[英]Using PowerShell to Create Self-Signed Certificate of 2048 bits length
[英]Using PowerShell to Create Self-Signed Certificate
我使用類似於此處的代碼來創建在IIS中使用的自簽名證書: http : //blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-自簽名-使用- PowerShell的和certenroll-interfaces.aspx
工作正常,但我想給它一個友好的名稱,以便在我想將證書分配給動態創建的站點時更容易找到它。
任何人都知道如何更改上面的設置友好名稱(我嘗試了似乎顯而易見的無濟於事)。
有更好的方法通過PowerShell創建一個不提示用戶輸入信息的證書嗎?
跟進我正在使用的腳本 - 基於上面的url但轉換為cmdlet:
function Add-SelfSignedCertificate
{
[CmdletBinding()]
param
(
[Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
[Alias('cn')]
[string]$CommonName
)
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$CommonName", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
}
它可能對您的特定用途沒有幫助,但在Windows 8.1和Server 2012中安裝了一個新的Powershell CmdLet,它非常快速且易於使用:
New-SelfSignedCertificate [-CertStoreLocation <String> ] [-CloneCert <Certificate> ] [-DnsName <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
更多細節可以在這里找到: https : //docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view = win10-ps
在我的用法中,cert的友好名稱始終被設置為CmdLet中指定的第一個DnsName。
將證書放在本地計算機的個人存儲中的示例:
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName www.example.com
注意:必須以管理員權限啟動Powershell才能使用此功能。
您可以直接在代碼中設置CertificateFriendlyName
,您只需知道在哪里執行:
$enrollment.InitializeFromRequest($cert)
$enrollment.CertificateFriendlyName = 'whatever'
$certdata = $enrollment.CreateRequest(0)
$key
有一個FriendlyName,但我沒有看到它出現在任何地方所以我認為它不會對你有所幫助。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.