Powershell创建新的自签名证书。 根CA证书:绝对不能存在extendedKeyUsage。
[英]Powershell creating new self signed certificate. Root CA Certificate: extendedKeyUsage MUST NOT be present.t
问题描述
I am currently making a RootCA and a SAN cert using powershell. 
我目前正在使用Powershell制作RootCA和SAN证书。 Now everything is working as it should only it seems soms browsers are pretty strict when it comes to trusting a certificate. 现在,一切都在正常进行,因为似乎所有浏览器在信任证书时都非常严格。 I am currently getting one last error when running my certificate through a linter (Z-lint in this case). 我目前正在通过短绒棉衣(在这种情况下为Z-lint)运行证书时遇到最后一个错误。
zlint ERROR Root CA Certificate: extendedKeyUsage MUST NOT be present.t zlint错误根CA证书:绝对不能出现ExtendedKeyUsage.t
Now the error is pretty obvious... extendedKeyUsage should not be present in my powershell command when creating my RootCA 现在错误非常明显...在创建我的RootCA时,我的powershell命令中不应该存在ExtendedKeyUsage
However I only use -keyUsage in my command. 但是,我仅在命令中使用-keyUsage。 I am not quite sure what I need to adjust to my command to remove the error. 我不太确定我需要对命令进行什么调整才能消除错误。
$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\\LocalMachine\\My -keyUsage KeyEncipherment,DigitalSignature,CrlSign,CertSign -Subject "CN=AgionRootCA, OU=supplied, O=supplied, C=supplied, L=supplied, S=supplied" -TextExtension @("1.3.6.1.4.1.311.21.10={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2", "2.5.29.19={text}CA=true","2.5.29.37={text}1.3.6.1.4.1.311.10.12.1")
After following -> 之后->
When looking at the Microsoft Docs for the New-SelfSignedCertificate cmdlet it says the following about the -KeyUsage switch:
Specifies the key usages set in the key usage extension of the certificate.
- CertSign
- CRLSign
- DataEncipherment
- DecipherOnly
- DigitalSignature
- EncipherOnly
- KeyAgreement
- KeyEncipherment
- None (default)
- NonRepudiation
The default value, None, indicates that this cmdlet does not include the KeyUsage extension in the new certificate.
The error messages increased stating that I do need regular -KeyUsage, but not -extendedKeyUsage 错误消息增加,表明我确实需要常规的-KeyUsage,但不需要-extendedKeyUsage
Error messages: 错误讯息:
zlint ERROR Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set zlint ERROR Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.
zlint ERROR Root CA Certificate: extendedKeyUsage MUST NOT be present.t
1 个解决方案
解决方案1
2 已采纳 2019-02-21 15:07:15
Well I managed to solve the problem. 好吧,我设法解决了这个问题。 In my Powershell command I had added the OID 2.5.29.37 at the end and apparently OID 2.5.29.37 is ExtendedKeyUsage. 在我的Powershell命令中,我在末尾添加了OID 2.5.29.37,显然OID 2.5.29.37是ExtendedKeyUsage。 Therefore I kept on getting that problem. 因此,我不断遇到这个问题。 Closed! 关闭!
More information on this matter Self signed certificates 有关此问题的更多信息自签名证书
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.