使用 PowerShell 在根目录中禁用证书
Disable a certificate in the Root using PowerShell
使用 Windows 服务器核心。
我想禁用存储根文件夹中的证书。我有我想要禁用的证书的指纹,根据下图,我可以通过 Windows UI 来完成。但我想通过 Powershell 来完成。
我找不到如何通过 PowerShell 禁用证书,你知道怎么做吗?
N.B。我对删除证书不感兴趣
如果你很好奇,这是这里讨论的问题的解决方案:
https://www.namecheap.com/support/knowledgebase/article.aspx/9774/2238/incomplete-certificate-chain-on-windows-servers
执行此操作的唯一方法是通过使用 p/invoke 互操作并传递 ASN 编码的空 X509 EKU 扩展值(两个字节,0x30 和 0x0) 以在 属性.
中明确禁用 EKU
代码如下所示:
# define unmanaged function interop signatures
$signature = @"
[DllImport("Crypt32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool CertSetCertificateContextProperty(
IntPtr pCertContext,
uint dwPropId,
uint dwFlags,
IntPtr pvData
);
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
public struct CRYPTOAPI_BLOB {
public uint cbData;
public IntPtr pbData;
}
"@
Add-Type -MemberDefinition $signature -Namespace PKI -Name Crypt32
# create empty X509 EKU extension value. Empty value literally disables all EKU
$bytes = New-Object byte[] -ArgumentList 2
$bytes[0] = 48
$bytes[1] = 0
# do unmanaged stuff
$pbData = [Runtime.InteropServices.Marshal]::AllocHGlobal(2)
[Runtime.InteropServices.Marshal]::Copy($bytes, 0, $pbData, 2)
# fill pvData structure
$blob = New-Object PKI.Crypt32+CRYPTOAPI_BLOB -Property @{
cbData = 2;
pbData = $pbData;
}
# do more unmanaged stuff
$pvData = [Runtime.InteropServices.Marshal]::AllocHGlobal([Runtime.InteropServices.Marshal]::SizeOf([type][PKI.Crypt32+CRYPTOAPI_BLOB]))
# copy data value to unmanaged memory
[Runtime.InteropServices.Marshal]::StructureToPtr($blob, $pvData, $false)
# call CertSetCertificateContextProperty function
[PKI.Crypt32]::CertSetCertificateContextProperty($Cert.Handle,9,0,$pvData)
# release unmanaged memory to prevent memory leak
[Runtime.InteropServices.Marshal]::FreeHGlobal($pbData)
[Runtime.InteropServices.Marshal]::FreeHGlobal($pvData)
请注意,函数调用需要 $cert 变量中的有效 X509Certificate2 证书对象。
使用 Windows 服务器核心。
我想禁用存储根文件夹中的证书。我有我想要禁用的证书的指纹,根据下图,我可以通过 Windows UI 来完成。但我想通过 Powershell 来完成。
我找不到如何通过 PowerShell 禁用证书,你知道怎么做吗?
N.B。我对删除证书不感兴趣
如果你很好奇,这是这里讨论的问题的解决方案: https://www.namecheap.com/support/knowledgebase/article.aspx/9774/2238/incomplete-certificate-chain-on-windows-servers
执行此操作的唯一方法是通过使用 p/invoke 互操作并传递 ASN 编码的空 X509 EKU 扩展值(两个字节,0x30 和 0x0) 以在 属性.
代码如下所示:
# define unmanaged function interop signatures
$signature = @"
[DllImport("Crypt32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool CertSetCertificateContextProperty(
IntPtr pCertContext,
uint dwPropId,
uint dwFlags,
IntPtr pvData
);
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
public struct CRYPTOAPI_BLOB {
public uint cbData;
public IntPtr pbData;
}
"@
Add-Type -MemberDefinition $signature -Namespace PKI -Name Crypt32
# create empty X509 EKU extension value. Empty value literally disables all EKU
$bytes = New-Object byte[] -ArgumentList 2
$bytes[0] = 48
$bytes[1] = 0
# do unmanaged stuff
$pbData = [Runtime.InteropServices.Marshal]::AllocHGlobal(2)
[Runtime.InteropServices.Marshal]::Copy($bytes, 0, $pbData, 2)
# fill pvData structure
$blob = New-Object PKI.Crypt32+CRYPTOAPI_BLOB -Property @{
cbData = 2;
pbData = $pbData;
}
# do more unmanaged stuff
$pvData = [Runtime.InteropServices.Marshal]::AllocHGlobal([Runtime.InteropServices.Marshal]::SizeOf([type][PKI.Crypt32+CRYPTOAPI_BLOB]))
# copy data value to unmanaged memory
[Runtime.InteropServices.Marshal]::StructureToPtr($blob, $pvData, $false)
# call CertSetCertificateContextProperty function
[PKI.Crypt32]::CertSetCertificateContextProperty($Cert.Handle,9,0,$pvData)
# release unmanaged memory to prevent memory leak
[Runtime.InteropServices.Marshal]::FreeHGlobal($pbData)
[Runtime.InteropServices.Marshal]::FreeHGlobal($pvData)
请注意,函数调用需要 $cert 变量中的有效 X509Certificate2 证书对象。