creating valid test SSL certificates for IIS

Published 2020-07-07 03:37

Question:

I want to test SSL connections in a development environment with IIS. For this I need to create a self-signed root certificate that gets installed in the machine store, and also another certificate that gets signed with the root certificate to install in IIS.

Doing it with makecert is deprecated now, so I am wondering how to do it with PowerShell and the New-SelfSignedCertificate command.

Bonus points if you get the key usage settings right :-)

Note: using the self-signed certificates directly in IIS does not work, since the browser and WCF consider them invalid.


For reference, here is how to do it with makecert:

# create the self signed root certificate 
makecert -n "CN=root.lan" -r -sv root.pvk root.cer

# create the certificate for IIS that gets signed with the root certificate 
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe

# convert to other formats 
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx

Answer 1:

The new version of New-SelfSignedCertificate, which is included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information.

The documentation and the examples could still seem not clear enough for creating two certificates:

  • one self-signed certificate, which will be used as the CA certificate from your example
  • the second SSL certificate, which is signed with the first certificate.

The implementation could be the following (I wrote the options below on multiple lines only to make the text more readable):

# Root certificate: RSA 4096, SHA-384, valid 10 years, key usage DigitalSignature + CertSign.
# The trailing backtick is the PowerShell line-continuation character, so this runs as one command.
New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096 `
    -Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE" `
    -KeyUsage DigitalSignature,CertSign -NotAfter (get-date).AddYears(10) `
    -CertStoreLocation "Cert:\CurrentUser\My" -Type Custom

The output will look like:

    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
B7DE93CB88E99B01D166A986F7BF2D82A0E541FF  CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE

The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for using the certificate for signing. If you forget the value, you can find it by CN name:

dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"

or by using certutil.exe -user -store My to display the certificates in the My store of the current user.

To create the SSL certificate and sign it with the previously created certificate, one can do, for example, the following:

# Server certificate signed by the root above (-Signer points at the root's thumbprint in the store).
# 2.5.29.37 = Extended Key Usage (server auth + client auth); 2.5.29.17 = Subject Alternative Name.
New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org" `
    -HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage KeyEncipherment,DigitalSignature `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")

It seems to me that the final certificate will have all the required properties. It's clear that the values of many of the above parameters are examples only, and you have to modify them based on your requirements. I don't describe here some other common steps like importing the root certificate into Trusted Root, exporting the certificates and so on. These steps are not part of your main question.
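The following script is an added example, not code from the question or the answer above. It carries the two-certificate procedure through end to end on an elevated PowerShell session (Windows 10 / Server 2016 or later, where New-SelfSignedCertificate supports -Signer and -TextExtension): a root with a Basic Constraints extension that marks it as a CA (the answer's root lacks one, and some chain builders reject a signer without it), a server certificate with only the Server Authentication EKU and a SAN, export of the root's public part into the machine's Trusted Root store, export of the server certificate as PFX, and a chain check with Test-Certificate. The subject names, host names, output folder, "Default Web Site" binding and the use of the WebAdministration module are assumptions for illustration; the extension strings use the certreq-style {text} syntax the answer also uses.

```powershell
# Added example (not the original poster's or answerer's code). Run elevated.
# Assumed values: subject names, host names, output folder, IIS site name.
$ErrorActionPreference = 'Stop'
$outDir   = 'C:\certs'      # assumed output folder
$leafHost = 'localhost'     # assumed host name the IIS site will answer on
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA. Key usage restricted to signing; Basic Constraints (OID 2.5.29.19)
#    says CA=true with pathlength=0, so it can sign end-entity certs but no sub-CAs.
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=Dev Test Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm sha256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0')

# 2. Server certificate signed by the root. DigitalSignature + KeyEncipherment,
#    EKU (2.5.29.37) = Server Authentication only, SAN from -DnsName (browsers
#    ignore the CN and require a SAN), explicit CA=false.
$leaf = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$leafHost" `
    -DnsName $leafHost, "$leafHost.lan" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1',
                     '2.5.29.19={text}CA=false')

# 3. Trust the root on this machine: export only its public part (.cer, no key)
#    and import it into the machine's Trusted Root store.
$rootCer = Join-Path $outDir 'dev-root.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Export the server certificate with its private key as PFX for IIS or other
#    hosts. The password is prompted rather than stored in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $leaf -FilePath (Join-Path $outDir "$leafHost.pfx") `
    -Password $pfxPassword | Out-Null

# 5. Verify: chain builds to a trusted root, EKU includes Server Authentication,
#    and the host name matches the SAN. Test-Certificate returns $true/$false.
$ok = Test-Certificate -Cert $leaf -Policy SSL -DNSName $leafHost -EKU '1.3.6.1.5.5.7.3.1'
if (-not $ok) { throw "Server certificate $($leaf.Thumbprint) failed chain/EKU/name validation" }

# Show the key usage and EKU that actually landed in the certificate.
$ku  = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$eku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
"Key usage : $($ku.KeyUsages)"
"EKU       : $(($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ')"

# 6. (Assumed) bind the certificate to the default IIS site on port 443 using the
#    WebAdministration module's IIS: drive.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $leaf | Out-Null
}
"Bound $($leaf.Thumbprint) to https://$leafHost/"
```

The root's private key is the sensitive part of this setup: it stays in Cert:\LocalMachine\My and only the .cer (public key) is imported into Trusted Root, so a machine that trusts this root cannot be used to mint further certificates with it. Step 5 is the check worth keeping: if Test-Certificate returns $false, browsers and WCF will reject the certificate for the same reason (missing SAN, wrong EKU, untrusted root), and the failure is visible before IIS is touched.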