Convert p7b to pfx for Azure


Question

I am trying to setup endpoints for Azure.

I was given an .p7b file but I need a .pfx file with private key for Azure.

Is there a way to convert my .p7b to .pfx?

Solution

Ok, here is a rundown on the whole Azure SSL certificate rigmarole. I've done this with GoDaddy (and more than a bit of help from one of their knowledgeable tech support guys). Also note that I've done this on Windows 8 Pro; your experience might be slightly different and/or your mileage may vary ;-)

[Disclaimer: I'm far from expert in this subject. I would appreciate if someone who really knows this stuff would proofread this, edit it as necessary, and remove this comment.]

Pay your money to a CA (Certificate Authority) to buy an SSL certificate.

Create CSR (Certificate Signing Request)

Now you need to create a CSR, which is text that you must supply to the CA in order for them to create your certificate. The CSR contains a couple of pieces of information:

  1. The name of the domain associated with the certificate.
  2. A public key to associate with the certificate. Note that the CSR that you give to the CA does NOT contain the associated private key.

You create the CSR locally on your PC using IIS Manager. Note: IIS is included with Windows, but is not installed by default. [I'll leave the details of installing IIS as an exercise for the student. Maybe some kind person will edit this answer and fill in those details.]

EDIT: rather than installing IIS on your local machine, you can RDP into the cloud service in Azure (very easy to do) and use IIS on that machine to create the CSR and Complete the Signing Request. If you do this, be sure to do this entire process in one sitting. If you generate the CSR and then wait to complete the request till sometime later, the cloud service may not be on the same machine and you won't have the "Export" option in IIS.

To create a CSR:

  1. Run IIS Manager
  2. Select (double-click) Server Certificates
  3. In the Actions pane on the right side of the window, click on Create Certificate Request. Common Name is the domain name associated with the certificate. The rest of the fields identify your company.
  4. IIS Manager will ask for the Cryptographic Service Provider and Bit Length. You must select a bit length of at least 2048.
  5. IIS Manager will create a public/private key pair. The public key is included in the CSR text file that IIS Manager creates for you. The private key is stashed away somewhere on your PC (I assume in the personal key store).

To create the CSR, you can also refer to the detailed steps at the GoDaddy site. Quite helpful.

Now, go back to your CA's website and find the online tool that lets you create the certificate that you purchased. The first thing it will want you to do is to paste (or upload) the CSR text. After you jump through your CA's hoops, you will receive one or more certificate files back from them.

Install certificate files into IIS

GoDaddy gives you two files: a p7b file and a crt file.

The crt file contains your public certificate. But you can't (yet) upload it to your web hosting provider because it doesn't include the associated private key. The web host needs the private key as well as the public key because it will be doing end-to-end encryption on your behalf.

The p7b file contains the certificates that comprise the "certificate chain" that allows your certificate to be verified up to your CA. In other words, when someone comes to your website and gets your certificate that claims that your website is run by Acme.com, this certificate chain lets that person's browser verify that your CA vouches for your identity.

Note that GoDaddy's p7b file is freely available from their website. Also note that you probably don't need the certificates contained in this file because your PC probably already has these certificates baked into its collection of known CAs.

Now you need to combine your public certificate with your private key and store the result in a password-protected pfx file.

Get back into IIS Manager on the same machine that created the CSR, navigate back to the Server Certificates page, and click on Complete Certificate Request (in the Actions pane on the right side of the screen).

  1. Tell the wizard to use the certificate file that you received from your CA (in my case it was a crt file, but it might be a different file type if your CA used a different encoding method).
  2. Friendly Name should probably be your domain name, but you can also add "SSL" in as well to help distinguish it (e.g. ContosoSSL)
  3. Tell the wizard to store the key in your Personal store

To install the certificates into IIS, these detailed steps from the GoDaddy site help may be helpful.

Get the pfx file

You should now see your new certificate listed on the Server Certificates page in IIS Manager. Select that certificate and export it as a pfx file (via the Actions pane on the right side of the screen).

Now you can go to https://manage.windowsazure.com (the Windows Azure management portal), select your website or cloud service, and upload the pfx file to the Azure certificate store.

Whew. Good luck...
