[英]Generate Self-signed certificate with Root CA Signer
Scenario: I am using PowerShell on Windows Server 2012r2 to generate a Root certificate and want to use that to sign a newly created Intermediate and Web certificate in dynamic generated (and destroyed) dev/test environments. 场景:我在Windows Server 2012r2上使用PowerShell生成Root证书,并希望使用它来在动态生成(和销毁)的开发/测试环境中签署新创建的中级和Web证书。 The scripts are deployed remotely, and the intent is to keep it pure PowerShell if possible.
脚本是远程部署的,目的是尽可能保持纯PowerShell。 In Windows 10/2016 this is relatively easy, after generating the Root certificate:
在Windows 10/2016中,生成根证书后相对容易:
$Cert = New-SelfSignedCertificate -Signer $Root -Subject "CN=$Subject"
I've generated the Root certificate using COM X509Enrollment.CX509CertificateRequestCertificate
and Security.Cryptography.X509Certificates.X509Certificate2
in a bastardized PS that I've had for some time, mainly because I needed to ensure that the Subject and Usage were set very specifically. 我使用COM
X509Enrollment.CX509CertificateRequestCertificate
和Security.Cryptography.X509Certificates.X509Certificate2
在我已经有一段时间的X509Enrollment.CX509CertificateRequestCertificate
PS中生成了Root证书,主要是因为我需要确保主题和用法设置非常具体。 I am not quite certain how to use this to sign the standard certificate without the above (which I have used before). 我不太确定如何使用它来签署没有上述标准的证书(我之前使用过)。
There are some examples using Bouncy Castle (see below) in C# that I could tie into PowerShell, but then I would need to deploy this additionally on the dynamic dev/test environments and I want to be able to do this in Powershell (via COM if needed) with the least dependencies. 在C#中有一些使用Bouncy Castle(见下文)的例子我可以绑定到PowerShell,但是我需要在动态开发/测试环境中另外部署它,我希望能够在Powershell中执行此操作(通过COM)如果需要)具有最少的依赖性。
The ultimate solution in my case, avoiding makecert and openssl was to use Powershell and BouncyCastle. 在我的案例中,避免使用makecert和openssl的最终解决方案是使用Powershell和BouncyCastle。 I forked the PSBouncyCastle repo from PSBouncyCastle by RLipscombe and pushed 1.8.1 Bouncy Castle in. My forked version is the one I've used for the script, the fork resides at Forked: PSBouncyCastle.New .
我从RLipscombe分离了PSBouncyCastle的PSBouncyCastle回购并推送了1.8.1 Bouncy Castle。我的分叉版本是我用于脚本的版本,fork位于Forked:PSBouncyCastle.New 。
I then used StackOverflow: C# Generate Certificates on the Fly as inspiration to write the following powershell below, I will be adding this to my GitHub and commenting, and I will amend this as soon as I do : 然后我使用了StackOverflow:C#Generate Certificates in the Fly作为灵感来编写下面的powershell, 我将把它添加到我的GitHub并进行评论,我会尽快修改它 :
Import-Module -Name PSBouncyCastle.New
function New-SelfSignedCertificate {
[CmdletBinding()]
param (
[string]$SubjectName,
[string]$FriendlyName = "New Certificate",
[object]$Issuer,
[bool]$IsCA = $false,
[int]$KeyStrength = 2048,
[int]$ValidYears = 2,
[hashtable]$EKU = @{}
)
# Needed generators
$random = New-SecureRandom
$certificateGenerator = New-CertificateGenerator
if($Issuer -ne $null -and $Issuer.HasPrivateKey -eq $true)
{
$IssuerName = $Issuer.IssuerName.Name
$IssuerPrivateKey = $Issuer.PrivateKey
}
# Create and set a random certificate serial number
$serial = New-SerialNumber -Random $random
$certificateGenerator.SetSerialNumber($serial)
# The signature algorithm
$certificateGenerator.SetSignatureAlgorithm('SHA256WithRSA')
