使用 makecert 进行开发 SSL [英] Using makecert for Development SSL
问题描述
这是我的情况:
我正在尝试创建一个 SSL 证书,该证书将安装在所有开发人员的机器上,以及两台内部服务器(一切都是非生产的).
I'm trying to create a SSL certificate that will be installed on all developer's machine's, along with two internal servers (everything is non-production).
我需要做什么才能创建可以安装在所有这些地方的证书?
What do I need to do to create a certificate that can be installed in all of these places?
现在我已经有了一些类似的东西,使用 Microsoft Visual Studio 8SDKv2.0Bin 中的 makecert 应用程序:
Right now I've got something along these lines, using the makecert application in Microsoft Visual Studio 8SDKv2.0Bin:
makecert -r -pe -n "CN=MySite.com Dev" -b 01/01/2000 -e 01/01/2033 -eku 1.3.6.1.5.5.7.3.1 -ss Root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 mycert.cer
但是,我不确定如何将这个 .cer 文件放在其他计算机上,当我将它安装在本地机器 IIS 上时,每次我通过 https: 访问页面时,我都会收到安全提示(即使在我安装了证书之后).以前有人这样做过吗?
However, I'm not sure as to how to place this .cer file on the other computers, and when I install it on my local machine IIS, everytime I visit a page via https:, I get the security prompt (even after I've installed the certificate). Has anyone done this before?
推荐答案
这是我执行此操作的脚本:
Here are my scripts for doing this:
创建自签名证书 (-r),使用可导出的私钥 (-pe),使用 SHA1 (-r) 进行签名(-sky 签名).私钥写入文件(-sv).
Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature). The private key is written to a file (-sv).
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
(^= 允许批处理命令行换行)
(^= allow batch command-line to wrap line)
使用可导出的私钥 (-pe) 创建服务器证书,使用 SHA1 (-a) 进行密钥交换 (-sky 交换).它可以用作 SSL 服务器证书 (-eku 1.3.6.1.5.5.7.3.1).颁发证书在文件 (-ic) 中,密钥 (-iv) 也在文件中.使用特定的加密提供程序(-sp、-sy).
Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange). It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1). The issuing certificate is in a file (-ic), as is the key (-iv). Use a particular crypto provider (-sp, -sy).
makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
-eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
-sp "Microsoft RSA SChannel Cryptographic Provider" ^
-sy 12 -sv server.pvk server.cer
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
然后,您可以在服务器应用程序中使用 .PFX 文件(或将其安装在 IIS 中).请注意,默认情况下,pvk2pfx
不对输出 PFX 文件应用密码.为此,您需要使用 -po
开关.
You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx
doesn't apply a password to the output PFX file. You need to use the -po
switch for that.
要让您的所有客户端计算机都信任它,请在其证书存储区(受信任的根授权存储区)中安装 CA.cer.如果您在域中,则可以使用 Windows 组策略在全局范围内执行此操作.如果没有,您可以使用 certmgr.msc MMC 管理单元或 certutil 命令行实用程序:
To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:
certutil -user -addstore Root CA.cer
要在 IIS 6.0 中以编程方式安装证书,请查看这篇 Microsoft KB 文章.对于 IIS 7.0,我不知道.
To programmatically install the certificate in IIS 6.0, look at this Microsoft KB article. For IIS 7.0, I don't know.
这篇关于使用 makecert 进行开发 SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!