How do I create a self-signed certificate?

Time: 2019-06-25 11:05:39

Tags: powershell ssl iis self-signed-certificate

I created a self-signed certificate on the server using PowerShell:

New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"

Then I went into mmc:

File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer

I expanded the "Personal" folder and could see my localhost certificate.

I copied and pasted it into Trusted Root Certification Authorities -> Certificates.

After that, I bound the application in IIS:

[image: binding]

But I still get an error:

[image: error]

How can I solve my problem? Or is there perhaps some other free solution?

2 answers:

Answer 0 (score: 0)

You should copy the certificate to both Personal and Trusted Root Certification Authorities. To set up a self-signed certificate for IIS with PowerShell, the following function should help you.

Run the script as administrator. If you are on Windows 10, you must install the WebAdministration module.

#Install-Module -Name 'WebAdministration'

Import-Module -Name WebAdministration

function AddSelfSignedCertificateToSSL([String]$dnsname, [String]$siteName='Default Web Site'){
    # Create the certificate in the computer's Personal (My) store
    $newCert = New-SelfSignedCertificate -DnsName $dnsname -CertStoreLocation Cert:\LocalMachine\My

    # Attach it to the site's https binding; the binding must already exist in IIS
    $binding = Get-WebBinding -Name $siteName -Protocol "https"
    if (-not $binding) { throw "No https binding found on site '$siteName'" }
    $binding.AddSslCertificate($newCert.GetCertHashString(), "My")
    $newCertThumbprint = $newCert.Thumbprint

    # Copy the same certificate into Trusted Root so this machine trusts it
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", LocalMachine
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
    $store.Add($newCert)
    $store.Close()   # release the store handle
    return $newCertThumbprint
}

Write-Host "Installing self-signed certificate into Cert:\LocalMachine\My and Cert:\LocalMachine\Root .."

$certinstalledThumbprint = AddSelfSignedCertificateToSSL 'someacmeapp.somedomain.net'

Write-Host "Added certificate $certinstalledThumbprint to Cert:\LocalMachine\My and Cert:\LocalMachine\Root and set it up as the SSL certificate on Default Web Site."

Note that modern browsers such as Chrome will complain that the algorithm used in the self-signed certificate is weak, and that no third-party certificate authority (GoDaddy, etc.) has confirmed the certificate's validity, because it is self-signed and uses a weak algorithm.

Answer 1 (score: 0)

The following commands in PowerShell (run as administrator) solve the problem:

1.- We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256'  -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

2.- We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256"

3.- We copy the thumbprint returned by the last command

4.- (If necessary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:3002

5.- We associate the new certificate with any ip and your port, 3002 in your case (the appid value is any valid guid):
netsh http add sslcert ipport=0.0.0.0:3002 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint

6.- Now, you must drag and drop the TestRootCA from Personal/Certificates folder to Trusted Root Certification Authorities/Certificates.

These commands also resolve the error ERR_CERT_WEAK_SIGNATURE_ALGORITHM that Google Chrome returns later, because the certificate is created with SHA256 instead of SHA1.
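As an added example that is not part of the question or either answer: the root-CA plus leaf approach from answer 1, scripted end to end in PowerShell, with the Trusted Root copy done through X509Store instead of drag-and-drop in mmc, an HTTPS binding created if the site has none, and a final chain check with Test-Certificate from the PKI module. The site name, port and DNS name are assumptions.

```powershell
# Added example, not the question's or either answer's own script.
# Assumptions: run as administrator, IIS and the WebAdministration and PKI
# modules present, site 'Default Web Site', HTTPS on port 443, host 'localhost'.
#Requires -RunAsAdministrator
Import-Module -Name WebAdministration
Import-Module -Name PKI

$dnsName  = 'localhost'          # assumed host name for the leaf certificate
$siteName = 'Default Web Site'   # assumed IIS site
$port     = 443                  # assumed HTTPS port

# 1. Local test root: SHA-256, 2048-bit RSA, key usage limited to signing certs/CRLs,
#    and a short lifetime so a forgotten test root does not stay trusted for years.
$rootCert = New-SelfSignedCertificate `
    -Subject 'CN=TestRootCA,O=TestRootCA' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage CertSign, CRLSign `
    -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# 2. Leaf certificate for the site, signed by the root, restricted to the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) and to one DNS name (SAN).
$leafCert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Signer $rootCert `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 3. Trust only the root (not the leaf) by copying it into LocalMachine\Root.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($rootCert)
$rootStore.Close()

# 4. Bind the leaf to the site's HTTPS binding, creating the binding if it is missing.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port $port
}
$binding.AddSslCertificate($leafCert.Thumbprint, 'My')

# 5. Verify the chain the way a browser would: SSL policy, server-auth EKU, name match.
if (Test-Certificate -Cert $leafCert -Policy SSL -DNSName $dnsName -EKU '1.3.6.1.5.5.7.3.1') {
    Write-Host "OK: $($leafCert.Thumbprint) chains to TestRootCA and matches $dnsName"
} else {
    Write-Warning "Chain check failed for $($leafCert.Thumbprint); inspect Cert:\LocalMachine\Root"
}
```

Remove TestRootCA from Cert:\LocalMachine\Root when the test setup is no longer needed, since anything signed with that key is trusted by this machine until then.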