# Basic Constraints - certificate is allowed to be used as intermediate.
# Powershell requires either a $null or reassignment or it will return this from the function
$certificateGenerator = Add-BasicConstraints -isCertificateAuthority $IsCA -certificateGenerator $certificateGenerator
# Key Usage
if($EKU.Count -gt 0)
{
$certificateGenerator = $certificateGenerator | Add-ExtendedKeyUsage @EKU
}
# Create and set the Issuer and Subject name
$subjectDN = New-X509Name -Name ($SubjectName)
if($Issuer -ne $null) {
$IssuerDN = New-X509Name -Name ($IssuerName)
}
else
{
$IssuerDN = New-X509Name -Name ($SubjectName)
}
$certificateGenerator.SetSubjectDN($subjectDN)
$certificateGenerator.SetIssuerDN($IssuerDN)
# Authority Key and Subject Identifier
if($Issuer -ne $null)
{
$IssuerKeyPair = ConvertTo-BouncyCastleKeyPair -PrivateKey $IssuerPrivateKey
$IssuerSerial = [Org.BouncyCastle.Math.BigInteger]$Issuer.GetSerialNumber()
$authorityKeyIdentifier = New-AuthorityKeyIdentifier -name $Issuer.IssuerName.Name -publicKey $IssuerKeyPair.Public -serialNumber $IssuerSerial
$certificateGenerator = Add-AuthorityKeyIdentifier -certificateGenerator $certificateGenerator -authorityKeyIdentifier $authorityKeyIdentifier
}
# Validity range of the certificate
[DateTime]$notBefore = (Get-Date).AddDays(-1)
if($ValidYears -gt 0) {
[DateTime]$notAfter = $notBefore.AddYears($ValidYears)
}
$certificateGenerator.SetNotBefore($notBefore)
$certificateGenerator.SetNotAfter($notAfter)
# Subject public key ~and private
$subjectKeyPair = New-KeyPair -Strength $keyStrength -Random $random
if($IssuerPrivateKey -ne $null)
{
$IssuerKeyPair = [Org.BouncyCastle.Security.DotNetUtilities]::GetKeyPair($IssuerPrivateKey)
}
else
{
$IssuerKeyPair = $subjectKeyPair
}
$certificateGenerator.SetPublicKey($subjectKeyPair.Public)
# Create the Certificate
$IssuerKeyPair = $subjectKeyPair
$certificate = $certificateGenerator.Generate($IssuerKeyPair.Private, $random)
# At this point you have the certificate and need to convert it and export, I return the private key for signing the next cert
$pfxCertificate = ConvertFrom-BouncyCastleCertificate -certificate $certificate -subjectKeyPair $subjectKeyPair -friendlyName $FriendlyName
return $pfxCertificate
}
A few examples of usage for this powershell would be: 这个powershell的一些使用示例是:
Generate a Root CA 生成根CA.
$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $true
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx
Generate a Standard Self Signed 生成标准自签名
$TestSS = New-SelfSignedCertificate -subjectName "CN=TestLocal"
Export-Certificate -Certificate $TestSS -OutputFile "TestLocal.pfx" -X509ContentType Pfx
Generate a certificate, signing with a root certificate 生成证书,使用根证书签名
$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $true
$TestSigned = New-SelfSignedCertificate -subjectName "CN=TestSignedByRoot" -issuer $TestRootCA
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx
Generate a Self-Signed with Specific Usage 生成具有特定用途的自签名
$TestServerCert = New-SelfSignedCertificate -subjectName "CN=TestServerCert" -EKU @{ "ServerAuthentication" = $true }
Note that the -EKU parameter accepts via splatting, it does this to ensure that anything added to Add-ExtendedKeyUsage is validly passed. 请注意,-EKU参数通过splatting接受,它执行此操作以确保有效传递添加到Add-ExtendedKeyUsage的任何内容。 It accepts the following certificate usages:
它接受以下证书用法:
This fits my need and seems to work across all Windows Platforms we are using for dynamic environments. 这符合我的需要,似乎适用于我们用于动态环境的所有Windows平台。
"Itiverba Self-Signed certificate generator" ( http://www.itiverba.com/en/software/itisscg.php ) is a free GUI tool for Windows that allows you to create your own CA certificates and sign end-certificates with it. “Itiverba自签名证书生成器”( http://www.itiverba.com/en/software/itisscg.php )是一个免费的Windows GUI工具,允许您创建自己的CA证书并使用它签署最终证书。 You can export the certificates in PEM, CER, DER, PFX file formats.
您可以导出PEM,CER,DER,PFX文件格式的证书。
It's just 3 lines to encode : 编码只需3行:
Subject: CN="Testcorp - Private CA" 主题:CN =“Testcorp - 私人CA”
Basic Constraints: V (checked) 基本约束:V(已选中)
Basic Constraints / Subject Type: CA 基本约束/主题类型:CA
Give a file name and select a file format, then click on the "create certificate" button. 提供文件名并选择文件格式,然后单击“创建证书”按钮。 Your Custom CA certificate is done.
您的自定义CA证书已完成。
How about simply doing this: 如何简单地这样做:
$cert = New-SelfSignedCertificate -FriendlyName "MyCA"
-KeyExportPolicy ExportableEncrypted
-Provider "Microsoft Strong Cryptographic Provider"
-Subject "SN=TestRootCA" -NotAfter (Get-Date).AddYears($ExpiryInYears)
-CertStoreLocation Cert:\LocalMachine\My -KeyUsageProperty All
-KeyUsage CertSign, CRLSign, DigitalSignature
Important parameters are -KeyUsageProperty
and -KeyUsage
. 重要参数是
-KeyUsageProperty
和-KeyUsage
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.