$ConfigContent = @"
; Request.inf
[Version]
Signature="`$Windows NT$"
[NewRequest]
Subject = "CN=$CN,C=ES,ST=Barcelona,L=Barcelona,O=$O"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=$CN&"
_continue_ = "DNS=testing.$CN&"
"@
$ConfigContent | Out-File -FilePath "$CN.inf" -Encoding ASCII
# Create a certificate request; certreq reports failure through its exit code
certreq -new -f "$CN.inf" "$CN.csr"
if ($LASTEXITCODE -eq 0) {
    # Regular expression matching the request ID (Spanish-language certreq output)
    $pattern = 'Id\. de solicitud: (\d+)'
    # Submit the request to the Certificate Authority
    $commandOutput = certreq -submit -config "localhost\COMPANY-AD01-CA" "$CN.csr" "$CN.crt"
    # Use the Select-String cmdlet to find the first match in the output
    $match = $commandOutput | Select-String -Pattern $pattern | Select-Object -First 1
    if ($match) {
        $id = $match.Matches[0].Groups[1].Value
        # Approve the pending request and retrieve the issued certificate
        certutil -config "localhost\COMPANY-AD01-CA" -resubmit $id
        certreq -config "localhost\COMPANY-AD01-CA" -q -f -retrieve $id "$CN.crt"
        # Clean up the intermediate files
        Remove-Item -Path "$CN.inf", "$CN.csr", "$CN.rsp" -Force
    }
    else {
        Write-Host "Failed to submit the certificate request."
    }
}
else {
    Write-Host "Failed to create the certificate request."
}
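
With this I create a certificate, send it to the CA and accept it. certreq -retrieve only gets the certificate, not the key. How do I get the key, or how do I use this certificate in Apache?
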
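Answer 1

You need to use certutil -exportPFX or Export-PfxCertificate to export the private key. Both will give you a PKCS#12 format file (.pfx or .p12), which you can use as-is for Apache Tomcat (or any program that uses a "Java keystore"), or convert to a PKCS#8 format private key file for Apache httpd (or any program that uses "PEM" format keys).

After that, you can delete the certificate and key from Windows.

For the conversion to PKCS#8 (PEM), I'm not sure whether Windows has anything built in, but the usual openssl tool is also available for Windows: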

# Extract the certificate:
openssl pkcs12 -in Foo.pfx -out Foo.crt -nokeys
# Extract the private key ("-nodes" means do not encrypt):
openssl pkcs12 -in Foo.pfx -out Foo.key -nocerts -nodes

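However, once you have the OpenSSL tools installed, it is probably easier to use openssl req for that task, since it directly outputs a PKCS#8 private key that Apache accepts.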
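
The export path described in the answer, written out end to end as an added example (not code from the original question or answer). It relies on the request having `Exportable = TRUE` and `MachineKeySet = TRUE` as in the INF above; the `$CN` value, the output file names and the assumption that the issued certificate was installed with `certreq -accept` are illustrative.

```powershell
# Added example. $CN is a constructed placeholder value.
$CN = 'www.example.test'

# Assumption: the issued certificate was installed with `certreq -accept "$CN.crt"`,
# which binds it to the pending private key in the LocalMachine\My store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CN,*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key found for CN=$CN in LocalMachine\My."
}

# Export certificate + private key as PKCS#12.
# The password is read as a SecureString and never written to disk.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$CN.pfx" -Password $pfxPassword | Out-Null

# Convert to PEM for Apache httpd; openssl prompts for the PFX password.
openssl pkcs12 -in "$CN.pfx" -out "$CN.cert.pem" -nokeys
if ($LASTEXITCODE -ne 0) { throw 'Certificate extraction failed.' }
openssl pkcs12 -in "$CN.pfx" -out "$CN.key.pem" -nocerts -nodes
if ($LASTEXITCODE -ne 0) { throw 'Private key extraction failed.' }

# "-nodes" leaves the key unencrypted on disk, so drop inherited ACEs and
# grant read access only to SYSTEM and Administrators (well-known SIDs,
# independent of the Windows display language).
# Assumption: httpd runs as LocalSystem; grant its service account instead if not.
icacls "$CN.key.pem" /inheritance:r /grant:r '*S-1-5-18:R' '*S-1-5-32-544:R' | Out-Null

# The PFX was only a transport container; do not leave it lying around.
Remove-Item -Path "$CN.pfx" -Force

# httpd then references the two PEM files (mod_ssl directives):
#   SSLCertificateFile    "<path>/www.example.test.cert.pem"
#   SSLCertificateKeyFile "<path>/www.example.test.key.pem"
```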