[英]Generate A Self Signed Certificate Signed By An Root Certificate in Powershell
[英]Generate Self-signed certificate with Root CA Signer
場景:我在Windows Server 2012r2上使用PowerShell生成Root證書,並希望使用它來在動態生成(和銷毀)的開發/測試環境中簽署新創建的中級和Web證書。 腳本是遠程部署的,目的是盡可能保持純PowerShell。 在Windows 10/2016中,生成根證書后相對容易:
$Cert = New-SelfSignedCertificate -Signer $Root -Subject "CN=$Subject"
我使用COM X509Enrollment.CX509CertificateRequestCertificate
和Security.Cryptography.X509Certificates.X509Certificate2
在我已經有一段時間的X509Enrollment.CX509CertificateRequestCertificate
PS中生成了Root證書,主要是因為我需要確保主題和用法設置非常具體。 我不太確定如何使用它來簽署沒有上述標准的證書(我之前使用過)。
在C#中有一些使用Bouncy Castle(見下文)的例子我可以綁定到PowerShell,但是我需要在動態開發/測試環境中另外部署它,我希望能夠在Powershell中執行此操作(通過COM)如果需要)具有最少的依賴性。
在我的案例中,避免使用makecert和openssl的最終解決方案是使用Powershell和BouncyCastle。 我從RLipscombe分離了PSBouncyCastle的PSBouncyCastle回購並推送了1.8.1 Bouncy Castle。我的分叉版本是我用於腳本的版本,fork位於Forked:PSBouncyCastle.New 。
然后我使用了StackOverflow:C#Generate Certificates in the Fly作為靈感來編寫下面的powershell, 我將把它添加到我的GitHub並進行評論,我會盡快修改它 :
Import-Module -Name PSBouncyCastle.New
function New-SelfSignedCertificate {
[CmdletBinding()]
param (
[string]$SubjectName,
[string]$FriendlyName = "New Certificate",
[object]$Issuer,
[bool]$IsCA = $false,
[int]$KeyStrength = 2048,
[int]$ValidYears = 2,
[hashtable]$EKU = @{}
)
# Needed generators
$random = New-SecureRandom
$certificateGenerator = New-CertificateGenerator
if($Issuer -ne $null -and $Issuer.HasPrivateKey -eq $true)
{
$IssuerName = $Issuer.IssuerName.Name
$IssuerPrivateKey = $Issuer.PrivateKey
}
# Create and set a random certificate serial number
$serial = New-SerialNumber -Random $random
$certificateGenerator.SetSerialNumber($serial)
# The signature algorithm
$certificateGenerator.SetSignatureAlgorithm('SHA256WithRSA')
# Basic Constraints - certificate is allowed to be used as intermediate.
# Powershell requires either a $null or reassignment or it will return this from the function
$certificateGenerator = Add-BasicConstraints -isCertificateAuthority $IsCA -certificateGenerator $certificateGenerator
# Key Usage
if($EKU.Count -gt 0)
{
$certificateGenerator = $certificateGenerator | Add-ExtendedKeyUsage @EKU
}
# Create and set the Issuer and Subject name
$subjectDN = New-X509Name -Name ($SubjectName)
if($Issuer -ne $null) {
$IssuerDN = New-X509Name -Name ($IssuerName)
}
else
{
$IssuerDN = New-X509Name -Name ($SubjectName)
}
$certificateGenerator.SetSubjectDN($subjectDN)
$certificateGenerator.SetIssuerDN($IssuerDN)
# Authority Key and Subject Identifier
if($Issuer -ne $null)
{
$IssuerKeyPair = ConvertTo-BouncyCastleKeyPair -PrivateKey $IssuerPrivateKey
$IssuerSerial = [Org.BouncyCastle.Math.BigInteger]$Issuer.GetSerialNumber()
$authorityKeyIdentifier = New-AuthorityKeyIdentifier -name $Issuer.IssuerName.Name -publicKey $IssuerKeyPair.Public -serialNumber $IssuerSerial
$certificateGenerator = Add-AuthorityKeyIdentifier -certificateGenerator $certificateGenerator -authorityKeyIdentifier $authorityKeyIdentifier
}
# Validity range of the certificate
[DateTime]$notBefore = (Get-Date).AddDays(-1)
if($ValidYears -gt 0) {
[DateTime]$notAfter = $notBefore.AddYears($ValidYears)
}
$certificateGenerator.SetNotBefore($notBefore)
$certificateGenerator.SetNotAfter($notAfter)
# Subject public key ~and private
$subjectKeyPair = New-KeyPair -Strength $keyStrength -Random $random
if($IssuerPrivateKey -ne $null)
{
$IssuerKeyPair = [Org.BouncyCastle.Security.DotNetUtilities]::GetKeyPair($IssuerPrivateKey)
}
else
{
$IssuerKeyPair = $subjectKeyPair
}
$certificateGenerator.SetPublicKey($subjectKeyPair.Public)
# Create the Certificate
$IssuerKeyPair = $subjectKeyPair
$certificate = $certificateGenerator.Generate($IssuerKeyPair.Private, $random)
# At this point you have the certificate and need to convert it and export, I return the private key for signing the next cert
$pfxCertificate = ConvertFrom-BouncyCastleCertificate -certificate $certificate -subjectKeyPair $subjectKeyPair -friendlyName $FriendlyName
return $pfxCertificate
}
這個powershell的一些使用示例是:
生成根CA.
$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $true
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx
生成標准自簽名
$TestSS = New-SelfSignedCertificate -subjectName "CN=TestLocal"
Export-Certificate -Certificate $TestSS -OutputFile "TestLocal.pfx" -X509ContentType Pfx
生成證書,使用根證書簽名
$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $true
$TestSigned = New-SelfSignedCertificate -subjectName "CN=TestSignedByRoot" -issuer $TestRootCA
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx
生成具有特定用途的自簽名
$TestServerCert = New-SelfSignedCertificate -subjectName "CN=TestServerCert" -EKU @{ "ServerAuthentication" = $true }
請注意,-EKU參數通過splatting接受,它執行此操作以確保有效傳遞添加到Add-ExtendedKeyUsage的任何內容。 它接受以下證書用法:
這符合我的需要,似乎適用於我們用於動態環境的所有Windows平台。
“Itiverba自簽名證書生成器”( http://www.itiverba.com/en/software/itisscg.php )是一個免費的Windows GUI工具,允許您創建自己的CA證書並使用它簽署最終證書。 您可以導出PEM,CER,DER,PFX文件格式的證書。
編碼只需3行:
主題:CN =“Testcorp - 私人CA”
基本約束:V(已選中)
基本約束/主題類型:CA
提供文件名並選擇文件格式,然后單擊“創建證書”按鈕。 您的自定義CA證書已完成。
如何簡單地這樣做:
$cert = New-SelfSignedCertificate -FriendlyName "MyCA"
-KeyExportPolicy ExportableEncrypted
-Provider "Microsoft Strong Cryptographic Provider"
-Subject "SN=TestRootCA" -NotAfter (Get-Date).AddYears($ExpiryInYears)
-CertStoreLocation Cert:\LocalMachine\My -KeyUsageProperty All
-KeyUsage CertSign, CRLSign, DigitalSignature
重要參數是-KeyUsageProperty
和-KeyUsage
。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.