为IIS创建有效的测试SSL证书 [英] creating valid test SSL certificates for IIS

问题描述

我想在使用IIS的开发环境中测试SSL连接。为此，我需要创建一个自签名根证书安装在机器商店，以及另一个证书，用根证书签名安装在IIS中。

现在不推荐使用 makecert ，所以我想知道如何使用Powershell和 New-SelfSignedCertificate 命令。

如果您获得正确的密钥使用设置，则会产生积分:-)

注意：使用自签名直接在IIS中认证不起作用，因为浏览器和WCF认为它们无效。

---

以供参考，以下说明如何使用makecert：

 ＃创建自签名根证书
 makecert -nCN = root.lan-r -sv root.pvk root.cer 
 
＃创建使用根证书签名的IIS的证书
 makecert -sk本地证书-iv root.pvk -nCN = localhost-ic root.cer -sr localmachine -ss my -sky exchange -pe 
 
＃转换为其他格式
 cert2spc localhost.cer localhost.spc 
 pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx 
   
 
解决方案
新版本 New-SelfSignedCertificate （包括在Windows 10上）此处。可以使用 New-SelfSignedCertificate  - ？和 get-help New-SelfSignedCertificate -examples 获取一些其他信息。 
 
 
 
文档和示例似乎仍然不够清楚，无法创建两个证书：
 
 
 
 
 
一个自签名证书，将用作您示例中的CA证书
 
 
第一个SSL证书。
 
 
 
 
 
实现可能如下（我在下面写了多行中的选项，以使文本更易读）：
  New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096 
 -SubjectCN = My Test（PowerShell）Root Authority，O = OK soft GmbH，C = DE
 -KeyUsage DigitalSignature -NotAfter（get-date）.AddYears（10）
 -CertStoreLocationCert：\CurrentUser\My-Type自定义
  
 目录：
 Microsoft.PowerShell.Security \Certificate :: CurrentUser \My 
 
 
指纹主题
 ---------- ------- 
 B7DE93CB88E99B01D166A986F7BF2D82A0E541FF CN =我的测试（PowerShell）根权限，O = OK soft GmbH，C = DE 
  
值 B7DE93CB88E99B01D166A986F7BF2D82A0E541FF 对于使用签名证书很重要。如果您忘记了值，您可以通过CN名称找到它
  dir cert：\CurrentUser\My |其中Subject-喜欢CN =我的测试（PowerShell）*
  
或通过使用 certutil.exe -user -store My 在当前用户的我的商店上显示证书。
 
 
 
创建SSL证书并签名
  New-SelfSignedCertificate -Type Custom -SubjectCN = ok01 .no-ip.org
 -HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048 
 -KeyUsage KeyEncipherment，DigitalSignature 
 -CertStoreLocationcert：\LocalMachine\My
  - 签名证书：\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF 
 -TextExtension @（2.5.29.37 = {text} 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2， 2.5.29.17 = {text} DNS = ok01.no-ip.org& DNS = ok01.fritz.box）
  
在我看来，最终证书将具有所有必需的属性。很明显，来自上面的许多参数的值包含示例，只有您根据您的需求修改。我不在这里描述一些其他常见的步骤，如在受信任的根导入根证书，导出证书等。这些步骤不是您主要问题的psrt。
 
I want to test SSL connections in an development environment with IIS. For this i need to crate a self-signed root certificate that gets installed in the machine store, and also another certificate that gets signed with the root certificate to install in IIS. 

Doing it with makecert is deprecated now, so I am wondering how to do it with Powershell and the New-SelfSignedCertificate command. 

Bonus points if you get the key usage settings right :-)  

Note: using the self-signed certificated directly in IIS does not work, since the browser and WCF considers them invalid. 



for reference, here is how to do it with makecert: 
# create the self signed root certificate 
makecert -n "CN=root.lan" -r -sv root.pvk root.cer

# create the certificate for IIS that gets signed with the root certificate 
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe

# convert to other formats 
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx

解决方案
The new version of New-SelfSignedCertificate, which included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information. 

The documentation and the examples could seems still not clear enough for creating two certificates:


one self-signed certificate, which will be used as CA certificate from your example
the second SSL certificate, which signed with the first certificate.


The implementation could be the following (I wrote below the option in multiple lines only to make the text more readable):
New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096
    -Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE"
    -KeyUsage DigitalSignature -NotAfter (get-date).AddYears(10)
    -CertStoreLocation "Cert:\CurrentUser\My" -Type Custom 
the output will look like
    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My


Thumbprint                                Subject
----------                                -------
B7DE93CB88E99B01D166A986F7BF2D82A0E541FF  CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE
The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for usage the certificate for signing. If you forget the value you can find it by CN name
dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"
or by usage certutil.exe -user -store My to display certificates on My store of the current user.

To create SSL certificate and to sign it with respect of previously created certificate one can do for example the following
New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org"
    -HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048
    -KeyUsage KeyEncipherment,DigitalSignature
    -CertStoreLocation "cert:\LocalMachine\My"
    -Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")
It seems to me that the final certificate will have all properties required. It's clear that the values from many from above parameters contains examples only any you have to modify there based on your requirements. I don't describe here some other common steps like importing root certificate in Trusted Root, exporting the certificates and so on. The steps are not the psrt of your main question.

                        
这篇关于为IIS创建有效的测试SSL证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！