Win2012 r2 上的 New-SelfSignedCertificate 参数较少
New-SelfSignedCertificate on Win2012 r2 has less parameters
我正在尝试创建具有特定加密参数值的自签名证书。
在 Win Server 2012 r2 标准 运行 PowerShell 5.0 上,当我尝试使用
New-SelfSignedCertificate
我收到一个错误:
New-SelfSignedCertificate : A parameter cannot be found that matches parameter name 'Subject'.
当我尝试使用 -Subject 参数时,除了我笔记本电脑上允许的其他参数外,该参数没有出现在智能感知中。
但是在我的笔记本电脑(Win 10 和 PowerShell 5.0)上,我可以使用这些参数,并且我使用以下代码创建了一个自签名证书
#create a Certificate
# OID for document encryption
$Oid = New-Object System.Security.Cryptography.Oid "1.3.6.1.4.1.311.80.1"
$oidCollection = New-Object System.Security.Cryptography.OidCollection
$oidCollection.Add($oid) > $Null
# Create enhanced key usage extension that allows document encryption
$Ext = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension $oidCollection, $true
$myCert = New-SelfSignedCertificate -Subject 'CN=myservernameasubject' -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec KeyExchange -KeyUsage KeyEncipherment, DataEncipherment -Extension $Ext
使用 -DnsName 而不使用 CN=。
来自 PowerShell 帮助:
-DnsName <String>
Specifies one or more DNS names to put into the Subject Alternative Name extension of the certificate when a certificate to be
copied is not specified via the CloneCert parameter. The first DNS
name is also saved as Subject Name and Issuer Name.
不幸的是,New-SelfSignedCertificate in Windows Server 2012 R2 and Windows 8.1. Otherwise, you're looking at one of three options to generate the desired certificate; Adapt the COM object based code in the answer to How to create a self-signed certificate using C#? 不支持 -KeySpec 和其他相关选项在 PowerShell 中使用,使用外部可执行文件如 makecert.exe,或在其他地方生成 certificate/key 对然后将其导入另一台机器上的证书库。
更新: 经过进一步研究,在 PowerShell 中调整基于 COM 的代码似乎是一个不错的选择。我找到了 Vishal Agarwal Generating a certificate (self-signed) using powershell and CertEnroll interfaces 的博客条目,其中提供了以下 PowerShell 代码:
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
以下对于自签名选项工作得很好...
New-SelfSignedCertificate -DnsName "*.costoso100.com" -CertStoreLocation "cert:\LocalMachine\My"
我能够在大约 15 分钟内导出和设置 LDAPS。
我正在尝试创建具有特定加密参数值的自签名证书。
在 Win Server 2012 r2 标准 运行 PowerShell 5.0 上,当我尝试使用
New-SelfSignedCertificate
我收到一个错误:
New-SelfSignedCertificate : A parameter cannot be found that matches parameter name 'Subject'.
当我尝试使用 -Subject 参数时,除了我笔记本电脑上允许的其他参数外,该参数没有出现在智能感知中。
但是在我的笔记本电脑(Win 10 和 PowerShell 5.0)上,我可以使用这些参数,并且我使用以下代码创建了一个自签名证书
#create a Certificate
# OID for document encryption
$Oid = New-Object System.Security.Cryptography.Oid "1.3.6.1.4.1.311.80.1"
$oidCollection = New-Object System.Security.Cryptography.OidCollection
$oidCollection.Add($oid) > $Null
# Create enhanced key usage extension that allows document encryption
$Ext = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension $oidCollection, $true
$myCert = New-SelfSignedCertificate -Subject 'CN=myservernameasubject' -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec KeyExchange -KeyUsage KeyEncipherment, DataEncipherment -Extension $Ext
使用 -DnsName 而不使用 CN=。
来自 PowerShell 帮助:
-DnsName <String>Specifies one or more DNS names to put into the Subject Alternative Name extension of the certificate when a certificate to be copied is not specified via the CloneCert parameter. The first DNS name is also saved as Subject Name and Issuer Name.
不幸的是,New-SelfSignedCertificate in Windows Server 2012 R2 and Windows 8.1. Otherwise, you're looking at one of three options to generate the desired certificate; Adapt the COM object based code in the answer to How to create a self-signed certificate using C#? 不支持 -KeySpec 和其他相关选项在 PowerShell 中使用,使用外部可执行文件如 makecert.exe,或在其他地方生成 certificate/key 对然后将其导入另一台机器上的证书库。
更新: 经过进一步研究,在 PowerShell 中调整基于 COM 的代码似乎是一个不错的选择。我找到了 Vishal Agarwal Generating a certificate (self-signed) using powershell and CertEnroll interfaces 的博客条目,其中提供了以下 PowerShell 代码:
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
以下对于自签名选项工作得很好...
New-SelfSignedCertificate -DnsName "*.costoso100.com" -CertStoreLocation "cert:\LocalMachine\My"
我能够在大约 15 分钟内导出和设置 LDAPS。