Convert p7b to pfx for Azure

Problem description

I am trying to set up endpoints for Azure.

I was given a .p7b file but I need a .pfx file with private key for Azure.

Is there a way to convert my .p7b to .pfx?

Recommended answer

Ok, here is a rundown on the whole Azure SSL certificate rigmarole. I've done this with GoDaddy (and more than a bit of help from one of their knowledgeable tech support guys). Also note that I've done this on Windows 8 Pro; your experience might be slightly different and/or your mileage may vary ;-)

Pay your money to a CA (Certificate Authority) to buy an SSL certificate.

Create a CSR (Certificate Signing Request)

Now you need to create a CSR, which is text that you must supply to the CA in order for them to create your certificate. The CSR contains a couple of pieces of information:

  1. The name of the domain associated with the certificate.
  2. The public key associated with the certificate. Note that the CSR you give to the CA does not include the associated private key.

You create the CSR locally on your PC using IIS Manager. Note: IIS is included with Windows, but is not installed by default. [I'll leave the details of installing IIS as an exercise for the student. Maybe some kind person will edit this answer and fill in those details.]

Rather than installing IIS on your local machine, you can RDP into the cloud service in Azure (very easy to do) and use IIS on that machine to create the CSR and Complete the Signing Request. If you do this, be sure to do this entire process in one sitting. If you generate the CSR and then wait to complete the request till sometime later, the cloud service may not be on the same machine and you won't have the "Export" option in IIS.

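To create the CSR:

  1. Run IIS Manager.
  2. Select (double-click) Server Certificates.
  3. In the Actions pane on the right side of the window, click Create Certificate Request. Common Name is the domain name associated with the certificate. The remaining fields identify your company.
  4. IIS Manager will ask for the cryptographic service provider and the bit length. You must choose a bit length of at least 2048.
  5. IIS Manager will create a public/private key pair. The public key is included in the CSR text file that IIS Manager creates for you. The private key is tucked away somewhere on your PC (I assume in the personal key store).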

To create the CSR, you can also refer to the detailed steps on the GoDaddy site. Quite helpful.

Now, go back to your CA's website and find the online tool that lets you create the certificate that you purchased. The first thing it will want you to do is to paste (or upload) the CSR text. After you jump through your CA's hoops, you will receive one or more certificate files back from them.

Install the certificate files into IIS

GoDaddy gives you two files: a p7b file and a crt file.

The crt file contains your public certificate. But you can't (yet) upload it to your web hosting provider because it doesn't include the associated private key. The web host needs the private key as well as the public key because it will be doing end-to-end encryption on your behalf.

The p7b file contains the certificates that comprise the "certificate chain" that allows your certificate to be verified up to your CA. In other words, when someone comes to your website and gets your certificate that claims that your website is run by Acme.com, this certificate chain lets that person's browser verify that your CA vouches for your identity. We'll get back to this file later...

Now you need to combine your public certificate with your private key and store the result in a password-protected pfx file.

Get back into IIS Manager on the same machine that created the CSR, navigate back to the Server Certificates page, and click on Complete Certificate Request (in the Actions pane on the right side of the screen).

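  1. Tell the wizard to use the certificate file you received from your CA (in my case it was a crt file, but it might be a different file type if your CA uses a different encoding method).
  2. The Friendly Name should be your domain name, but you can also add "SSL" to it to help distinguish it (e.g. ContosoSSL).
  3. Tell the wizard to store the key in your Personal store.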

To install the certificates into IIS, these detailed steps from the GoDaddy site help may be helpful.

Get the pfx file

You should now see your new certificate listed on the Server Certificates page in IIS Manager. Select that certificate and export it as a pfx file (via the Actions pane on the right side of the screen).

Now you can go to https://manage.windowsazure.com (the Windows Azure management portal), select your website or cloud service, and upload the pfx file to the Azure certificate store.

Whew. Good luck...

Edit

The above instructions only deal with installing the SSL certificate in your Azure web role, but not the intermediate certificates (i.e. the "certificate chain"). This works for most clients (browsers) because most browsers have the intermediate certificates for major CAs baked into them. In other words, the browsers know how to get from your SSL certificate up to the CA that issued it. But some clients require that the website itself publish not only the SSL certificate but also all of the intermediate certificates.

See this SO answer for details on how to do this.
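
The export step of the answer above, done from PowerShell instead of IIS Manager, as an added example that is not part of the original answer. It checks for the failure the answer warns about (a certificate whose private key is not on this machine) and includes the chain certificates in the pfx. The domain name and output path are placeholders, and it assumes the request was completed into the machine's Personal store and that the PKI module cmdlets `Export-PfxCertificate` and `Get-PfxData` are available.

```powershell
# Added example. $Domain and $PfxPath are placeholders; run elevated on the
# machine that generated the CSR and completed the certificate request.
$Domain  = 'www.example.com'
$PfxPath = Join-Path $env:TEMP 'example-ssl.pfx'

# IIS Manager stores completed requests in the machine's Personal store.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.GetNameInfo('SimpleName', $false) -eq $Domain -and $_.NotAfter -gt (Get-Date)
}
if (-not $candidates) {
    throw "No unexpired certificate for $Domain in Cert:\LocalMachine\My."
}

# The .crt/.p7b files from the CA never contain a private key. If the request
# was completed on a different machine than the one that created the CSR,
# the certificate is present but cannot be exported as a pfx.
$cert = $candidates | Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "Certificate for $Domain has no private key on this machine."
}

# Check that the intermediates (the contents of the .p7b) are installed so the
# chain can be built. Revocation is skipped: this checks structure only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}
$chain.ChainElements | ForEach-Object { "chain: $($_.Certificate.Subject)" }

# Export certificate, private key and chain into one password-protected pfx.
# This fails if the key was created as non-exportable.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password -ChainOption BuildChain | Out-Null

# Re-open the file and list what will be uploaded.
$data = Get-PfxData -FilePath $PfxPath -Password $password
"end-entity: $($data.EndEntityCertificates.Subject -join '; ')"
"chain certs in pfx: $($data.OtherCertificates.Count)"
```

The resulting file holds the private key, so delete it from the temp directory once it has been uploaded.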
