使用 PowerShell 创建自签名证书 [英] Using PowerShell to Create Self-Signed Certificate
问题描述
我正在使用类似于此处找到的代码来创建用于 IIS 的自签名证书:http://blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces.aspx一个>
I'm using code similar to that found here to create a self-signed certificate for use in IIS: http://blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces.aspx
工作正常,但我想给它一个友好的名称,以便在我想将证书分配给动态创建的站点时更容易定位.
Works fine except I want to give it a friendly name to make locating it easier when I want to assign the certificate to a dynamically created site.
任何人都知道如何更改上述内容以设置友好名称(我已经尝试过看似明显但无济于事的方法).
Anyone know how to change the above to set the friendly name (I've tried what seemed obvious to no avail).
有没有更好的方法通过 PowerShell 创建证书而不提示用户输入信息?
Got a better way to create a cert via PowerShell that does not prompt the user for information?
跟进我正在使用的脚本 - 基于上面的 url 但变成了一个 cmdlet:
Followup on the script I am using - based on the url above but turned into a cmdlet:
function Add-SelfSignedCertificate
{
[CmdletBinding()]
param
(
[Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
[Alias('cn')]
[string]$CommonName
)
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$CommonName", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
}
推荐答案
它可能对您的特定用途没有帮助,但在 Windows 8.1 和 Server 2012 中安装了一个新的 Powershell CmdLet,它非常快速且易于使用:
It might not help for your specific use, but there is a new Powershell CmdLet installed in Windows 8.1 and Server 2012 that is pretty quick and easy to use:
New-SelfSignedCertificate [-CertStoreLocation <String> ] [-CloneCert <Certificate> ] [-DnsName <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
可在此处找到更多详细信息:https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
More details can be found here: https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
在我的使用中,证书的友好名称一直设置为 CmdLet 中指定的第一个 DnsName.
In my usage, the friendly name of the cert has always been set as the first DnsName specified in the CmdLet.
将证书放在本地计算机的个人存储中的示例:
Example that places the certificate in your Local Computer's Personal store:
New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName www.example.com
注意:Powershell 必须以管理员权限启动才能正常工作.
这篇关于使用 PowerShell 创建自签名证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!