Windows .pfx文件中的证书存在EKU问题 [英] Certificate in windows .pfx file has EKU issue

问题描述

我已经在phonegap中开发了一个应用程序，现在我想将其发布给Windows Phone。但是，我们知道自Windows 10引入以来，我们必须制作一个 .pfx 文件来对应用程序进行签名。

I have developed an application in phonegap and now I want to release it for windows phones. But as we know that since Windows 10 was introduced we have to make a .pfx file to sign an application.

我已经创建了一个证书使用OpenSSL并尝试使用该密钥构建应用程序时出现此错误：

I have created a certificate with OpenSSL and as I try to build my application with that key I am getting this error:

错误-您的Windows签名密钥必须具有EKU（增强键用法）代码签名的
属性

Error - Your Windows Signing Key must have an EKU (Enhanced Key Usage) property of "Code Signing"

我不知道这到底是什么意思。有人可以帮我吗？

I don't know what does exactly mean. Can anyone please help me out for this?

推荐答案

EKU（增强密钥用法）是证书扩展，它确定证书的用途用于。对于其他应用程序的签名，Windows希望该证书包含代码签名EKU扩展。

EKU (Enhanced Key Usage) is certificate Extensions which determine what the certificate is intended to be used for. For signing other applications, Windows expects the cert to contain Code Signing EKU extension.

我想您正在使用自签名证书。您可以使用以下命令来生成pfx文件，该文件将包含供您使用的证书。尽管我不确定是否可以使用自签名证书在Windows应用商店上推送应用程序

I suppose you are using a self signed certificate. You can use following commands to generate a pfx file which would contain a certificate for your use. Although I'm not sure if a self signed certificate can be used to push an application on windows app store

首先将以下内容保存在文件名 code_signing中。该文件是您的证书的配置文件。更改我的dn下的字段

First of all save following content in a file name "code_signing". This file is configuration file for your certificate. Change the fields under "my dn"

[ req ]
prompt             = no
distinguished_name = my dn

[ my dn ]
commonName = secure.example.com
countryName = XX
localityName = XXX
organizationName = Org Name
organizationalUnitName = BU Name
stateOrProvinceName = YY
emailAddress = mail@example.com
name = name
surname = surName
givenName = name

[code_signing]
extendedKeyUsage = 1.3.6.1.5.5.7.3.3

最后一行extendedKeyUsage = 1.3.6.1.5.5.7.3.3指定用于代码签名的EKU。
现在使用以下命令使用上面的配置文件生成私钥和证书

The last line extendedKeyUsage = 1.3.6.1.5.5.7.3.3 specifies the EKU for code Signing. Now use following to generate a private key and certificate using above config file

openssl req -x509 -config code_signing -extensions 'code_signing' -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt

现在使用生成的private.key和certificate.crt来生成您的pfx文件

Now use the generated private.key and certificate.crt to generate your pfx file

openssl pkcs12 -export -out codeSigning.pfx -inkey private.key -in certificate.crt

这篇关于Windows .pfx文件中的证书存在EKU问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！