Powershell creating new self signed certificate. Root CA Certificate: extendedKeyUsage MUST NOT be present.t
I am currently making a RootCA and a SAN cert using PowerShell. Now everything is working as it should, only it seems some browsers are pretty strict when it comes to trusting a certificate. I am currently getting one last error when running my certificate through a linter (Z-lint in this case).
zlint ERROR Root CA Certificate: extendedKeyUsage MUST NOT be present.t
Now the error is pretty obvious... extendedKeyUsage should not be present in my powershell command when creating my RootCA
However I only use -keyUsage in my command. I am not quite sure what I need to adjust to my command to remove the error.
$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -keyUsage KeyEncipherment,DigitalSignature,CrlSign,CertSign -Subject "CN=AgionRootCA, OU=supplied, O=supplied, C=supplied, L=supplied, S=supplied" -TextExtension @("1.3.6.1.4.1.311.21.10={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2", "2.5.29.19={text}CA=true","2.5.29.37={text}1.3.6.1.4.1.311.10.12.1")
After following ->
When looking at the Microsoft Docs for the New-SelfSignedCertificate cmdlet it says the following about the -KeyUsage switch:
Specifies the key usages set in the key usage extension of the certificate. The acceptable values for this parameter are:
- CertSign
- CRLSign
- DataEncipherment
- DecipherOnly
- DigitalSignature
- EncipherOnly
- KeyAgreement
- KeyEncipherment
- None (default)
- NonRepudiation
The default value, None, indicates that this cmdlet does not include the KeyUsage extension in the new certificate. So it would seem that if you want extendedKeyUsage to NOT be present you need to change -keyUsage KeyEncipherment,DigitalSignature,CrlSign,CertSign to -keyUsage None, which would be the default if you don't include the switch at all.
The error messages increased stating that I do need regular -KeyUsage, but not -extendedKeyUsage
Error messages:
zlint ERROR Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set
zlint ERROR Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.
zlint ERROR Root CA Certificate: extendedKeyUsage MUST NOT be present.t
Well I managed to solve the problem. In my Powershell command I had added the OID 2.5.29.37 at the end and apparently OID 2.5.29.37 is ExtendedKeyUsage. Therefore I kept on getting that problem. Closed!
More information on this matter: Self signed certificates
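As an added example (not part of the original thread), the following PowerShell function checks a certificate locally for the conditions behind the three zlint errors quoted above, plus the CA=true basic constraint that the command sets. The function name Test-RootCaExtensions is hypothetical; the lookup at the end assumes the certificate sits in Cert:\LocalMachine\My under the subject used in the question.

```powershell
# Added example, not from the thread. Test-RootCaExtensions is a hypothetical helper name.
function Test-RootCaExtensions {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $findings = @()

    # 2.5.29.37 = extendedKeyUsage: must not be present on a root CA certificate.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $findings += 'extendedKeyUsage (2.5.29.37) is present'
    }

    # 2.5.29.15 = keyUsage: keyCertSign and cRLSign must both be set.
    $ku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if (-not $ku) {
        $findings += 'keyUsage extension is missing'
    } else {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        if (-not $ku.KeyUsages.HasFlag($flags::KeyCertSign)) { $findings += 'keyCertSign bit is not set' }
        if (-not $ku.KeyUsages.HasFlag($flags::CrlSign))     { $findings += 'cRLSign bit is not set' }
    }

    # 2.5.29.19 = basicConstraints: the command in the question sets CA=true here.
    $bc = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $findings += 'basicConstraints CA=true is missing'
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Assumed store location and subject, taken from the command in the question.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like 'CN=AgionRootCA*' |
    ForEach-Object { Test-RootCaExtensions -Certificate $_ }
```

Because the check reads the extensions from the issued certificate rather than from the command line, it also reports an extendedKeyUsage extension that ended up in the certificate without an explicit 2.5.29.37 entry in -TextExtension.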