it to the site's existing https binding
    $binding = Get-WebBinding -Name $siteName -Protocol "https"
    $binding.AddSslCertificate($newCert.GetCertHashString(), "My")
    $newCertThumbprint = $newCert.Thumbprint
    # Add the same certificate to Trusted Root Certification Authorities
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
    $store.Add($newCert)
    # Release the store handle once the certificate has been written
    $store.Close()
    return $newCertThumbprint
}

Write-Host "Installing self-signed certificate Cert:\LocalMachine\My and Cert:\LocalMachine\Root .."
$certinstalledThumbprint = AddSelfSignedCertificateToSSL 'someacmeapp.somedomain.net'
Write-Host "Added certificate $certinstalledThumbprint to Cert:\LocalMachine\My and Cert:\LocalMachine\Root and set this up as the SSL certificate on Default Web Site."
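Note that modern browsers such as Chrome will complain about the weak algorithm used in the self-signed certificate, and about the fact that no third-party certificate authority (such as GoDaddy) can confirm the certificate's validity, because it is self-signed and uses a weak algorithm.
Answer 1 (score: 0)
The following commands in PowerShell (run as administrator) solve the problem: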
1.- We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
2.- We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256"
3.- We copy the thumbprint returned by the last command
4.- (If necessary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:3002
5.- We associate the new certificate with any ip and your port, 3002 in your case (the appid value is any valid guid):
netsh http add sslcert ipport=0.0.0.0:3002 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint
6.- Now, you must drag and drop the TestRootCA from Personal/Certificates folder to Trusted Root Certification Authorities/Certificates.
These commands also resolve the ERR_CERT_WEAK_SIGNATURE_ALGORITHM error that Google Chrome returns later, because the certificate is created with SHA256 instead of SHA1.
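A check to run after either approach above, as an added example that is not part of the question or either answer: it reports whether the certificate in Cert:\LocalMachine\My is signed with SHA256, carries the server-authentication EKU, matches the DNS name, and chains to a root the machine trusts, and it lists root-store entries whose private key sits on this machine so test roots can be found and removed later. The function names and the thumbprint placeholder are hypothetical.

```powershell
# Added example, not from the original answers. Run as administrator.
# Function names are hypothetical; the thumbprint is the one New-SelfSignedCertificate printed.
function Test-DevTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$ExpectedDnsName = 'localhost'
    )
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate $Thumbprint in Cert:\LocalMachine\My" }

    # Build the chain in machine context (the context IIS uses). Revocation
    # checking is off because a locally created test CA publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # EnhancedKeyUsageList and DnsNameList are added by the PowerShell certificate provider.
    $ekuOids  = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $sigAlg   = $cert.SignatureAlgorithm.FriendlyName

    [pscustomobject]@{
        Subject            = $cert.Subject
        HasPrivateKey      = $cert.HasPrivateKey
        SignatureAlgorithm = $sigAlg
        WeakSignature      = $sigAlg -match 'sha1|md5'
        DnsNameMatches     = $dnsNames -contains $ExpectedDnsName
        # No EKU extension means the certificate is not restricted to specific usages.
        ServerAuthEku      = ($ekuOids.Count -eq 0) -or ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
        ChainTrusted       = $chainOk
        ChainErrors        = $chainErrors
        NotAfter           = $cert.NotAfter
    }
}

# Root-store entries whose private key is present on this machine. Public CA roots
# never have one, so anything listed here was created or imported locally.
function Get-RootCertificateWithPrivateKey {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.HasPrivateKey } |
        Select-Object Subject, Thumbprint, NotAfter
}

# Usage (replace the placeholder with the thumbprint copied in step 3):
# Test-DevTlsCertificate -Thumbprint '<THUMBPRINT_PLACEHOLDER>' -ExpectedDnsName 'localhost'
# Get-RootCertificateWithPrivateKey
```

A result with `WeakSignature` true or `ChainTrusted` false corresponds to the browser errors discussed above; entries returned by `Get-RootCertificateWithPrivateKey` can be removed from the root store once testing is finished.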