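Currently, to generate a PFX certificate, I use openssl and:
This process is very long, and I believe I am wasting a lot of time.
Can anyone let me know a faster way to get a certificate chain (pfx) signed by an internal Microsoft CA?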

Right, so I wrote it.
I still believe there is a simpler way with certreq and PowerShell, but here is a bash script. Requirements: Cygwin, standard UNIX tools, clip, openssl
Script:

```bash
#!/bin/bash
# Path to Internet Explorer; adjust for 32-bit Windows.
iexplore='/cygdrive/c/Program Files (x86)/Internet Explorer/iexplore.exe'

printf "\033c"   # clear the terminal
echo -e "This function automates IIS7 certificate generation for <YourCompany>"
type openssl > /dev/null 2>&1 || {
    echo "Cannot find OpenSSL, it is required to generate certificates. Aborting..." 1>&2
    exit 1
}
openssl version
echo -e "\n"

read -r -p "What is the server hostname (NOT FQDN!): " Hostname
# Only letters and digits are accepted, which also keeps the value safe to
# embed in the OpenSSL config and in the file names below.
if [[ $Hostname =~ ^[A-Za-z0-9]+$ ]]; then
    echo -e "Server name:\t$Hostname\nFQDN:\t\t$Hostname.<yourDomain>\n"
else
    echo "$Hostname doesn't look quite right... Exiting"
    sleep 3
    exit 1
fi

mkdir -p ~/Desktop/certs_temp > /dev/null 2>&1
cd ~/Desktop/certs_temp || exit 1

# Write the request configuration used for the CSR.
cat > openssl.cfg <<EOF
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$Hostname

[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = NSW
localityName = Sydney
0.organizationName = <OrgName>
organizationalUnitName = <OrgUName>
commonName = $Hostname.<YourDomain>
EOF

# Generate the key pair and CSR, then re-export the key as openssl.key.
# The key is written unencrypted (-nodes), so certs_temp holds a plaintext private key.
openssl req -out openssl.csr -new -newkey rsa:2048 -nodes -keyout pk.key -config openssl.cfg > /dev/null 2>&1
openssl rsa -in pk.key -out openssl.key > /dev/null 2>&1
rm pk.key

echo -e "Now, upload this Certificate Signing Request to the Internal Certificate Authority: \n\t- The CSR content has been copied into your clipboard\n\t- You do not require to set any subject alternate name\n\t- Once submitted, open \"Certificate Authority\" via MMC (<ServerName>), issue pending certificate and export it (Open / Details / Copy To File) Base64 to ~/Desktop/certs_temp/openssl.cer\n"

# Open the CA web enrollment page and put the CSR on the clipboard.
"$iexplore" "https://<ServerName>/certsrv/certrqxt.asp"
clip < openssl.csr

read -r -p "Press [Enter] when openssl.cer certificate has been placed in ~/Desktop/certs_temp"

if [ -f 'openssl.cer' ]; then
    # Build the PEM bundle: private key, issued certificate, intermediate, root.
    cat openssl.cer >> openssl.key
    cat >> openssl.key <<'EOF'

-----BEGIN CERTIFICATE-----
<CompanyIntermediate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CompanyRoot>
-----END CERTIFICATE-----
EOF
    mv openssl.key "$Hostname.pem"
    echo "Converting PEM Chain certificate to PKCS#12 (.pfx)"
    # openssl prompts for the export password that protects the .pfx.
    openssl pkcs12 -export -out "$Hostname.pfx" -in "$Hostname.pem"
    explorer .
else
    echo "Cannot find openssl.cer in ~/Desktop/certs_temp... Exiting"
    sleep 3
    exit 1
fi
```
Note: You must change the Internet Explorer path for 32-bit Windows, and you must replace the <ServerName>-specific placeholders.
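
A pre-flight check that could run before the script's PKCS#12 step, as an added example that is not part of the original answer: it confirms that the certificate exported from the CA matches the local private key and that it verifies against the chain to be bundled. The function name `preflight_pfx`, its return codes, and a separate `chain.pem` file holding the intermediate and root certificates are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original answer): checks to run before
# "openssl pkcs12 -export". Return codes are this example's own convention:
#   0 = ok, 2 = unreadable input, 3 = cert/key mismatch, 4 = chain failure.
preflight_pfx() {
    local cert=$1 key=$2 chain=$3 cert_pub key_pub

    # Extract the public key from both files in the same PEM form.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 2; }
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2

    # The CA signs the public key taken from the CSR, so it must equal the
    # public half of the local private key; a certificate exported for a
    # different pending request would fail here.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate does not match private key" >&2; return 3
    fi

    # The issued certificate must chain to the intermediate/root certificates
    # that are about to be bundled with it (chain.pem is an assumed file name).
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against $chain" >&2; return 4
    fi
    return 0
}

# Usage: ./preflight.sh openssl.cer openssl.key chain.pem
if [ "$#" -eq 3 ]; then
    preflight_pfx "$@"
fi
```

In the script above, the check would go right after the `[ -f 'openssl.cer' ]` test and before the certificate is appended to `openssl.key`.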