使用PowerShell调查证书提供程序时,我注意到所有路径都似乎相似,但与certmgr中的文件夹结构不完全相同。很明显:
话虽如此,我仍然可以使用PowerShell来完成这个任务:
Certs:\LocalMachine ~= Certificates (Local Computer)
Certs:\CurrentUser ~= Certificates - Current User
我还猜测:
Root ~= Trusted Root Certification Authority
My ~= Personal
WebHosting ~= WebHosting
...
但是我一直无法找到任何官方参考资料(甚至是合理的解释),来给我带来我所期望的温馨感觉...
我的目的是在本地测试一个https WCF服务(服务器和客户端都需要测试)。我可以使用New-SelfSignedCertificate轻松生成服务器所需的自签名证书。然而,如果我尝试将我的客户端(也是.NET)指向该服务,则由于服务提供了一个不受信任的证书,连接失败。
我发现了一些过时的参考资料(比如this one),这些资料展示了如何使用makecert(现已被弃用)和certmgr来生成一个证书颁发机构,然后使用它来签署我的https服务证书,并将证书颁发机构证书安装到信任的根证书颁发机构容器中,以使所有东西都能正常工作。虽然这种方法可能有效,但肯定不够开发/自动化友好。话虽如此,我仍然可以使用PowerShell来完成这个任务:
$my_cert_store_location = "Cert:\LocalMachine\My"
$root_cert_store_location = "Cert:\LocalMachine\Root"
$root_friendly_name = "Test Root Authority"
$root_cert_subject = "CN=$($root_friendly_name)"
# The ip and port you want to reserve for your app
$ipport = "127.0.0.11:8734"
# Your app guid (found in ApplicationInfo.cs)
$appid = "{f77c65bd-d592-4a7b-ae32-cab24130fdf6}"
# Your dns name
$dns_name = "my-machine-local"
$rebuild_root_cert = $false
$root_cert = Get-ChildItem $my_cert_store_location |
Where-Object {$_.SubjectName.Name.Equals($root_cert_subject)}
if ($root_cert -and $rebuild_root_cert)
{
Get-ChildItem $root_cert_store_location |
Where-Object {$_.SubjectName.Name.Equals($root_cert_subject)} |
Remove-Item
Remove-Item $root_cert
$root_cert = $false
}
if (-not $root_cert)
{
$root_cert = New-SelfSignedCertificate `
-Type Custom `
-FriendlyName $root_friendly_name `
-HashAlgorithm sha384 `
-KeyAlgorithm RSA `
-KeyLength 4096 `
-Subject $root_cert_subject `
-KeyUsage DigitalSignature, CertSign `
-NotAfter (Get-Date).AddYears(20) `
-CertStoreLocation $my_cert_store_location
Write-Output "Created root cert: $($root_cert.Thumbprint)"
$exported_cert = New-TemporaryFile
Export-Certificate -Cert $root_cert -FilePath $exported_cert.FullName
$imported_root_cert = Import-Certificate -FilePath $exported_cert.FullName `
-CertStoreLocation $root_cert_store_location
Write-Output "Imported root cert to: $($root_cert_store_location)\$($imported_root_cert.Thumbprint)"
}
Write-Output "Root cert is: $($root_cert.Thumbprint)"
$test_signed_cert_subject = "CN=$($dns_name)"
$test_signed_cert = Get-ChildItem $my_cert_store_location |
Where-Object {$_.SubjectName.Name.Equals($test_signed_cert_subject)}
if (-not $test_signed_cert)
{
$test_signed_cert = New-SelfSignedCertificate `
-Type Custom `
-Subject $test_signed_cert_subject `
-FriendlyName $dns_name `
-Signer $root_cert `
-CertStoreLocation $my_cert_store_location
Write-Output "Created signed cert: $($test_signed_cert.Thumbprint)"
}
Write-Output "Signed cert is: $($test_signed_cert.Thumbprint)"
if ($test_signed_cert)
{
netsh http delete sslcert `
ipport="$($ipport)"
netsh http add sslcert `
ipport="$($ipport)" `
appid="$($appid)" `
certstorename="My" `
certhash="$($test_signed_cert.Thumbprint)"
Write-Output "Assigned signed cert to: $($ipport)"
}
但问题仍然存在... 有关证书提供者路径如何映射到certmgr文件夹的任何信息吗?