You can create self-signed certificates through IIS, but that's a pain (they are only valid for a year), and from Server 2012 R2 onwards ADFS does not run on IIS, so you would be installing IIS simply for certificate creation.
I used to use the magic SelfSSL7, but that requires .NET 3.5, which isn't there by default on Server 2012 and upwards. (You could always install it as a role / feature.)
So now I use "makecert".
Brock has blogged on this: "makecert and creating ssl or signing certificates" and also "Generating and using a certificate to authorise Azure Automation".
On Windows 8, you'll find makecert inside "Visual Studio Tools" / "Developer Command Prompt for VS2013". Remember to run as Admin.
We see:
C:\>makecert -?
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
 -sk  <keyName>      Subject's key container name; To be created if not present
 -pe                 Mark generated private key as exportable
 -ss  <store>        Subject's certificate store name that stores the output
                     certificate
 -sr  <location>     Subject's certificate store location.
                     <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -#   <number>       Serial Number from 1 to 2^31-1.  Default to be unique
 -$   <authority>    The signing authority of the certificate
                     <commercial|individual>
 -n   <X509name>     Certificate subject X500 name (eg: CN=Fred Dews)
 -?                  Return a list of basic options
 -!                  Return a list of extended options
C:\>makecert -!
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Extended Options
 -tbs <file>         Certificate or CRL file to be signed
 -sc  <file>         Subject's certificate file
 -sv  <pvkFile>      Subject's PVK file; To be created if not present
 -ic  <file>         Issuer's certificate file
 -ik  <keyName>      Issuer's key container name
 -iv  <pvkFile>      Issuer's PVK file
 -is  <store>        Issuer's certificate store name.
 -ir  <location>     Issuer's certificate store location
                     <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -in  <name>         Issuer's certificate common name.(eg: Fred Dews)
 -a   <algorithm>    The signature's digest algorithm.
                     <md5|sha1|sha256|sha384|sha512>.  Default to 'sha1'
 -ip  <provider>     Issuer's CryptoAPI provider's name
 -iy  <type>         Issuer's CryptoAPI provider's type
 -sp  <provider>     Subject's CryptoAPI provider's name
 -sy  <type>         Subject's CryptoAPI provider's type
 -iky <keytype>      Issuer key type
                     <signature|exchange|<integer>>.
 -sky <keytype>      Subject key type
                     <signature|exchange|<integer>>.
 -l   <link>         Link to the policy information (such as a URL)
 -cy  <certType>     Certificate types
                     <end|authority>
 -b   <mm/dd/yyyy>   Start of the validity period; default to now.
 -m   <number>       The number of months for the cert validity period
 -e   <mm/dd/yyyy>   End of validity period; defaults to 2039
 -h   <number>       Max height of the tree below this cert
 -len <number>       Generated Key Length (Bits)
                     Default to '2048' for 'RSA' and '512' for 'DSS'
 -r                  Create a self signed certificate
 -nscp               Include Netscape client auth extension
 -crl                Generate a CRL instead of a certificate
 -eku <oid[<,oid>]>  Comma separated enhanced key usage OIDs
 -?                  Return a list of basic options
 -!                  Return a list of extended options
So Brock's command is:
makecert -r -pe -n "CN=%1" -b 01/01/2015 -e 01/01/2020 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -a sha256 -len 2048 -ss my -sr localMachine
-r = Self-signed
-pe = Mark generated private key as exportable
-n = Certificate subject X500 name
-b = Start of the validity period
-e = End of validity period
-eku = Comma separated enhanced key usage OID
-sky = Subject key type
-a = The signature's digest algorithm
-len = Generated Key Length (Bits)
-ss = Subject's certificate store name that stores the output certificate
-sr = Subject's certificate store location
I've never used the -eku option.
As per the other link:
makecert.exe -sky exchange -r -n "CN=your certificate's name" -pe -a sha256 -len 2048 -ss My "your certificate's name.cer"
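As an added example (not from this post or from Brock's), the following Windows PowerShell 5.1 script runs the -eku form of the makecert command above for a given subject name and then checks that the certificate which landed in LocalMachine\My actually has the properties those flags were meant to set. It assumes makecert.exe is on the PATH and that the key was created by a CryptoAPI provider (so $cert.PrivateKey exposes CspKeyContainerInfo); the subject name and validity dates are parameters.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1
# and makecert.exe on the PATH (the Developer Command Prompt adds it).
param(
    [Parameter(Mandatory = $true)][string]$SubjectName,   # e.g. adfs.example.com (constructed)
    [string]$NotBefore = '01/01/2015',                    # dates as in the post's command
    [string]$NotAfter  = '01/01/2020'
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU used in the post

# Same flags as the post: self-signed, exportable, RSA 2048, SHA-256, machine store.
& makecert -r -pe -n "CN=$SubjectName" -b $NotBefore -e $NotAfter `
    -eku $serverAuthOid -sky exchange -a sha256 -len 2048 -ss my -sr localMachine
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Pick the newest certificate with that subject from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectName" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectName in LocalMachine\My" }

# Verify what the flags should have produced. PrivateKey is an
# RSACryptoServiceProvider for CAPI keys, hence CspKeyContainerInfo (assumption).
$checks = [ordered]@{
    'Has private key'        = $cert.HasPrivateKey
    'Private key exportable' = $cert.PrivateKey.CspKeyContainerInfo.Exportable
    'Key length 2048'        = $cert.PublicKey.Key.KeySize -eq 2048
    'Signed with SHA-256'    = $cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA'
    'Server Auth EKU'        = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $serverAuthOid
    'Not yet expired'        = $cert.NotAfter -gt (Get-Date)
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-24} : {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) { throw 'Certificate does not meet the expected properties' }
"Thumbprint: $($cert.Thumbprint)"
```

Run it elevated, since writing to LocalMachine\My requires Administrator; the thumbprint it prints is what you would then reference when assigning the certificate to ADFS.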
Enjoy!