9

我正在尝试创建具有特定加密参数值的自签名证书。

在运行 PowerShell 5.0 的 Win Server 2012 r2 标准上,当我尝试使用

New-SelfSignedCertificate

我收到一个错误:

New-SelfSignedCertificate:找不到与参数名称“主题”匹配的参数。

当我尝试使用该-Subject参数时,除了笔记本电脑上允许的其他参数外,该参数不会出现在智能感知中。

但是在我的笔记本电脑(Win 10 和 PowerShell 5.0)上,我可以使用这些参数,并且我使用以下代码创建了一个自签名证书

#create a Certificate
# OID for document encryption
    $Oid = New-Object System.Security.Cryptography.Oid "1.3.6.1.4.1.311.80.1"
    $oidCollection = New-Object System.Security.Cryptography.OidCollection
    $oidCollection.Add($oid) > $Null
# Create enhanced key usage extension that allows document encryption
$Ext = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension $oidCollection, $true 

$myCert = New-SelfSignedCertificate -Subject 'CN=myservernameasubject' -CertStoreLocation "Cert:\LocalMachine\My" -KeySpec KeyExchange -KeyUsage KeyEncipherment, DataEncipherment -Extension $Ext
4

2 回答 2

16

使用 -DnsName 而不使用CN=.

从 PowerShell 帮助:

-DnsName <String> 当未通过 CloneCert 参数指定要复制的证书时,指定一个或多个 DNS 名称以放入证书的主题备用名称扩展中。第一个 DNS 名称也保存为主题名称和颁发者名称。

遗憾的是, Windows Server 2012 R2 和 Windows 8.1 中的New-SelfSignedCertificate不支持 -KeySpec 和其他相关选项。否则,您正在查看生成所需证书的三个选项之一;在如何使用 C# 创建自签名证书的答案中调整基于 COM 对象的代码?要在 PowerShell 中使用,请使用诸如 makecert.exe 之类的外部可执行文件,或在其他位置生成证书/密钥对,然后将其导入另一台计算机上的证书存储区。

更新:经过进一步研究,在 PowerShell 中调整基于 COM 的代码似乎是一个不错的选择。我找到了 Vishal Agarwal 的博客条目,使用 powershell 和 CertEnroll 接口生成证书(自签名),它提供了以下 PowerShell 代码:

$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)

$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()

$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(90)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
于 2016-03-10T18:35:55.093 回答
2

The following worked just fine for the self-signed option...

New-SelfSignedCertificate -DnsName "*.costoso100.com" -CertStoreLocation "cert:\LocalMachine\My"

I was able to export and setup LDAPS in about 15 minutes.

于 2017-11-22T17:12:37.423 回答