如何为 Windows Azure Mobile 创建 ECC 证书？

Question 1

OpenSSL 中完全不需要。如果可以使用 Microsoft CA，请使用它来请求证书（通过证书 MMC 管理单元）。要使用外部 CA，可以使用certreq.exe工具创建证书请求。创建以下 INF 模板：

[NewRequest]
Subject="CN=<subject>"
KeyAlgorithm=ECDH_secP384r1
ProviderName="Microsoft Software Key Storage Provider"
KeyLength=384
Exportable=True
MachineKeySet=false
KeyUsage=0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

并运行命令：

certreq -new path\inffile.inf path\outrequest.req

输出请求文件可以提交给CA服务器。

或者，您可以使用新自签名证书PowerShell cmdlet 用于创建自签名证书。语法如下：

New-SelfSignedCertificate -Subject "CN=<Subject>" `
-KeyAlgorithm ECDH_secP384r1 `
-CertStoreLocation cert:\currentuser\my `
-KeyExportPolicy Exportable `
-Type SSLServerAuthentication
<...>

如果需要，提供其他参数。

Answer

OpenSSL 中完全不需要。如果可以使用 Microsoft CA，请使用它来请求证书（通过证书 MMC 管理单元）。要使用外部 CA，可以使用certreq.exe工具创建证书请求。创建以下 INF 模板：

[NewRequest]
Subject="CN=<subject>"
KeyAlgorithm=ECDH_secP384r1
ProviderName="Microsoft Software Key Storage Provider"
KeyLength=384
Exportable=True
MachineKeySet=false
KeyUsage=0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

并运行命令：

certreq -new path\inffile.inf path\outrequest.req

输出请求文件可以提交给CA服务器。

或者，您可以使用新自签名证书PowerShell cmdlet 用于创建自签名证书。语法如下：

New-SelfSignedCertificate -Subject "CN=<Subject>" `
-KeyAlgorithm ECDH_secP384r1 `
-CertStoreLocation cert:\currentuser\my `
-KeyExportPolicy Exportable `
-Type SSLServerAuthentication
<...>

如果需要，提供其他参数。

Question 2

要生成 ECC 密钥，您需要使用 OpenSSL。MSFT 目前不支持 Web Apps 中的此位长度。

创建此证书的过程如下：

validhost:~ lamont$ openssl ecparam -genkey -name secp384r1 | openssl ec -out ec384.key
read EC key
writing EC key
validhost:~ lamont$   openssl req -new -key ec384.key -out ec384.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VALID LLC
Organizational Unit Name (eg, section) []:Technology
Common Name (e.g. server FQDN or YOUR name) []:moonlight.social

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
validhost:~ lamont$ cat ec384.csr

获取 CSR 的输出并获取签名的证书。然后运行以下命令将文件转换为与 Azure 兼容的 PFX...：

openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey 
   your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt

Answer

要生成 ECC 密钥，您需要使用 OpenSSL。MSFT 目前不支持 Web Apps 中的此位长度。

创建此证书的过程如下：

validhost:~ lamont$ openssl ecparam -genkey -name secp384r1 | openssl ec -out ec384.key
read EC key
writing EC key
validhost:~ lamont$   openssl req -new -key ec384.key -out ec384.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:VALID LLC
Organizational Unit Name (eg, section) []:Technology
Common Name (e.g. server FQDN or YOUR name) []:moonlight.social

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 
An optional company name []:
validhost:~ lamont$ cat ec384.csr

获取 CSR 的输出并获取签名的证书。然后运行以下命令将文件转换为与 Azure 兼容的 PFX...：

openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey 
   your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt

如何为 Windows Azure Mobile 创建 ECC 证书？

答案1

答案2

相关内容