Setting Key Usage attributes with Makecert

故里飘歌 2021-02-18 21:43

Is it possible to set Key Usage attributes using makecert, or any other tool I can use to generate my own test certificates?

The reason I'm interested is that certifica

4 answers
  • 2021-02-18 22:21

    While you cannot make a self-signed cert and set the Enhanced Key Usage parameters using makecert, I thought I'd save everyone the trouble of trying to go down the path of using OpenSSL to generate a cert on Windows. Instead, you can use certreq (which is available if you already have makecert) and fashion your own request to set the required parameters.

    For example, this sets up a cert with an EKU of Document Encryption (1.3.6.1.4.1.311.80.1) and key usages of Key Encipherment and Data Encipherment.

    Create a new file, MyCert.inf:

    [Version]
    Signature = "$Windows NT$"
    
    [Strings]
    szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
    szOID_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"
    
    [NewRequest]
    Subject = "cn=me@example.com"
    MachineKeySet = false
    KeyLength = 2048
    KeySpec = AT_KEYEXCHANGE
    HashAlgorithm = Sha1
    Exportable = true
    RequestType = Cert
    
    KeyUsage = "CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_DATA_ENCIPHERMENT_KEY_USAGE"
    ValidityPeriod = "Years"
    ValidityPeriodUnits = "1000"
    
    [Extensions]
    %szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_DOCUMENT_ENCRYPTION%"
    

    Just set the Subject to whatever you need.

    Then run:

    certreq -new MyCert.inf MyCert.cer
    

    This will generate the public key (X509 cert) and install it to your Current User personal store on the machine. You can export it from there if you want.

    I used this to generate a certificate for encrypting PowerShell DSC, for testing.

    For more details: https://technet.microsoft.com/en-us/library/dn296456.aspx#BKMK_New

  • 2021-02-18 22:22

    MakeCert doesn't let you specify key usage, only extended key usage. I think you need a CA to create a broader certificate.

    You can set up your own CA with Ubuntu Server. https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

  • 2021-02-18 22:27

    You can use the -eku option to specify the key usage to your certificate.

    See details here: http://msdn.microsoft.com/en-us/library/aa386968(VS.85).aspx

  • 2021-02-18 22:37

    Digital Signature, Data Encipherment and Key Encipherment can be added by using the PowerShell cmdlet New-SelfSignedCertificate. One of the New-SelfSignedCertificate parameters is KeyUsage, where you can add DigitalSignature, DataEncipherment and KeyEncipherment.

    New-SelfSignedCertificate is described on technet (https://technet.microsoft.com/library/hh848633)

    Sample:

    New-SelfSignedCertificate -Type Custom -Subject "CN=sample.com" -KeyUsage DataEncipherment, KeyEncipherment, DigitalSignature -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1") -CertStoreLocation "Cert:\CurrentUser\My"
    

    The sample covers client authentication and server authentication and creates the certificate at the current user store under my.

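
Key Usage (OID 2.5.29.15) and Enhanced Key Usage (OID 2.5.29.37) are separate extensions, so it is worth reading both back from a generated test certificate before relying on it. The following is an added example, not part of any answer above: `Get-CertUsage` and `Test-CertUsage` are hypothetical helper names, and the certificate is created with the parameters from the New-SelfSignedCertificate sample, checked, and then removed from the store.

```powershell
# Added example: read back Key Usage (2.5.29.15) and EKU (2.5.29.37) from a certificate.
# Get-CertUsage and Test-CertUsage are hypothetical helper names, not built-in cmdlets.
function Get-CertUsage {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ku  = $Cert.Extensions['2.5.29.15']   # $null when the extension is absent
    $eku = $Cert.Extensions['2.5.29.37']   # $null when the extension is absent

    [pscustomobject]@{
        Subject          = $Cert.Subject
        KeyUsage         = if ($ku) { $ku.KeyUsages } else { $null }
        KeyUsageCritical = if ($ku) { $ku.Critical }  else { $null }
        EkuOids          = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object Value })
    }
}

function Test-CertUsage {
    param([Parameter(Mandatory)]$Usage,
          [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$ExpectedKeyUsage,
          [string[]]$ExpectedEku = @())

    # Key Usage must be present and equal to the expected flag set (no extra bits).
    $kuOk  = ($null -ne $Usage.KeyUsage) -and ($Usage.KeyUsage -eq $ExpectedKeyUsage)
    # EKU OIDs are compared as sets, so their order in the extension does not matter.
    $ekuOk = (($Usage.EkuOids | Sort-Object) -join ',') -eq (($ExpectedEku | Sort-Object) -join ',')
    $kuOk -and $ekuOk
}

# Demo: same parameters as the New-SelfSignedCertificate sample on this page.
$cert = New-SelfSignedCertificate -Type Custom -Subject "CN=sample.com" `
    -KeyUsage DataEncipherment, KeyEncipherment, DigitalSignature `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1") `
    -CertStoreLocation "Cert:\CurrentUser\My"
try {
    $usage = Get-CertUsage -Cert $cert
    $usage | Format-List
    $ok = Test-CertUsage -Usage $usage `
        -ExpectedKeyUsage 'DataEncipherment, KeyEncipherment, DigitalSignature' `
        -ExpectedEku '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
    if (-not $ok) { throw "Key Usage / EKU do not match what was requested" }
} finally {
    # Remove the throwaway test certificate from the current user store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
}
```

`Get-CertUsage` accepts any `X509Certificate2`, so the certificate installed by the `certreq -new MyCert.inf MyCert.cer` step can be checked the same way by passing the matching item from `Cert:\CurrentUser\My`.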