0

我在我的服务器中使用 powershell 创建了一个自签名证书。

New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"

我继续mmc

File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer

我展开个人文件夹,您会看到我的本地主机证书

我将其复制并粘贴到Trusted Root Certification Authorities - Certificates

之后,我在 IIS 上绑定我的应用程序:

捆绑

但我仍然有错误:

错误

我该如何解决我的问题?或者也许还有其他免费的解决方案。

4

2 回答 2

1

PowerShell 中的以下命令(以管理员身份运行)可以解决问题:

1.- We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256'  -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

2.- We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256"

3.- We copy the thumbprint returned by the last command

4.- (If neccesary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:3002

5.- We associate the new certificate with any ip and your port, 3002 in your case (the appid value is any valid guid):
netsh http add sslcert ipport=0.0.0.0:3002 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint

6.- Now, you must drag and drop the TestRootCA from Personal/Certificates folder to Trusted Root Certification Authorities/Certificates.

这些命令还解决了 Google Chrome 稍后返回的错误ERR_CERT_WEAK_SIGNATURE_ALGORITHM,因为证书是使用 SHA256 而不是 SHA1 创建的

于 2020-12-06T12:13:10.600 回答
0

您应该将证书复制到 Personal 和 Trusted Root Authorities。要使用 Powershell for IIS 设置自签名,以下功能应该可以帮助您。

以管理员身份运行脚本 - 如果您使用的是 Windows 10,您可能必须安装模块 WebAdministration。

#Install-Module -Name 'WebAdministration'

Import-Module -Name WebAdministration

function AddSelfSignedCertificateToSSL([String]$dnsname, [String]$siteName='Default Web Site'){
 $newCert = New-SelfSignedCertificate -DnsName $dnsname -CertStoreLocation Cert:\LocalMachine\My
 $binding = Get-WebBinding -Name $siteName -Protocol "https"
 $binding.AddSslCertificate($newCert.GetCertHashString(), "My")
 $newCertThumbprint = $newCert.Thumbprint
 $sourceCertificate = $('cert:\localmachine\my\' + $newCertThumbprint)

 $store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "Root", LocalMachine
 $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
 $store.Add($newCert)
 return $newCertThumbprint
}

Write-Host Installing self-signed certificate Cert:\LocalMachine\My and Cert:\LocalMachine\Root ..

$certinstalledThumbprint = AddSelfSignedCertificateToSSL 'someacmeapp.somedomain.net'

Write-Host Added certificate $certinstalledThumbprint to Cert:\LocalMachine\My and Cert:\LocalMachine\Root and set this up as the SSL certificate on Default Web Site.

请注意,现代浏览器(例如 Chrome)会抱怨自签名算法中使用的算法较弱,并且没有第三方证书颁发机构(例如 GoDaddy 等)可以确认证书的有效性,因为它是自签名的并且算法较弱.

于 2020-06-10T17:45:40.037 回答