How do I create a self-signed certificate with PowerShell?


I used PowerShell on the server to create a self-signed certificate:

New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"

Then I opened mmc:

I expanded the Personal folder, and you can see my localhost certificate there.

I copied it and pasted it into Trusted Root Certification Authorities - Certificates.

After that, I bound the application to it in IIS:

But I still get an error:

How can I solve my problem? Or maybe there is another free solution.

You should copy the certificate to both Personal and Trusted Root Authorities. To set up a self-signed certificate for IIS with PowerShell, the function below should help you.

Run the script as Administrator. If you are on Windows 10 you must install the WebAdministration module first.

#Install-Module -Name 'WebAdministration'

Import-Module -Name WebAdministration

function AddSelfSignedCertificateToSSL([String]$dnsname, [String]$siteName='Default Web Site'){
 # Create the certificate in the machine's Personal store
 $newCert = New-SelfSignedCertificate -DnsName $dnsname -CertStoreLocation Cert:\LocalMachine\My
 # Attach it to the site's existing https binding
 $binding = Get-WebBinding -Name $siteName -Protocol "https"
 if ($null -eq $binding) { throw "Site '$siteName' has no https binding" }
 $binding.AddSslCertificate($newCert.GetCertHashString(), "My")
 $newCertThumbprint = $newCert.Thumbprint

 # Add the same certificate to Trusted Root so this machine trusts it
 $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", LocalMachine
 $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
 $store.Add($newCert)
 $store.Close()
 return $newCertThumbprint
}

Write-Host "Installing self-signed certificate into Cert:\LocalMachine\My and Cert:\LocalMachine\Root .."

$certinstalledThumbprint = AddSelfSignedCertificateToSSL 'someacmeapp.somedomain.net'

Write-Host "Added certificate $certinstalledThumbprint to Cert:\LocalMachine\My and Cert:\LocalMachine\Root and set it up as the SSL certificate on Default Web Site."

Note that modern browsers such as Chrome will complain that the algorithm used in the self-signed certificate is weak and that no third-party certificate authority (GoDaddy etc.) can confirm the certificate's validity, since it is self-signed and its algorithm is weak.

The following commands, run in PowerShell as Administrator, will do the trick:

1.- We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256'  -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

2.- We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256"

3.- We copy the thumbprint returned by the last command

4.- (If necessary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:3002

5.- We associate the new certificate with any ip and your port, 3002 in your case (the appid value is any valid guid):
netsh http add sslcert ipport=0.0.0.0:3002 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint

6.- Now, you must drag and drop the TestRootCA from Personal/Certificates folder to Trusted Root Certification Authorities/Certificates.

These commands also fix the ERR_CERT_WEAK_SIGNATURE_ALGORITHM error that Google Chrome returns later, because the certificate is created with SHA256 instead of SHA1.

The error message is entirely correct. Because it is not a proper certificate, there is no trusted third party to check the certificate and the identity.

@I.tdelinkent Ok thanks, is there another free solution? Or will I always get this message?

Take a look at LetsEncrypt:

@I.tdelinkent - Installing the certificate into the Trusted Root CAs folder on the client machine should normally make it trusted. Although I have always found it a bit of a dark art, it can certainly work with self-signed certificates if set up correctly.

@user10863293 - Are you using a browser on the machine where you installed the certificate to access the site? What hostname did you create the certificate for? What URL do you use to browse to the site?
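As an added example that is not code from the question or either answer, here is a script that follows the second answer's root-plus-leaf approach with the trust tightened: only the root's public certificate goes into Trusted Root, the root's private key is deleted once the leaf is issued, and the leaf is bound to IIS through WebAdministration as in the first answer. The site name, host names and file path are assumptions.

```powershell
# Added example, not code from the question or either answer. Assumes IIS with the
# WebAdministration module, an elevated session, and these names (all assumptions):
#Requires -RunAsAdministrator
Import-Module WebAdministration
$siteName  = 'Default Web Site'
$hostNames = @('localhost', 'dev.local')

# 1. Root CA: CA basic constraint, CertSign/CRLSign only, no server-auth EKU.
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Local Dev Root CA' `
    -KeyUsage CertSign, CRLSign -KeyLength 4096 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(2) -CertStoreLocation Cert:\LocalMachine\My

# 2. Leaf for the web site: SANs for the host names, server-auth EKU, signed by the root.
$leaf = New-SelfSignedCertificate -DnsName $hostNames -Signer $root `
    -KeyUsage DigitalSignature, KeyEncipherment -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddDays(365) -CertStoreLocation Cert:\LocalMachine\My

# 3. Trust only the root's public half: export DER, import into Trusted Root.
#    The leaf stays in My; it never needs to be in Root.
$rootDer = Join-Path $env:TEMP 'local-dev-root.cer'
Export-Certificate -Cert $root -FilePath $rootDer -Type CERT | Out-Null
Import-Certificate -FilePath $rootDer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. The root's private key can sign certificates this machine will trust, so
#    remove it once the leaf is issued (re-run the script to rotate both).
Remove-Item -Path "Cert:\LocalMachine\My\$($root.Thumbprint)" -DeleteKey

# 5. Bind the leaf to the site's https binding, creating the binding if missing.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($leaf.Thumbprint, 'My')

# 6. Verify that the chain builds to the trusted root for the first host name.
$ok = Test-Certificate -Cert $leaf -Policy SSL -DNSName $hostNames[0] -ErrorAction SilentlyContinue
"Chain valid for $($hostNames[0]): $ok (leaf $($leaf.Thumbprint), root $($root.Thumbprint))"
```

Browsers on other machines only trust the site after the exported .cer (the public root, not the leaf) is imported into their Trusted Root store.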