https://docs.microsoft.com/zh-cn/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
1. Create the root certificate
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign -KeyUsage CertSign
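2. Get a reference to the certificate (optional step)
Replace THUMBPRINT below with the thumbprint string of the certificate you want; this string can be found in the certificate details.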
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\THUMBPRINT"
For example:
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\AED812AD883826FF7O14D1D5A77B3C08EFA79F3F"
3. Sign a new client certificate with the root certificate
New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
-CertStoreLocation parameter (only two options)
- -CertStoreLocation "cert:\LocalMachine\My"
- -CertStoreLocation "Cert:\CurrentUser\My"
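To confirm the result of steps 1 to 3, the following added example (not part of the original notes) checks that the client certificate chains to the root held in $cert and carries only the Client Authentication EKU requested by -TextExtension. The function name Test-ClientCertificate and the shape of its output object are assumptions made for this example.

```powershell
# Added example: verify a client certificate against the root that signed it.
# Test-ClientCertificate is a hypothetical helper, not a built-in cmdlet.
function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Root,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Child
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # same OID as in step 3

    # Build the chain; the self-signed root is not in a trusted store and has no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    $built = $chain.Build($Child)

    # AllowUnknownCertificateAuthority accepts any root, so pin the chain's
    # top element to the expected root by thumbprint.
    $top = $null
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    # Collect the EKU OIDs present on the client certificate.
    $eku = $Child.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object Value })

    # The root was created with -KeyUsage CertSign; confirm the flag is set.
    $ku = $Root.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

    [pscustomobject]@{
        ChainBuilds    = $built
        AnchoredAtRoot = ($null -ne $top -and $top.Thumbprint -eq $Root.Thumbprint)
        ClientAuthOnly = ($ekuOids.Count -eq 1 -and $ekuOids[0] -eq $clientAuthOid)
        RootCanSign    = [bool]($ku -and ($ku.KeyUsages -band $certSign))
        ChildExpires   = $Child.NotAfter
    }
}

# Usage: $cert is the root from step 1 or 2; pick the newest client cert it issued.
$child = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=P2SChildCert' -and $_.Issuer -eq $cert.Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
Test-ClientCertificate -Root $cert -Child $child
```

All four boolean fields should be True for a certificate produced by the commands above; AnchoredAtRoot being False means the client certificate was signed by a different certificate with the same subject name.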