Using makecert for Development SSL

前端 未结 2 1370
[愿得一人]
[愿得一人] 2020-11-27 09:07

Here\'s my situation:

I\'m trying to create a SSL certificate that will be installed on all developer\'s machine\'s, along with two internal servers (everything is n

相关标签:
2条回答
  • 2020-11-27 09:53

    Here are my scripts for doing this:

    Create Certificate Authority

    Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-r), for signing (-sky signature). The private key is written to a file (-sv).

    makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
             -a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
    

    (^= allow batch command-line to wrap line)

    Create Server Certificate

    Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange). It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1). The issuing certificate is in a file (-ic), as is the key (-iv). Use a particular crypto provider (-sp, -sy).

    makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
             -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
             -sp "Microsoft RSA SChannel Cryptographic Provider" ^
             -sy 12 -sv server.pvk server.cer
    
    pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
    

    You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.

    To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:

    certutil -user -addstore Root CA.cer
    

    To programmatically install the certificate in IIS 6.0, look at this Microsoft KB article. For IIS 7.0, I don't know.

    0 讨论(0)
  • 2020-11-27 09:56

    You should add -cy authority to the switches when creating the cert authority, otherwise some cert stores won't see it as a proper CA.

    0 讨论(0)
提交回复
热议问题