PowerShell: unable to load private key exported from New-SelfSignedCertificate


  1. I have been trying to create a root CA and an intermediate CA on Windows 10 with PowerShell, to sign certificates with.
  2. When I try to inspect QA1KeyCARoot.key I get an error that the private key cannot be loaded.

Questions:

  1. Is this the correct way to extract the key from the pfx file using PowerShell? The pfx should contain the root CA's certificate and private key.

    $CertRootCAFilePFX = Export-PfxCertificate -Cert Cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword

  2. How do I get the chain in PEM from the command?

Thanks

Root certificate
$RootCA = New-SelfSignedCertificate -Subject 'CN=KeyCARootCN,O=Test Organisation, OU=Test RootCA,C=AU' -KeyLength 2048 -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(40) -KeyUsageProperty All -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=5") -CertStoreLocation Cert:\LocalMachine\My
$RootCA
$RootCAthumbprint = $RootCA.Thumbprint

$CertRootCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertRootCAFilePFX = Export-PfxCertificate -Cert Cert:\LocalMachine\My\$RootCAthumbprint -FilePath C:\Users\KeyCARoot.pfx -Password $CertRootCAPassword
$CertRootCAFileCER = Export-Certificate -Cert $RootCA -FilePath C:\Users\KeyCARoot.cer
$CertRootCAFileCER
$CertRootCAPath = 'C:\Users\KeyCARoot.cer'
Import-Certificate -FilePath C:\Users\KeyCARoot.cer -CertStoreLocation Cert:\LocalMachine\Root
Intermediate CA
$InterCA = New-SelfSignedCertificate -Subject 'CN=KeyInterCARootCN,O=Test Organisation, OU=Test InterCA,C=AU' -Signer $RootCA -KeyLength 2048 -HashAlgorithm 'SHA256' -KeyExportPolicy Exportable -KeyUsage KeyEncipherment,DataEncipherment,CertSign,DigitalSignature,CRLSign -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(35) -KeyUsageProperty Sign -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=0") -CertStoreLocation Cert:\LocalMachine\My
$InterCAthumbprint = $InterCA.Thumbprint

$CertInterCAPassword = ConvertTo-SecureString -String "Test123" -Force -AsPlainText
$CertInterCAFilePFX = Export-PfxCertificate -Cert Cert:\LocalMachine\My\$InterCAthumbprint -FilePath C:\Users\KeyInterCARoot.pfx -Password $CertInterCAPassword
$CertInterCAFileCER = Export-Certificate -Cert $InterCA -FilePath C:\Users\KeyInterCARoot.cer
$CertInterCAFileCER
Import-Certificate -FilePath C:\Users\KeyInterCARoot.cer -CertStoreLocation Cert:\LocalMachine\CA

Then

openssl pkcs12 -in KeyCARoot.pfx -nocerts -nodes  -passin pass:Test123 | sed -ne "/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p" > KeyCARoot.key
openssl pkcs12 -in KeyInterCARoot.pfx -nocerts -nodes -passin pass:Test123 | sed -ne "/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p" > KeyInterCARoot.key
openssl x509 -inform der -in KeyCARoot.cer -out KeyCARoot.pem
openssl x509 -inform der -in KeyInterCARoot.cer -out KeyInterCARoot.pem

Running the following:

openssl rsa -modulus -noout -in KeyCARoot.key
openssl : unable to load Private Key
At line:1 char:1
openssl rsa -modulus -noout -in KeyCARoot.key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo          : NotSpecified: (unable to load Private Key:String) [], RemoteException
FullyQualifiedErrorId : NativeCommandError
8924:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY

I have removed the Bag Attributes from the .key file:

Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00 
friendlyName: te-3737d2a6-b5dc-4d63-b680-68a42d8080a0
Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10 
-----BEGIN PRIVATE KEY-----
....
...
-----END PRIVATE KEY-----

Use the answer I found here earlier to create your root and intermediate CA certificates, then export the PKCS#12 (.pfx) file as you did above:

$RootCAthumbprint = $RootCA.Thumbprint
$CertRootCAPassword = ConvertTo-SecureString -String 'Test123' -Force -AsPlainText
$CertRootCAFilePFX = Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$RootCAthumbprint" -FilePath .\KeyCARoot.pfx -Password $CertRootCAPassword
$CertRootCAFileCER = Export-Certificate -Cert $RootCA -FilePath .\KeyCARoot.cer
$CertRootCAFileCER
$CertRootCAPath = '.\KeyCARoot.cer'
Import-Certificate -FilePath .\KeyCARoot.cer -CertStoreLocation Cert:\LocalMachine\Root

Then extract the unencrypted RSA private key with OpenSSL like this:

& "C:\Program Files\OpenSSL\1.1.1h\bin\openssl.exe" pkcs12 -nocerts -nodes -in .\KeyCARoot.pfx -out .\KeyCARoot.key -passin pass:Test123

Once the unencrypted RSA private key has been extracted, you can call OpenSSL rsa to get the modulus:

& "C:\Program Files\OpenSSL\1.1.1h\bin\openssl.exe" rsa -modulus -noout -in .\KeyCARoot.key

No errors, and that is with the Bag Attributes still included!
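As an added example that is not part of the question or the answer above, the PowerShell below covers the second point the asker raised (getting the chain out in PEM) and adds the check people usually want the modulus for: confirming that the extracted key belongs to the certificate. It assumes the store locations, file names and password from the post (`KeyCARoot`, `KeyInterCARoot`, `Test123`), that the root has been imported into `Cert:\LocalMachine\Root`, and that `openssl.exe` is on PATH; the function names are mine. One caveat worth knowing when reproducing the original failure: in Windows PowerShell 5.1 the `>` redirection writes UTF-16LE text, which OpenSSL does not recognise as PEM and reports as "no start line", so the script writes PEM with `Set-Content -Encoding Ascii` and lets OpenSSL write the key file itself with `-out` instead of piping it through `sed`.

```powershell
# Added example (not from the post): export the PEM chain for the intermediate CA and
# check that the extracted root key belongs to the root certificate.
# Assumptions: the root and intermediate from the post are in Cert:\LocalMachine\My,
# the root is trusted in Cert:\LocalMachine\Root, KeyCARoot.pfx / KeyCARoot.cer /
# KeyInterCARoot.cer sit in the current directory, the PFX password is Test123,
# and openssl.exe is on PATH. Function names are this example's own.

$PfxPassword = 'Test123'   # password used when the PFX was exported

function Invoke-OpenSsl {
    # Run openssl.exe with the given arguments, return stdout, fail on a non-zero exit code.
    param([Parameter(Mandatory)][string[]] $Arguments)
    $out = & openssl @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    $out
}

function ConvertTo-CertificatePem {
    # Wrap DER certificate bytes as PEM: 64-character base64 lines with LF endings.
    param([Parameter(Mandatory)][byte[]] $Der)
    $b64  = [Convert]::ToBase64String($Der)
    $body = [regex]::Replace($b64, '.{1,64}', "`$0`n")
    "-----BEGIN CERTIFICATE-----`n$body-----END CERTIFICATE-----`n"
}

function Get-ChainPem {
    # Build the chain with the Windows chain engine and return it as one PEM string,
    # leaf first and root last, which is the order openssl and most servers expect.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A lab CA publishes no CRL, so revocation checking would always fail; skip it.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain build failed for $($Cert.Subject): $status"
    }
    ($chain.ChainElements | ForEach-Object { ConvertTo-CertificatePem $_.Certificate.RawData }) -join ''
}

# 1. Find the intermediate CA by the subject used in the post.
$InterCA = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=KeyInterCARootCN*' } |
    Select-Object -First 1
if (-not $InterCA) { throw 'Intermediate CA not found in Cert:\LocalMachine\My' }

# 2. Write the chain as ASCII. Windows PowerShell's '>' redirection writes UTF-16LE,
#    which OpenSSL cannot parse and reports as "no start line".
Get-ChainPem $InterCA | Set-Content -Path .\KeyInterCAChain.pem -Encoding Ascii -NoNewline

# 3. Let OpenSSL write the key file itself rather than piping PEM through PowerShell.
Invoke-OpenSsl @('pkcs12', '-in', '.\KeyCARoot.pfx', '-nocerts', '-nodes',
                 '-out', '.\KeyCARoot.key', '-passin', "pass:$PfxPassword") | Out-Null
Invoke-OpenSsl @('x509', '-inform', 'der', '-in', '.\KeyCARoot.cer', '-out', '.\KeyCARoot.pem') | Out-Null
Invoke-OpenSsl @('x509', '-inform', 'der', '-in', '.\KeyInterCARoot.cer', '-out', '.\KeyInterCARoot.pem') | Out-Null

# 4. An RSA key belongs to a certificate exactly when their moduli are identical.
$keyMod  = (Invoke-OpenSsl @('rsa',  '-noout', '-modulus', '-in', '.\KeyCARoot.key')) -replace '\s', ''
$certMod = (Invoke-OpenSsl @('x509', '-noout', '-modulus', '-in', '.\KeyCARoot.pem')) -replace '\s', ''
if ($keyMod -ne $certMod) { throw 'KeyCARoot.key does not belong to KeyCARoot.pem' }
Write-Host 'KeyCARoot.key matches KeyCARoot.pem'

# 5. Confirm the intermediate chains to the root, as a relying party would.
Invoke-OpenSsl @('verify', '-CAfile', '.\KeyCARoot.pem', '.\KeyInterCARoot.pem')
```

`KeyInterCAChain.pem` ends up with the intermediate first and the root last; drop the final block if the consumer (for example a web server's certificate-chain file) wants the root omitted. The modulus comparison in step 4 is the same test the asker was running by hand, only with both halves printed by OpenSSL and compared in one place.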
