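I am trying to follow this article to create a custom certificate to support SSL on a web server.
I am stuck at the following step:
Click Personal – All Tasks – Advanced Operations – Create Custom Request
The problem is that the web server (Windows Server 2003 R2) has no "Advanced Operations" option under "All Tasks". My desktop (Windows 7) has it, but the server does not. All the documentation I can find indicates that it should be available on WS-2003-R2, but it is not.
Note: I am going through this manual process because I need to specify alternate host names in the CSR, and you cannot do that through the certificate management features of the IIS 6.0 console.
Any suggestions on how to get this option to show up?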
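Answer 1
That menu option is not a feature on Windows 2003 R2.
You may want to do this from the command line; it is more flexible.
How to use the Certreq.exe utility to create and submit a certificate request that includes a SAN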
http://support.microsoft.com/kb/931351
http://technet.microsoft.com/en-us/library/cc736326%28WS.10%29.aspx
certreq -new request.inf certnew.req
certreq -accept cert.cer
C:\UTIL>certreq -v -?
certreq.exe: 5.2.3790.1830 retail (srv03_sp1_rtm.050324-1447)
Usage:
  CertReq -?
  CertReq [-v] -?
  CertReq [-Command] -?

  CertReq [-Submit] [Options] [RequestFileIn [CertFileOut [CertChainFileOut [FullResponseFileOut]]]]
    Submit a request to a Certification Authority.
      -attrib AttributeString
      -binary
      -config ConfigString
      -crl
      -rpc

  CertReq -Retrieve [Options] RequestId [CertFileOut [CertChainFileOut [FullResponseFileOut]]]
    Retrieve a response to a previous request from a Certification Authority.
      -binary
      -config ConfigString
      -crl
      -rpc

  CertReq -New [Options] [PolicyFileIn [RequestFileOut]]
    Create a new request as directed by PolicyFileIn
      -attrib AttributeString
      -binary
      -cert CertId

  CertReq -Accept [CertChainFileIn | FullResponseFileIn | CertFileIn]
    Accept and install a response to a previous new request.

  CertReq -Policy [Options] [RequestFileIn [PolicyFileIn [RequestFileOut [PKCS10FileOut]]]]
    Construct a cross certification or qualified subordination request
    from an existing CA certificate or from an existing request.
      -attrib AttributeString
      -binary
      -cert CertId

  CertReq -Sign [Options] [RequestFileIn [RequestFileOut]]
    Sign a cross certification or qualified subordination request.
      -binary
      -cert CertId
      -crl

Description:
  -any                     - Force ICertRequest::Submit to determine encoding type
  -attrib AttributeString  - Request attribute string
  -binary                  - Output files in binary format instead of Base64-encoded
  -cert CertId             - Specify signing certificate by common name,
                             serial number, or by sha-1 Key or cert hash
  -config ConfigString     - Server\CertificationAuthority config string
                             or use a single minus sign (-) as config string
  -crl                     - Include CRLs in CertChainFileOut or
                             RequestFileOut
  -f                       - Force overwrite of existing files
  -q                       - Suppress all interactive dialogs
  -rpc                     - Use RPC instead of DCOM server connection
  -v                       - Display Full Response Properties
  -?                       - Display this usage message

  RequestFileIn            - Base64-encoded or binary input file name:
                             PKCS10 certificate request,
                             CMS certificate request,
                             PKCS7 certificate renewal request,
                             X-509 certificate to be cross-certified, or
                             KeyGen tag format certificate request
  RequestFileOut           - Base64-encoded output file name
  PKCS10FileOut            - Base64-encoded PKCS10 output file name
  CertFileOut              - Base64-encoded X-509 file name
  CertChainFileOut         - Base64-encoded PKCS7 file name
  FullResponseFileOut      - Base64-encoded Full Response file name
  ConfigString             - Backslash separated Server Name and Certification
                             Authority Name: MachineDnsName\CAName
  AttributeString          - Colon separated Name and Value string pairs
                             Each pair separated by a backslash and "n"
                             Example: "Name1: Value1\n Name2: Value2"
  PolicyFileIn             - INF file containing a textual representation
                             of extensions used to qualify a request

    [NewRequest]
    Subject = "CN=..,OU=...,DC=..."
    PrivateKeyArchive = TRUE
    KeySpec = 1
    KeyLength = 1024
    RenewalCert = CertId
    SMIME = TRUE
    Exportable = TRUE
    UserProtected = TRUE
    KeyContainer = "..."
    MachineKeySet = TRUE
    Silent = TRUE
    ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
    ProviderType = 1
    UseExistingKeySet = TRUE
    RequesterName = DOMAIN\User
    RequestType = PKCS10 | PKCS10- | PKCS7 | CMC
    KeyUsage = 0x80
    EncipherOnly = TRUE
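
The policy file the answer's `certreq -new request.inf certnew.req` command expects, as an added example that is not part of the original answer: a `request.inf` for a web server certificate with two host names, using the `[RequestAttributes]` SAN syntax from the KB 931351 article linked above. The host names are constructed placeholders, and the example assumes the request is submitted to a Microsoft CA that is configured to accept the SAN request attribute.

```ini
; request.inf -- added example; host names are placeholders (constructed).
; Assumes a Microsoft CA that accepts the SAN request attribute.
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com"   ; primary host name
KeySpec = 1                      ; key exchange
KeyLength = 2048                 ; the 1024 in the help text is only a syntax sample
KeyUsage = 0xA0                  ; digital signature + key encipherment
MachineKeySet = TRUE             ; machine key store, so the IIS service can use the key
Exportable = FALSE               ; keep the private key non-exportable
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1          ; server authentication

[RequestAttributes]
; Repeat the subject host name here: clients that read the SAN ignore the CN.
SAN = "dns=www.example.com&dns=example.com"

; Commands, run on the web server:
;   certreq -new request.inf certnew.req
;   certreq -submit certnew.req cert.cer
;   certreq -accept cert.cer
;   certutil -dump cert.cer      (confirm Subject Alternative Name lists both names)
```

On the CA, the SAN attribute is only honored when the policy module's `EDITF_ATTRIBUTESUBJECTALTNAME2` edit flag is set. Because that flag applies to every request the CA receives, enrollment permissions and request approval on that CA need to be tight.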