How do I create an ECC certificate for Windows Azure Mobile?


I want my mobile clients to use less CPU power and less network bandwidth, so I would like to use an ECC certificate for my Azure mobile app.

How do I generate an ECC-based certificate for use with Azure Mobile?

Answer 1

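OpenSSL is not needed at all. If you can use a Microsoft CA, use it to request the certificate (via the Certificates MMC snap-in). To use an external CA, you can create the certificate request with the certreq.exe tool. Create the following INF template: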

[NewRequest]
Subject="CN=<subject>"
KeyAlgorithm=ECDH_secP384r1
ProviderName="Microsoft Software Key Storage Provider"
KeyLength=384
Exportable=True
MachineKeySet=false
KeyUsage=0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

Then run the command:

certreq -new path\inffile.inf path\outrequest.req

The output request file can be submitted to the CA server.

Alternatively, you can use the New-SelfSignedCertificate PowerShell cmdlet to create a self-signed certificate. The syntax is as follows:

New-SelfSignedCertificate -Subject "CN=<Subject>" `
-KeyAlgorithm ECDH_secP384r1 `
-CertStoreLocation cert:\currentuser\my `
-KeyExportPolicy Exportable `
-Type SSLServerAuthentication
<...>

Supply additional parameters if needed.

Answer 2

To generate the ECC key, you need to use OpenSSL. MSFT does not currently support this bit length in Web Apps.

The process for creating this certificate is as follows:

validhost:~ lamont$ openssl ecparam -genkey -name secp384r1 | openssl ec -out ec384.key
read EC key
writing EC key
validhost:~ lamont$   openssl req -new -key ec384.key -out ec384.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VALID LLC
Organizational Unit Name (eg, section) []:Technology
Common Name (e.g. server FQDN or YOUR name) []:moonlight.social

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
validhost:~ lamont$ cat ec384.csr 

Take the output of the CSR and obtain a signed certificate. Then run the following command to convert the files into an Azure-compatible PFX...:

openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key \
   -in your_pem_certificate.crt -certfile CA-bundle.crt
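
Before uploading a PFX built this way, it is worth confirming that the private key is on the intended curve and that the signed certificate actually belongs to that key. The script below is an added example, not code from either answer; the file names, the example.test subject, the PFX_PASS environment variable and the one-day self-signed certificate standing in for the CA-signed one are assumptions made for illustration.

```shell
# Added example: pre-export checks for an EC key/certificate pair.
# All file names and the sample certificate are constructed.
set -eu

# Named curve of an EC private key, e.g. "secp384r1".
key_curve() {
  openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# SHA-256 of the DER SubjectPublicKeyInfo, from a private key or a certificate.
spki_of_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
spki_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Export a PFX only when the key is on the wanted curve and matches the
# certificate. The export password is read from $PFX_PASS, not from argv.
build_pfx() {  # build_pfx <key> <cert> <out.pfx> <curve>
  [ "$(key_curve "$1")" = "$4" ] || { echo "key is not on $4" >&2; return 1; }
  [ "$(spki_of_key "$1")" = "$(spki_of_cert "$2")" ] ||
    { echo "certificate does not match key" >&2; return 2; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# Curve of the certificate stored inside a PFX (what the server will present).
pfx_curve() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
    openssl x509 -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Constructed test material: a P-384 key with a one-day self-signed
# certificate standing in for the CA-signed one, plus an unrelated P-256 key.
make_samples() {  # make_samples <dir>
  openssl ecparam -genkey -name secp384r1 -noout -out "$1/ec384.key"
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/ec256.key"
  openssl req -new -x509 -key "$1/ec384.key" -subj "/CN=example.test" \
    -days 1 -out "$1/ec384.crt"
}
```

With a CA-signed certificate, add -certfile CA-bundle.crt to the pkcs12 call in build_pfx so the chain is included, as in the command above.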
