powershell – 使用根CA签名者生成自签名证书

场景：我在Windows Server 2012r2上使用PowerShell生成Root证书,并希望使用它来在动态生成(和销毁)的开发/测试环境中签署新创建的中级和Web证书.脚本是远程部署的,目的是尽可能保持纯PowerShell.在Windows 10/2016中,生成根证书后相对容易：

$Cert = New-SelfSignedCertificate -Signer $Root -Subject "CN=$Subject"

我使用COM X509Enrollment.CX509CertificateRequestCertificate和Security.Cryptography.X509Certificates.X509Certificate2在我已经有一段时间的惯性PS中生成了Root证书,主要是因为我需要确保主题和用法设置非常具体.我不太确定如何使用它来签署没有上述标准的证书(我之前使用过).

在C#中有一些使用Bouncy Castle(见下文)的例子我可以绑定到PowerShell,但是我需要在动态开发/测试环境中另外部署它,我希望能够在Powershell中执行此操作(通过COM)如果需要)具有最少的依赖性.

> C# Generate Self Signed Certificates on the Fly
> How do I use Bouncy Castle in Powershell

解决方法

然后我使用StackOverflow: C# Generate Certificates on the Fly作为灵感来编写下面的powershell,我将把它添加到我的GitHub并进行评论,我会尽快修改它：

Import-Module -Name PSBouncyCastle.New

function New-SelfSignedCertificate {
  [CmdletBinding()]
  param (
    [string]$SubjectName,[string]$FriendlyName = "New Certificate",[object]$Issuer,[bool]$IsCA = $false,[int]$KeyStrength = 2048,[int]$ValidYears = 2,[hashtable]$EKU = @{}
  )

  # Needed generators
  $random = New-SecureRandom
  $certificateGenerator = New-CertificateGenerator

  if($Issuer -ne $null -and $Issuer.HasPrivateKey -eq $true)
  {
    $IssuerName = $Issuer.IssuerName.Name
    $IssuerPrivateKey = $Issuer.PrivateKey
  }
  # Create and set a random certificate serial number
  $serial = New-SerialNumber -Random $random
  $certificateGenerator.SetSerialNumber($serial)

  # The signature algorithm
  $certificateGenerator.SetSignatureAlgorithm('SHA256WithRSA')

  # Basic Constraints - certificate is allowed to be used as intermediate.
  # Powershell requires either a $null or reassignment or it will return this from the function
  $certificateGenerator = Add-BasicConstraints -isCertificateAuthority $IsCA -certificateGenerator $certificateGenerator

  # Key Usage
  if($EKU.Count -gt 0) 
  {
    $certificateGenerator = $certificateGenerator | Add-ExtendedKeyUsage @EKU
  }
  # Create and set the Issuer and Subject name
  $subjectDN = New-X509Name -Name ($SubjectName)
  if($Issuer -ne $null) {
    $IssuerDN = New-X509Name -Name ($IssuerName)
  }
  else 
  {
    $IssuerDN = New-X509Name -Name ($SubjectName)
  }  
  $certificateGenerator.SetSubjectDN($subjectDN)
  $certificateGenerator.SetIssuerDN($IssuerDN)

  # Authority Key and Subject Identifier
  if($Issuer -ne $null)
  {
    $IssuerKeyPair = ConvertTo-BouncyCastleKeyPair -PrivateKey $IssuerPrivateKey
    $IssuerSerial = [Org.BouncyCastle.Math.BigInteger]$Issuer.GetSerialNumber()
    $authorityKeyIdentifier = New-AuthorityKeyIdentifier -name $Issuer.IssuerName.Name -publicKey $IssuerKeyPair.Public -serialNumber $IssuerSerial
    $certificateGenerator = Add-AuthorityKeyIdentifier -certificateGenerator $certificateGenerator -authorityKeyIdentifier $authorityKeyIdentifier
  }

  # Validity range of the certificate
  [DateTime]$notBefore = (Get-Date).AddDays(-1)
  if($ValidYears -gt 0) {
    [DateTime]$notAfter = $notBefore.AddYears($ValidYears)
  }
  $certificateGenerator.SetNotBefore($notBefore)
  $certificateGenerator.SetNotAfter($notAfter)


  # Subject public key ~and private
  $subjectKeyPair = New-KeyPair -Strength $keyStrength -Random $random
  if($IssuerPrivateKey -ne $null)
  {
    $IssuerKeyPair = [Org.BouncyCastle.Security.DotNetUtilities]::GetKeyPair($IssuerPrivateKey)
  }
  else 
  {
    $IssuerKeyPair = $subjectKeyPair
  }
  $certificateGenerator.SetPublicKey($subjectKeyPair.Public)

  # Create the Certificate
  $IssuerKeyPair = $subjectKeyPair
  $certificate = $certificateGenerator.Generate($IssuerKeyPair.Private,$random)
  # At this point you have the certificate and need to convert it and export,I return the private key for signing the next cert
  $pfxCertificate = ConvertFrom-BouncyCastleCertificate -certificate $certificate -subjectKeyPair $subjectKeyPair -friendlyName $FriendlyName
  return $pfxCertificate
}

这个powershell的一些使用示例是：

生成根CA.

$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $true
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx

生成标准自签名

$TestSS = New-SelfSignedCertificate -subjectName "CN=TestLocal"
Export-Certificate -Certificate $TestSS -OutputFile "TestLocal.pfx" -X509ContentType Pfx

生成证书,使用根证书签名

$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $true
$TestSigned = New-SelfSignedCertificate -subjectName "CN=TestSignedByRoot" -issuer $TestRootCA

Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx
Export-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx

生成具有特定用途的自签名

$TestServerCert = New-SelfSignedCertificate -subjectName "CN=TestServerCert" -EKU @{ "ServerAuthentication" = $true }

请注意,-EKU参数通过splatting接受,它执行此操作以确保有效传递添加到Add-ExtendedKeyUsage的任何内容.它接受以下证书用法：

> DigitalSignature
> NonRepudiation
> KeyEncipherment
> DataEncipherment
> KeyAgreement
> KeyCertSign
> CrlSign
> EncipherOnly
> DecipherOnly

这符合我的需要,似乎适用于我们用于动态环境的所有Windows平台.

（编辑：清远站长网）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!