Creating a signing certificate for Outlook 2010 under Windows 7

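I am trying to create an S/MIME signing certificate for Outlook 2010 under Windows 7. I have gone into Options ➮ Trust Center (see below) to try to set it up, but when I try to choose a signing certificate, I get an error message: "No certificates available".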

How do I create a self-signed certificate for signing e-mail?

[Image: Trust Center]

[Image: No certificates error]

Answer 1

I am using the Microsoft tool makecert for this.

First you need to create a CA (certificate authority) key:

makecert -pe -n "CN=My Root CA" -ss root -a sha512 -sky signature -len 2048 -h 1 -cy authority -r my_ca.cer
# -pe: Mark private key as exportable - useful for backup.
# -n "CN=My Root CA": The name of the certificate. Please use an individual name and replace the "My" with your full name.
# -ss root: The store where makecert shall place the certificate (Root certificates store).
# -a sha512: The signature algorithm to use. Right now SHA512 is the maximum available.
# -sky signature: The key type (signature, not exchange).
# -len 2048: Key length in bits. You might consider generating a longer key.
# -h 1: Maximum height of the tree below this certificate. I don't use sub-CAs, so I hope that 1 is the correct value.
# -cy authority: Certificate type is CA, not end-entity.
# -r: Create a self signed certificate.
# my_ca.cer: Name of the file to which the generated public key will be written.

Now you need to create the certificate used for mail signing. In your case you will start with just one certificate:

makecert -pe -n "[email protected],CN=My eMail Signing" -a sha512 -sky exchange -cy end -ss my -eku 1.3.6.1.5.5.7.3.4 -in "My Root CA" -is root -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048 my_email.cer 
# -pe: Mark private key as exportable - useful for backup.
# -n "[email protected],CN=My eMail Signing": Name of the certificate. This must contain your mail address in the E entry and your name in the CN entry. You should give a useful CN, so please replace My with your full name.
# -a sha512: The signature algorithm to use. Right now SHA512 is the maximum available.
# -sky exchange: The key type (exchange, not signature).
# -cy end: Certificate type is end-entity, not CA.
# -ss my: The store where makecert shall place the certificate (My certificates store).
# -eku 1.3.6.1.5.5.7.3.4: Enhanced key usage "E-mail protection"
# -in "My Root CA": Name of the CA used to sign the generated key. Must be the same as given in "-n" in the above call to makecert.
# -is root: Store where the CA key can be found.
# -sp "Microsoft RSA SChannel Cryptographic Provider": Name of the CryptoAPI provider to use.
# -sy 12: Type of the CryptoAPI provider.
# -len 2048: Key length in bits. You might consider generating a longer key.
# my_email.cer: Name of the file to which the generated public key will be written.

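The private and public keys are written to the user's certificate store (in the registry) and can be used immediately. The public key is written to the given file.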

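You can immediately select the mail signing certificate in the mail program on your computer. To make your public key available to others, you can give them a copy of your public key. For full trust, they may need to import your CA key into their certificate store.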
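
To check what ended up in the store after the two makecert calls, the following added example (not part of the original answer) lists each certificate in the current user's My store with the properties those calls set: a private key, the E-mail protection EKU, an e-mail address, a current validity period and a chain that builds to a trusted root. The function name Get-SmimeCertReport is hypothetical, and treating these properties as the ones that matter for signing is an assumption.

```powershell
# Added example (not from the original answer): report, for each certificate in the
# current user's "My" store, the properties the makecert call above is meant to set.
$emailProtectionOid = '1.3.6.1.5.5.7.3.4'   # EKU "E-mail protection", as passed to -eku

function Get-SmimeCertReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Assumption: a certificate without an EKU extension is not purpose-restricted.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    $ekuOk = $true
    if ($eku) {
        $ekuOk = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $emailProtectionOid }).Count -gt 0
    }

    # E-mail address taken from the subject or the subject alternative name.
    $email = $Cert.GetNameInfo('EmailName', $false)

    # Revocation checks are skipped on the assumption that the self-made CA
    # created above publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject         = $Cert.Subject
        HasPrivateKey   = $Cert.HasPrivateKey
        EmailProtection = $ekuOk
        Email           = $email
        InValidity      = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        ChainTrusted    = $chainOk
    }
}

# Enumerate the store that "-ss my" writes to and print one report per certificate.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Get-SmimeCertReport $_ } |
    Select-Object Subject, HasPrivateKey, EmailProtection, Email, InValidity, ChainTrusted |
    Format-List
```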

Answer 2

If you do not need it to be signed by an internal CA or a public CA, you can run the program C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE, which will generate a self-signed certificate.

Answer 3

I had the same problem, and I run a CA for our systems. MS CA for Windows 2008 R2.

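I issued a valid e-mail certificate, but it still did not work. The signing certificate would not show up, but the encryption certificate would.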

I finally figured out that when you request the certificate, you must select "Mark keys as exportable".

Once I did that, everything worked automatically.

Hope that helps.