New-SelfSignedCertificate on Windows Server 2012 R2 has fewer parameters

Sam*_*lib 8 powershell certificate self-signed powershell-5.0

I am trying to create a self-signed certificate with specific cryptographic parameter values.

On Windows Server 2012 R2 Standard running PowerShell 5.0, when I try to use

```powershell
New-SelfSignedCertificate
```

I get an error:

```
New-SelfSignedCertificate : A parameter cannot be found that matches parameter name 'Subject'.
```

When I try to use the `-Subject` parameter it does not show up in IntelliSense, nor do the other parameters that are available on my laptop.

But on my laptop (Windows 10 and PowerShell 5.0) I can use these parameters, and I can create a self-signed certificate with the following code:

```powershell
# Create a certificate
# OID for Document Encryption
$Oid = New-Object System.Security.Cryptography.Oid "1.3.6.1.4.1.311.80.1"
$oidCollection = New-Object System.Security.Cryptography.OidCollection
$oidCollection.Add($Oid) > $Null
# Create an Enhanced Key Usage extension that allows document encryption
$Ext = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension $oidCollection, $true

$myCert = New-SelfSignedCertificate -Subject 'CN=myservernameasubject' -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec KeyExchange -KeyUsage KeyEncipherment, DataEncipherment -Extension $Ext
```

Jam*_*See 13

Use `-DnsName` without `CN=`.

From the PowerShell help:

> -DnsName <String> Specifies one or more DNS names to put into the Subject Alternative Name extension of the certificate when a certificate to be copied is not specified via the CloneCert parameter. The first DNS name is also saved as the Subject Name and Issuer Name.

Unfortunately, New-SelfSignedCertificate in Windows Server 2012 R2 and Windows 8.1 does not support `-KeySpec` and the other related options. Otherwise, you are looking at one of three options for generating the certificate you need: adapt the COM-object-based code from the answer to "How to create a self-signed certificate using C#" for use in PowerShell, use an external executable such as makecert.exe, or generate the certificate/key pair elsewhere and import it into the certificate store on the other machine.

Update: After further research, it looks like adapting the COM-based code in PowerShell is a reasonable option. I found Vishal Agarwal's blog post, "Generating a certificate (self-signed) using PowerShell and CertEnroll interfaces", which provides the following PowerShell code:

```powershell
$name = New-Object -ComObject "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)           # 0 = XCN_CERT_NAME_STR_NONE

$key = New-Object -ComObject "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1                           # 1 = AT_KEYEXCHANGE (the -KeySpec KeyExchange equivalent)
$key.Length = 1024                         # RSA key size in bits
# SDDL: full control for SYSTEM (SY) and Administrators (BA), read/use for NETWORK SERVICE (NS)
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1                    # store the key in the machine key store, not the user's
$key.Create()

$serverauthoid = New-Object -ComObject "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")   # EKU: Server Authentication
$ekuoids = New-Object -ComObject "X509Enrollment.CObjectIds.1"
$ekuoids.Add($serverauthoid)
$ekuext = New-Object -ComObject "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

$cert = New-Object -ComObject "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")   # 2 = ContextMachine
$cert.Subject = $name
$cert.Issuer = $cert.Subject               # self-signed: issuer equals subject
$cert.NotBefore = Get-Date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

$enrollment = New-Object -ComObject "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)               # 0 = XCN_CRYPT_STRING_BASE64HEADER
$enrollment.InstallResponse(2, $certdata, 0, "")       # 2 = AllowUntrustedCertificate
```
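As an added example (not from the question or the answer), the CertEnroll approach above adapted to what the asker actually wanted on Server 2012 R2: a LocalMachine certificate with the Document Encryption EKU, a KeyExchange key, and KeyEncipherment/DataEncipherment key usage, followed by a check of what was installed. The subject name is a constructed sample; the numeric constants are CertEnroll enumeration values noted in the comments.

```powershell
# Added example: CertEnroll COM replacement for the asker's New-SelfSignedCertificate call
$subjectName = 'CN=myservernameasubject'     # constructed sample subject

$name = New-Object -ComObject 'X509Enrollment.CX500DistinguishedName.1'
$name.Encode($subjectName, 0)                # 0 = XCN_CERT_NAME_STR_NONE

$key = New-Object -ComObject 'X509Enrollment.CX509PrivateKey.1'
$key.ProviderName   = 'Microsoft RSA SChannel Cryptographic Provider'
$key.KeySpec        = 1                      # AT_KEYEXCHANGE, i.e. -KeySpec KeyExchange
$key.Length         = 2048                   # 1024-bit RSA is below current minimums
$key.MachineContext = 1                      # Cert:\LocalMachine, as in the asker's command
$key.ExportPolicy   = 0                      # XCN_NCRYPT_ALLOW_EXPORT_NONE: key cannot leave this host
$key.Create()

# Enhanced Key Usage: Document Encryption (the OID the asker used)
$docEncOid = New-Object -ComObject 'X509Enrollment.CObjectId.1'
$docEncOid.InitializeFromValue('1.3.6.1.4.1.311.80.1')
$ekuOids = New-Object -ComObject 'X509Enrollment.CObjectIds.1'
$ekuOids.Add($docEncOid)
$ekuExt = New-Object -ComObject 'X509Enrollment.CX509ExtensionEnhancedKeyUsage.1'
$ekuExt.InitializeEncode($ekuOids)

# Key Usage: KeyEncipherment (0x20) | DataEncipherment (0x10), the asker's -KeyUsage values
$kuExt = New-Object -ComObject 'X509Enrollment.CX509ExtensionKeyUsage.1'
$kuExt.InitializeEncode(0x20 -bor 0x10)
$kuExt.Critical = $true                      # relying parties must honour the restriction

$req = New-Object -ComObject 'X509Enrollment.CX509CertificateRequestCertificate.1'
$req.InitializeFromPrivateKey(2, $key, '')   # 2 = ContextMachine
$req.Subject   = $name
$req.Issuer    = $name                       # self-signed
$req.NotBefore = (Get-Date).AddMinutes(-5)   # tolerate small clock skew on consumers
$req.NotAfter  = $req.NotBefore.AddYears(1)
$req.X509Extensions.Add($ekuExt)
$req.X509Extensions.Add($kuExt)
$req.Encode()

$enroll = New-Object -ComObject 'X509Enrollment.CX509Enrollment.1'
$enroll.InitializeFromRequest($req)
$certData = $enroll.CreateRequest(0)         # 0 = XCN_CRYPT_STRING_BASE64HEADER
$enroll.InstallResponse(2, $certData, 0, '') # 2 = AllowUntrustedCertificate

# Verify what actually landed in the store before handing the thumbprint to anything
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subjectName } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$installed | Format-List Thumbprint, Subject, NotAfter, EnhancedKeyUsageList
```

Run it from an elevated PowerShell session, since writing to the LocalMachine store and creating a machine-context key require administrative rights.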