Automate export x509 certificate w/chain from Server 2008 R2 to a p7b file WITHOUT external tools?


Question

I manage the Domain Controllers centrally, but the site admins manage their own digital senders locally. I can easily export an X509 certificate (private key not needed) with the whole chain from a Windows Server 2008 R2 Domain Controller to a p7b file through the wizard:

~~~~~~~~~~~~~~~~

... 5. The Certificate Export Wizard opens. Click Next.

  1. In the Export File Format dialog box, do the following:

a. Select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B).

b. Check Include all certificates in the certification path if possible.

c. Click Next.

In the File to Export dialog box, click Browse.

In the Save As dialog box, do the following:

a. In the File Name box, type ciroots.p7b.

b. In the Save as type box, select PKCS #7 Certificates (*.p7b).

c. Click Save.

In the File to Export dialog box, click Next.

On the Completing the Certificate Export Wizard page, click Finish.

~~~~~~~~~~~~~~~~

It works great. The resulting file imports just fine into a digital sender for authentication. It gives the site admins access to the other certs in the chain if they have not already imported them. It does not need to contain the private key, since it works fine without it.

The trouble is, I would need to do this manually, literally dozens of times, once for each business site, since each has their own Domain Controllers, each with their own certificate. There must be a way I can automate this certificate export (PowerShell w/.NET, certutil.exe, etc.). Maybe something that uses System.Security.Cryptography.X509Certificates X509IncludeOption with WholeChain, but I can't get it to work:

$Cert = (dir Cert:\localmachine\my)[0]

# PKCS7 cert export with .p7b file extension.
$CertCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$Cert | %{[void]$CertCollection.Add($_)}
$Exported_pkcs7 = $CertCollection.Export('Pkcs7')
$out_FileName = $ENV:COMPUTERNAME + ".p7b"
$My_Export_Path = 'd:\CertFiles\' + $out_FileName
Set-Content -path $My_Export_Path -Value $Exported_pkcs7 -encoding Byte

With this code, I only get the certificate, not the rest of the certificates in its chain. I don't need the whole script, just the part that duplicates the export w/chain that I can already do manually through the GUI.

Answer

You need to build the certificate chain to get the chain certificates and add them to the collection:

# Note: Windows 8 / Server 2012 and later ship a built-in Export-Certificate
# cmdlet (PKI module); this function shadows it when loaded there.
function Export-Certificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [IO.FileInfo]$OutputFile,
        [switch]$IncludeAllCerts
    )
    $certs = New-Object Security.Cryptography.X509Certificates.X509Certificate2Collection
    if ($IncludeAllCerts) {
        # Build the chain from the leaf up to the root; revocation checking is
        # switched off because only the certificates themselves are needed here.
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = "NoCheck"
        [void]$chain.Build($Certificate)
        # ChainElements holds the leaf, the intermediates and the root, in order.
        $chain.ChainElements | ForEach-Object {[void]$certs.Add($_.Certificate)}
        $chain.Reset()
    } else {
        [void]$certs.Add($Certificate)
    }
    # A PKCS #7 export carries certificates only; the private key is never written.
    Set-Content -Path $OutputFile.FullName -Value $certs.Export("pkcs7") -Encoding Byte
}
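As an added example (not code from the question or from the answer above), the following script goes a step beyond the single-certificate case: it picks out every Server Authentication certificate in the machine store, builds each chain with the X509Chain approach the answer uses, writes one .p7b per certificate, and then re-reads the file to confirm how many certificates actually landed in it. The output folder D:\CertFiles, the EKU-based selection, the file naming and the verification step are this example's own choices, not anything the original page specifies.

```powershell
# Added example: export each Server Authentication certificate in the local
# machine store, with its full chain, to a .p7b file and verify the result.
# The output folder, EKU filter and file naming are assumptions of this example.

$OutputDir = 'D:\CertFiles'
if (-not (Test-Path -LiteralPath $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

function Export-CertChainToP7b {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    # Only the public certificates are needed, so skip CRL/OCSP lookups; an
    # export should still succeed on a DC that cannot reach the CDP.
    $chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() returns $false when the chain does not end at a trusted root.
    # Surface that instead of silently shipping an incomplete chain to the sites.
    $ok = $chain.Build($Certificate)
    if (-not $ok) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning ("Chain for {0} did not validate: {1}" -f $Certificate.Thumbprint, $status)
    }

    # ChainElements is ordered leaf -> intermediates -> root.
    $collection = New-Object Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($element in $chain.ChainElements) {
        [void]$collection.Add($element.Certificate)
    }
    $chain.Reset()

    # X509ContentType.Pkcs7 carries certificates only; a private key cannot end
    # up in the file even though the source certificate has one.
    $bytes = $collection.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7)
    [IO.File]::WriteAllBytes($Path, $bytes)

    # Round-trip the file to confirm the digital sender will see the whole chain.
    $check = New-Object Security.Cryptography.X509Certificates.X509Certificate2Collection
    $check.Import($Path)
    New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Path       = $Path
        CertCount  = $check.Count
        ChainValid = $ok
    }
}

# Select certificates with the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
# that have a private key, i.e. the ones this server actually authenticates with.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }) -contains $serverAuthOid)
}

foreach ($cert in $candidates) {
    $file = Join-Path $OutputDir ("{0}-{1}.p7b" -f $env:COMPUTERNAME, $cert.Thumbprint)
    Export-CertChainToP7b -Certificate $cert -Path $file
}
```

To cover dozens of Domain Controllers, save this as a script and run it against each DC with Invoke-Command -FilePath (PowerShell remoting must be enabled on the targets), then collect the resulting files; the CertCount and ChainValid fields in the output tell you at a glance which exports are complete and which DC has a chain that no longer builds to a trusted root.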
