Self-signed certificate notes with New-SelfSignedCertificate

Notes on the self-signed certificate command (New-SelfSignedCertificate), kept for future reference.

Why generate a self-signed certificate

  • System testing during development.

  • Internal applications that are not exposed to the public but still need a certificate.

Overview of the New-SelfSignedCertificate command

The official specification comes first; this command has so many parameters that reading through them makes your head spin.

New-SelfSignedCertificate command reference

Remember to run this command as an administrator. Its default parameters are all set up to create an SSL self-signed certificate for an IIS website, for example the following command with only the Subject parameter:

PS> New-SelfSignedCertificate -Subject MyTestSSLCert

This creates an SSL self-signed certificate whose Subject is “MyTestSSLCert” and stores it in the local machine certificate store under 'Personal' and 'Intermediate Certification Authorities'. The certificate details are as follows:

  • Version 3 (V3) certificate

  • Subject: MyTestSSLCert

  • Signature algorithm: sha256RSA, 2048 bit

  • Validity: one year by default

  • Stored in: local machine store, 'Personal' and 'Intermediate Certification Authorities'

  • Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1).

  • Key Usage: Digital Signature, Key Encipherment (a0)
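To confirm that a certificate created with the default type really carries the properties listed above, here is an added PowerShell snippet (not part of the original notes) that creates the certificate and reads its extensions and store locations back. The store path Cert:\CurrentUser\My is an assumption chosen so the check also works without elevation.

```powershell
# Added example (not from the original notes): create a certificate with the default type
# (SSLServerAuthentication) and read its properties back to confirm the list above.
# Assumption: Cert:\CurrentUser\My is used so the example also works in a non-elevated session.
$cert = New-SelfSignedCertificate -Subject 'MyTestSSLCert' -CertStoreLocation 'Cert:\CurrentUser\My'

# Version, subject, signature algorithm, key size and validity period
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
"Version        : V{0}"       -f $cert.Version
"Subject        : {0}"        -f $cert.Subject
"Signature alg. : {0}"        -f $cert.SignatureAlgorithm.FriendlyName
"Key size       : {0} bit"    -f $rsa.KeySize
"Validity       : {0} -> {1}" -f $cert.NotBefore, $cert.NotAfter

# Enhanced Key Usage (OID 2.5.29.37): expect client auth 1.3.6.1.5.5.7.3.2 and server auth 1.3.6.1.5.5.7.3.1
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
foreach ($oid in $eku.EnhancedKeyUsages) { "EKU            : {0} ({1})" -f $oid.FriendlyName, $oid.Value }

# Key Usage (OID 2.5.29.15): expect DigitalSignature, KeyEncipherment
$ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
"Key usage      : {0}" -f $ku.KeyUsages

# Where did it land? Look the thumbprint up in the Personal and Intermediate CA stores.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\CA') {
    $found = Get-ChildItem $store | Where-Object Thumbprint -eq $cert.Thumbprint
    "{0,-22} : {1}" -f $store, [bool]$found
}
```

Replace CurrentUser with LocalMachine in an elevated session to check the stores the notes above refer to.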

Key parameters of New-SelfSignedCertificate

After trying the command several times, these are the parameters I consider most important:

-Type <CertificateType>

Specifies the type of certificate that this cmdlet creates. The acceptable values for this parameter are:

  • CodeSigningCert

  • Custom --- Note: must be used together with the -TextExtension parameter.

  • DocumentEncryptionCert

  • DocumentEncryptionCertLegacyCsp

  • SSLServerAuthentication (default)

-Subject <String>

Specifies the string that appears in the subject of the new certificate. This cmdlet prefixes CN= to any value that does not contain an equal sign. For multiple subject relative distinguished names (also known as RDNs), separate each subject relative distinguished name with a comma (,). If the value of the relative distinguished name contains commas, separate each subject relative distinguished name with a semicolon (;).

-DnsName <String[]>

PS> New-SelfSignedCertificate -DnsName "www.fabrikam.com","www.contoso.com" -CertStoreLocation "cert:\LocalMachine\My"

This example creates a self-signed SSL server certificate in the computer MY store with the subject alternative name set to www.fabrikam.com, www.contoso.com and Subject and Issuer name set to www.fabrikam.com.

-CertStoreLocation <String>

Note: the location can only be set to My; afterwards, use the 'Manage computer certificates' tool to add the certificate manually to the trusted store.
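The manual step in the note above can also be scripted. The following is an added PowerShell snippet (not from the original post) that copies only the public certificate from LocalMachine\My into the local machine's Trusted Root store and verifies the result; the subject name and temporary file path are assumptions, and it must run in an elevated session.

```powershell
# Added example: promote a self-signed certificate from LocalMachine\My to LocalMachine\Root.
# Export-Certificate writes the public certificate only (.cer); the private key never leaves the key store.
# Run elevated. The subject name and temp path are assumptions for this example.
$subject = 'CN=mytest.local'
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq $subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate with subject $subject in LocalMachine\My" }

$cerPath = Join-Path $env:TEMP ('{0}.cer' -f $cert.Thumbprint)
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Only add it if it is not already trusted (idempotent), then remove the temp file.
$already = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $already) {
    Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}
Remove-Item $cerPath

# Verify: the trusted copy exists, carries no private key, and the chain for the original now builds.
$root = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $cert.Thumbprint
"Trusted copy present : {0}" -f [bool]$root
"Trusted copy has key : {0}" -f $root.HasPrivateKey
"Chain builds         : {0}" -f $cert.Verify()
```

Every entry in Root is trusted machine-wide, so remove the entry with Remove-Item on its Cert:\LocalMachine\Root path once the test setup is no longer needed.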

Specifies the certificate store in which to store the new certificate. If the current path is Cert:\CurrentUser or Cert:\CurrentUser\My, the default store is Cert:\CurrentUser\My. If the current path is Cert:\LocalMachine or Cert:\LocalMachine\My, the default store is Cert:\LocalMachine\My. Otherwise, you must specify Cert:\CurrentUser\My or Cert:\LocalMachine\My for this parameter. This parameter does not support other certificate stores.

-KeyExportPolicy <KeyExportPolicy[]>

Specifies the policy that governs the export of the private key that is associated with the certificate. The acceptable values for this parameter are:

  • Exportable

  • ExportableEncrypted (default)

  • NonExportable

-KeyUsage <KeyUsage[]>

Specifies the key usages set in the key usage extension of the certificate. The acceptable values for this parameter are:

  • CertSign

  • CRLSign

  • DataEncipherment

  • DecipherOnly

  • DigitalSignature

  • EncipherOnly

  • KeyAgreement

  • KeyEncipherment

  • None (default) --- equivalent to placing no restriction on usage.

  • NonRepudiation

-NotAfter <DateTime> and -NotBefore <DateTime>

Specify the validity period.

PS> New-SelfSignedCertificate `
 -Type Custom `
 -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=pattifuller@contoso.com") `
 -Container test* `
 -Subject "CN=Patti Fuller" `
 -KeyUsage DigitalSignature `
 -KeyAlgorithm RSA `
 -KeyLength 2048 `
 -NotAfter (Get-Date).AddMonths(6)

This example creates a self-signed client authentication certificate in the user MY store. The certificate uses the default provider, which is the Microsoft Software Key Storage Provider. The certificate uses an RSA asymmetric key with a key size of 2048 bits. The subject alternative name is pattifuller@contoso.com.

This command specifies a value for NotAfter. The certificate expires in six months.

-TextExtension <String[]>

Must be used together with -Type Custom. Intended for advanced use: it specifies the 'Enhanced Key Usage' (and other extensions), with the values given as OIDs (object identifiers).

Some OID extension names

  • Application Policy. 1.3.6.1.4.1.311.21.10

  • Application Policy Mappings. 1.3.6.1.4.1.311.21.11

  • Basic Constraints. 2.5.29.19

  • Certificate Policies. 2.5.29.32

  • Enhanced Key Usage. 2.5.29.37 ----- the 'Enhanced Key Usage' extension

  • Name Constraints. 2.5.29.30

  • Policy Mappings. 2.5.29.33

  • Subject Alternative Name. 2.5.29.17

Some OID values

  • Client Authentication (1.3.6.1.5.5.7.3.2)

  • Server Authentication (1.3.6.1.5.5.7.3.1)

  • Encrypting File System (1.3.6.1.4.1.311.10.3.4)

  • Document Encryption (1.3.6.1.4.1.311.80.1)
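Putting the -Type Custom / -TextExtension combination and the OIDs above to work: an added example (not from the original notes) that issues an internal server certificate limited to Server Authentication, with two SAN DNS names, a non-exportable key and a six-month lifetime, and then reads the SAN, EKU and key export policy back. The host names and store path are made up for the example.

```powershell
# Added example (not from the original notes): a Custom-type certificate whose EKU and SAN come
# from -TextExtension, using the OIDs listed above:
#   2.5.29.37 = Enhanced Key Usage, 2.5.29.17 = Subject Alternative Name
# Host names and the store path are assumptions made for this example.
$ekuServerAuthOnly = '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
$sanDnsNames       = '2.5.29.17={text}DNS=intranet.test.local&DNS=intranet'

# Server authentication only (no client-auth EKU), non-exportable key, six-month lifetime.
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=intranet.test.local' `
    -TextExtension @($ekuServerAuthOnly, $sanDnsNames) `
    -KeyUsage DigitalSignature,KeyEncipherment `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddMonths(6) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Read the extensions back: the SAN must list both DNS names, the EKU only server authentication.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object Value)
"SAN : {0}" -f $sanExt.Format($false)
"EKU : {0}" -f ($ekuOids -join ', ')
if ($ekuOids -contains '1.3.6.1.5.5.7.3.2') { Write-Warning 'Client Authentication EKU is present but was not requested' }

# Confirm the private key really is non-exportable. Assumes the default Microsoft Software Key
# Storage Provider, where the key object is RSACng and exposes the CNG export policy.
$rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
"Key export policy : {0}" -f $rsaKey.Key.ExportPolicy
```

The export policy line prints None for a non-exportable key; with the default ExportableEncrypted policy it would show AllowExport.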

Command log

Generating an SSL self-signed certificate

PS> New-SelfSignedCertificate -Subject MyTestSSLCert

This creates an SSL self-signed certificate whose Subject is “MyTestSSLCert” and stores it in the local machine certificate store under 'Personal' and 'Intermediate Certification Authorities'.

PS> New-SelfSignedCertificate -Subject MyTestSSLCert | Format-List -Property * 

Same command as above, but piped into Format-List -Property * to display the full details of the result.

PS> New-SelfSignedCertificate -DnsName "mytest.local" -CertStoreLocation "cert:\LocalMachine\My"

This creates an SSL self-signed certificate. Because no commonName (CN) is specified here, the first entry of the -DnsName parameter is used by default as the certificate's subject name (a.k.a. commonName). The -CertStoreLocation parameter is the path of the certificate store.

Generating a self-signed certificate for Data Protection

PS> New-SelfSignedCertificate `
 -Subject aaTestCert19 `
 -Type DocumentEncryptionCert `
 -CertStoreLocation "Cert:\CurrentUser" `
 -KeyExportPolicy NonExportable `
 -NotAfter (Get-Date).AddMonths(120)

  • -Subject: subject name

  • -Type DocumentEncryptionCert: the certificate is intended for document encryption

  • -CertStoreLocation: stored in the CurrentUser\My store

  • -KeyExportPolicy NonExportable: the private key cannot be exported

  • -NotAfter: valid for ten years

Supplement: certificate management tools

Windows 10 ships with two certificate management tools that look almost identical:

  • 'Manage computer certificates' (certlm)

    Manages certificates stored under the local computer (LocalMachine).

  • 'Manage user certificates' (certmgr)

    Manages certificates stored under the current user (CurrentUser).

References

New-SelfSignedCertificate command reference
Creating Certificates with PowerShell
Generating an SSL self-signed certificate for IIS
