Currently, to generate a PFX certificate, I use openssl and:
- Generate a CSR using a private key
- Connect to my CA website (Microsoft CA) and submit the CSR together with the (san:dns=) additional attribute.
- Issue the pending certificate from the Certificate Authority (Base64).
- Convert my private key from PKCS8 to PKCS1
- Create a PEM (private key, host certificate, intermediate and root certificates)
- Finally convert my PEM to PKCS#12 (.pfx file)
This process is quite long, and I believe I am wasting a lot of time.
Can anyone tell me what a faster way is to get a signed certificate chain (pfx) from an internal Microsoft CA?
Answer 1
OK, so I wrote a script then.
I still believe there is a simpler way using certreq and PowerShell, but here is the bash script. Requirements: Cygwin, standard UNIX utilities, clip, openssl
#!/bin/bash
# Path to Internet Explorer under Cygwin; adjust it for 32-bit Windows (see note below)
iexplore='/cygdrive/c/Program Files (x86)/Internet Explorer/iexplore.exe'
printf "\033c"
echo -e "This function automates IIS7 certificate generation for <YourCompany>"
type openssl > /dev/null 2>&1 || {
    echo "Cannot find OpenSSL, it is required to generate certificates. Aborting..." 1>&2
    exit 1
}
openssl version
echo -e "\n"
read -p "What is the server hostname (NOT FQDN!): " Hostname
# Only plain alphanumeric host names are accepted; this also keeps shell and
# config-file metacharacters out of the file names and openssl.cfg built from $Hostname
if [[ $Hostname =~ ^[A-Za-z0-9]+$ ]]; then
    echo -e "Server name:\t$Hostname\nFQDN:\t\t$Hostname.<yourDomain>\n"
else
    echo "$Hostname doesn't look quite right... Exiting"
    sleep 3
    exit 1
fi
mkdir -p ~/Desktop/certs_temp
cd ~/Desktop/certs_temp || exit 1
# OpenSSL request config: unencrypted 2048-bit RSA key, SHA-512 signature,
# subjectAltName carried inside the CSR itself (v3_req)
cat > openssl.cfg <<EOF
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$Hostname

[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = NSW
localityName = Sydney
0.organizationName = <OrgName>
organizationalUnitName = <OrgUName>
commonName = $Hostname.<YourDomain>
EOF
# Generate the private key and the CSR (-nodes: the key is written unencrypted)
openssl req -out openssl.csr -new -newkey rsa:2048 -nodes -keyout pk.key -config openssl.cfg > /dev/null 2>&1
# Convert the PKCS#8 key to traditional PKCS#1 format, then drop the original
openssl rsa -in pk.key -out openssl.key > /dev/null 2>&1; rm pk.key
echo -e "Now, upload this Certificate Signing Request to the Internal Certificate Authority: \n\t- The CSR content has been copied into your clipboard\n\t- You do not need to set any subject alternate name\n\t- Once submitted, open 'Certificate Authority' via MMC (<ServerName>), issue the pending certificate and export it (Open / Details / Copy To File) Base64 to ~/Desktop/certs_temp/openssl.cer\n"
# Copy the CSR to the clipboard first, then open the CA web enrolment page in the background
clip < openssl.csr
"$iexplore" "https://<ServerName>/certsrv/certrqxt.asp" &
read -p "Press [Enter] when the openssl.cer certificate has been placed in ~/Desktop/certs_temp"
if [ -f 'openssl.cer' ]; then
    # Build the PEM bundle: private key, host certificate, then intermediate and root
    cat openssl.cer >> openssl.key
    echo '
-----BEGIN CERTIFICATE-----
<CompanyIntermediate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CompanyRoot>
-----END CERTIFICATE-----' >> openssl.key
    mv openssl.key "$Hostname.pem"
    echo "Converting PEM Chain certificate to PKCS#12 (.pfx)"
    # Prompts for the PFX export password. The .pem left next to it still holds the
    # unencrypted private key, so delete it once the .pfx has been installed
    openssl pkcs12 -export -out "$Hostname.pfx" -in "$Hostname.pem"
    explorer .
else
    echo "Cannot find openssl.cer in ~/Desktop/certs_temp... Exiting"
    sleep 3
    exit 1
fi
The script:
- Generates the private key and the certificate signing request (CSR) from the config file.
- Copies the CSR to the clipboard and opens the IIS web page to request the certificate.
- Prompts the user to issue the pending certificate and export it as base64
- Creates the PEM, then exports it as PKCS#12 (.pfx)
Note: you must change the path for 32-bit Windows Internet Explorer, and you must replace the specific <ServerName> tags.
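The certreq/PowerShell route the answer mentions, as an added example that is not part of the original question or the answer's script: it sends the request straight to the CA over RPC/DCOM and exports the PFX from the machine certificate store, with no Cygwin, no web enrolment page and no PEM file holding the private key on the Desktop. The host name, DNS suffix, CA config string ("CAHOST\CA name"), template name and working directory are assumptions; replace them with your own. Run it from an elevated PowerShell prompt on a domain-joined host that is allowed to enrol for the template.

```powershell
# Added example, not the answer's code: SAN certificate from an internal Microsoft CA
# via certreq, exported as PKCS#12. All values below are assumed placeholders.
$Hostname = "web01"                                   # short host name (assumption)
$Domain   = "corp.example"                            # DNS suffix (assumption)
$Fqdn     = "$Hostname.$Domain"
$CAConfig = "CASERVER.corp.example\Corp-Issuing-CA"   # "CAHOST\CA name" (assumption)
$Template = "WebServer"                               # template name (assumption)
$WorkDir  = Join-Path $env:TEMP "certreq-$Hostname"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Request template. The SAN travels inside the PKCS#10 request (extension 2.5.29.17),
# so the CA does not have to accept a "san:dns=" submit-time attribute.
$inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
; 0xA0 = digitalSignature | keyEncipherment
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$Hostname"
"@
$infPath = Join-Path $WorkDir "$Hostname.inf"
$reqPath = Join-Path $WorkDir "$Hostname.req"
$cerPath = Join-Path $WorkDir "$Hostname.cer"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the key pair in the LocalMachine store and write the CSR.
certreq -new $infPath $reqPath

# 2. Submit directly to the CA. If the CA holds requests for manual approval, this prints
#    "taken under submission" plus a request ID instead of writing $cerPath (see note).
certreq -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $reqPath $cerPath

# 3. Bind the issued certificate to its pending private key in the machine store.
certreq -accept -machine $cerPath

# 4. Locate the certificate and export it with the chain built from the local trust stores.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate for $Fqdn not found in Cert:\LocalMachine\My" }

$PfxPath     = Join-Path $WorkDir "$Hostname.pfx"
$PfxPassword = Read-Host -AsSecureString "PFX export password"   # prompted, never hard-coded
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Wrote $PfxPath (thumbprint $($cert.Thumbprint))"
```

When the CA is set to hold requests, as in the question, note the request ID that step 2 prints, have the CA administrator issue it, then run `certreq -retrieve -config $CAConfig <RequestId> $cerPath` (RequestId is the number certreq printed) and continue from step 3. Carrying the SAN inside the request, rather than as a `san:dns=` submission attribute, matters for more than convenience: a Microsoft CA only honours that attribute when its EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set, and with the flag on any enrolee can put arbitrary names into any certificate the CA issues, so it is normally left off and the template's "supply in the request" setting is used instead. `Exportable = TRUE` is what permits the PFX export; the private key is otherwise never written to disk outside the protected key store.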