[英]Using PowerShell to Create Self-Signed Certificate
I'm using code similar to that found here to create a self-signed certificate for use in IIS: http://blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces.aspx 我使用类似于此处的代码来创建在IIS中使用的自签名证书: http : //blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-自签名-使用- PowerShell的和certenroll-interfaces.aspx
Works fine except I want to give it a friendly name to make locating it easier when I want to assign the certificate to a dynamically created site. 工作正常,但我想给它一个友好的名称,以便在我想将证书分配给动态创建的站点时更容易找到它。
Anyone know how to change the above to set the friendly name (I've tried what seemed obvious to no avail). 任何人都知道如何更改上面的设置友好名称(我尝试了似乎显而易见的无济于事)。
Got a better way to create a cert via PowerShell that does not prompt the user for information? 有更好的方法通过PowerShell创建一个不提示用户输入信息的证书吗?
Followup on the script I am using - based on the url above but turned into a cmdlet: 跟进我正在使用的脚本 - 基于上面的url但转换为cmdlet:
function Add-SelfSignedCertificate
{
[CmdletBinding()]
param
(
[Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
[Alias('cn')]
[string]$CommonName
)
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$CommonName", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
}
It might not help for your specific use, but there is a new Powershell CmdLet installed in Windows 8.1 and Server 2012 that is pretty quick and easy to use: 它可能对您的特定用途没有帮助,但在Windows 8.1和Server 2012中安装了一个新的Powershell CmdLet,它非常快速且易于使用:
New-SelfSignedCertificate [-CertStoreLocation <String> ] [-CloneCert <Certificate> ] [-DnsName <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
More details can be found here: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps 更多细节可以在这里找到: https : //docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view = win10-ps
In my usage, the friendly name of the cert has always been set as the first DnsName specified in the CmdLet. 在我的用法中,cert的友好名称始终被设置为CmdLet中指定的第一个DnsName。
Example that places the certificate in your Local Computer's Personal store: 将证书放在本地计算机的个人存储中的示例:
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName www.example.com
Note: Powershell has to be started with admin rights for this to work. 注意:必须以管理员权限启动Powershell才能使用此功能。
You can set the CertificateFriendlyName
directly in you code, you just need to know where to do it: 您可以直接在代码中设置CertificateFriendlyName
,您只需知道在哪里执行:
$enrollment.InitializeFromRequest($cert)
$enrollment.CertificateFriendlyName = 'whatever'
$certdata = $enrollment.CreateRequest(0)
$key
has a FriendlyName but I don't see that showing up anywhere so I don't think it helps you. $key
有一个FriendlyName,但我没有看到它出现在任何地方所以我认为它不会对你有所帮助。
Scott Hanselman wrote up a nice blog post on how to create a self-signed cert using the SDK tool makecert.exe. Scott Hanselman写了一篇关于如何使用SDK工具makecert.exe 创建自签名证书的好文章 。 That tool looks to be a good bit easer to use than the code in the post you reference. 该工具看起来比您引用的帖子中的代码更容易使用。 With makecert.exe you can use the -n option to specify a subject name. 使用makecert.exe,您可以使用-n选项指定主题名称。 I've used that subject name to refer to the certificate in other tools like signtool.exe. 我已经使用该主题名称来引用signtool.exe等其他工具中的证书。 Although, I've found that subject names don't have to be unique so I tend to use the Thumbprint value which appears to be unique. 虽然,我发现主题名称不一定是唯一的,所以我倾向于使用看似独特的Thumbprint值。 Signtool will also accept a thumbprint (via the /sha1 parameter) to identify the cert. Signtool还将接受指纹(通过/ sha1参数)来识别证书。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.