Hello everyone!
I am currently trying to fully automate our internal certificate creation with PowerShell and certreq.exe. At this point I can create valid certificates, but the -attrib option is giving me some trouble.
I submit the automatically created CSR to my CA and get a valid certificate back, but it is missing the first 3 SAN entries IPAddress=$iLOIP&DNS=$iLOIP&DNS=$hostname. The last one (DNS=iLOFQDN), however, is present. I am using this command:
certreq.exe -submit -config $certificateserver -attrib "CertificateTemplate:$certificatetemplate\nsan:IPAddress=$iLOIP&DNS=$iLOIP&DNS=$hostname&DNS=$iLOFQDN" "$scriptpath\currentcsr.txt" "$scriptpath\currentcert.cer"
I am not sure about the syntax; oddly, it does not work without the \n between CertificateTemplate:$certificatetemplate and SAN:. I found this question while googling the problem, but it did not solve everything for me.
Unfortunately I have no way of using an .inf file, where I could enter the SAN entries.
Now to my question: what is the correct syntax to use in the -attrib field? Is it possible not to specify a template? Am I overcomplicating things, and is there already a tool that does all of this?
Posted on 2020-08-13 18:25:57
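The -attrib string in the question separates its two attributes with \n; inside a PowerShell double-quoted string those are two literal characters, while certreq expects a real newline, which PowerShell writes as `n (backtick n). The following is an added example, not code from the question or the answer, that builds the attribute value from validated SAN entries and submits the CSR; the CA config string, template name and file paths are placeholders.

```powershell
# Added example: build the certreq -attrib value (template + SAN) and submit a CSR.
# CA config string, template name and paths below are placeholders, not values from the page.
function New-CertReqAttrib {
    param(
        [string]$Template,      # empty string: omit the CertificateTemplate attribute
        [string[]]$SanEntries   # 'dns=<name>' or 'ipaddress=<ip>' entries
    )
    $checked = @()
    foreach ($entry in $SanEntries) {
        $kind, $value = $entry -split '=', 2
        switch ($kind.ToLower()) {
            'ipaddress' {
                $ip = $null
                if (-not [System.Net.IPAddress]::TryParse($value, [ref]$ip)) { throw "Not an IP address: $value" }
            }
            'dns' {
                # host name or FQDN, optionally with a leading wildcard label
                if ($value -notmatch '^(\*\.)?([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+$') { throw "Not a DNS name: $value" }
            }
            default { throw "Unsupported SAN type '$kind' in '$entry'" }
        }
        $checked += "$($kind.ToLower())=$value"
    }
    $parts = @()
    if ($Template) { $parts += "CertificateTemplate:$Template" }
    if ($checked.Count -gt 0) { $parts += 'san:' + ($checked -join '&') }
    # certreq separates attributes with a newline: `n in PowerShell, not the two literal characters \n
    return ($parts -join "`n")
}

# Constructed sample input: an iLO-style host reachable by IP, short name and FQDN
$attrib = New-CertReqAttrib -Template 'WebServerTemplate' -SanEntries @(
    'ipaddress=10.0.0.5', 'dns=10.0.0.5', 'dns=ilo-host', 'dns=ilo-host.corp.example')

# Submit the CSR (placeholder CA config string and file paths)
& certreq.exe -submit -config 'CA-HOST\CA-NAME' -attrib $attrib 'C:\certs\currentcsr.txt' 'C:\certs\currentcert.cer'
```

The CA only honours a san: request attribute when its policy module has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set, and with that flag any enrollee can place arbitrary names in any certificate the CA issues, so carrying the SAN in the request extension (as the .inf approach in the answer below does) and controlling names through the template is the safer default.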
Following on from my comment, here is a prebuilt PowerShell script for requesting SAN certificates.
SAN Certificate with PowerShell - with Import/Export
This script uses PowerShell to create a certificate with a SAN (Subject Alternative Name), submits the request to the CA with a specific web server template, and issues it to the server/workstation accordingly. Updated to allow wildcard CNs.
Download: New-CACertificate.ps1
<#
.SYNOPSIS
Script to ease the pain of creating/submitting/automating the process of creating a certificate for an on-prem CA
.DESCRIPTION
Required Variables: Subject, Exportable, SAN1, Template. Up to 5 SANs can be included in this script. More can be added if desired. User must have privileges to submit / create certificate template.
.EXAMPLE
./get-certificate-inf.ps1 -Subject contoso.com -Exportable $false -Template Server -SAN1 contoso.com -SAN2 www.contoso.com -SAN3 devsite.contoso.com
.NOTES
Variables that require user modification to the script: see the "Subject Variables" section.
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)]
    [string]$Subject,
    [Parameter(Mandatory=$True)]
    [bool]$Exportable,
    [Parameter(Mandatory=$True)]
    [string]$SAN1,
    [Parameter(Mandatory=$False)]
    [string]$SAN2,
    [Parameter(Mandatory=$False)]
    [string]$SAN3,
    [Parameter(Mandatory=$False)]
    [string]$SAN4,
    [Parameter(Mandatory=$False)]
    [string]$SAN5,
    [Parameter(Mandatory=$True)]
    [string]$Template
)
$ErrorActionPreference = 'Inquire'

## Subject Variables: fill in the values for your organisation. They live here in the
## script (not inside the INF text below) so that PowerShell actually assigns them;
## any that are left empty are omitted from the subject.
$O  = ''   # organization
$OU = ''   # organizational unit
$E  = ''   # email
$L  = ''   # locality
$ST = ''   # state
$C  = ''   # country

## Build the subject from the CN plus whichever optional RDNs are set
$FullSubject = "CN=$Subject"
foreach ($rdn in @(@('O', $O), @('OU', $OU), @('E', $E), @('L', $L), @('ST', $ST), @('C', $C))) {
    if ($rdn[1]) { $FullSubject += ", $($rdn[0])=$($rdn[1])" }
}

## Gathering Logic for SAN: SAN1 is required, SAN2-SAN5 are appended only when supplied
$FullSAN = "{text}dns=$SAN1"
foreach ($extraSan in @($SAN2, $SAN3, $SAN4, $SAN5)) {
    if ($extraSan) { $FullSAN += "&dns=$extraSan" }
}

## Required because PowerShell would otherwise expand $Windows inside the here-string as a variable
$Windows = '$Windows'
$inputfiletemplate = @"
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "$FullSubject" ; For a wildcard use "CN=*.CONTOSO.COM" for example
Exportable = $Exportable ; Whether the private key may be exported
KeyLength = 2048 ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "$FullSAN"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate=$Template
"@

### Gathering Certificate information ###
### Wildcard CNs contain '*', which is not a valid filename character, so use a random name for those
if ($Subject.Contains('*')) {
    Write-Host "Hang on...have to create a new filename..."
    $filename = -join ((65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object { [char]$_ })
}
else {
    $filename = $Subject.Substring(0, 3)
}
$inputfiletemplate | Out-File "$filename.inf"
Write-Host "Generating request"
### End of Gathering Certificate information ###

# Using certreq to create a new request from the information file
& "C:\Windows\System32\certreq.exe" "-new" "$filename.inf" "$filename.req"
# Submitting the request to the CA and saving the issued certificate as a .cer
Write-Host "Submitting request to CA"
& "C:\Windows\System32\certreq.exe" "-submit" "$filename.req" "$filename.cer"
# Accepting the certificate from the SubCA (installs it into the machine store)
& "C:\Windows\System32\certreq.exe" "-accept" "$filename.cer"
Write-Host "Certificate Imported Successfully"

# File cleanup
Write-Host "Cleaning up files generated"
Remove-Item "$filename.*" -Force

# Asking if you would like to export the certificate
if ($Exportable) {
    if ((Read-Host -Prompt "Do you want to export the certificate? Y\N") -eq "y") {
        # Show certificate store
        Write-Host "Fetching Certificates in store for you..."
        Get-ChildItem -Path Cert:\LocalMachine\My | Format-List Subject, Thumbprint
        # Ask user to copy thumbprint to console
        Write-Host "Please copy the thumbprint to export"
        $thumbprint = Read-Host -Prompt "Please paste the desired thumbprint here"
        # Export certificate with password
        Get-ChildItem -Path Cert:\LocalMachine\My\$thumbprint | Export-PfxCertificate -Password (Read-Host -Prompt "Please type your password" -AsSecureString) -ChainOption EndEntityCertOnly -NoClobber -FilePath (Read-Host -Prompt "Give the PFX a filename with .pfx")
        "`nExport Successful... 'till next time."
    }
}
else {
    "Mission Complete!"
}

https://stackoverflow.com/questions/63398277