Preface
Today I'd like to share with everyone how to make the nt5src driver.pfx (testroot) certificate.
The "openssl.txt" in the October 2020 nt5src build guide has problems.
The detailed steps are as follows.
I. Environment preparation
1. Operating system
Linux or macOS is recommended for the build environment (Windows is not recommended, because setting up an OpenSSL environment there is a hassle V_V).
I have tested this myself on CentOS 7.6 and macOS 11; both ship with OpenSSL so there is nothing to fiddle with, and the openssl commands are compatible on both!
2. Configuration files
Once the OS is chosen, first prepare the four configuration files "testroot.conf", "testpca.conf", "vbl03ca.conf" and "driver.conf". The files below are modified versions of the conf files shipped in the "win2003_prepatched_v10a" guide package. The changes are as follows:
2.1 testroot.conf
oid_section = xca_oids

[ xca_oids ]
dom = 1.3.6.1.4.1.311.20.2
MsCaV = 1.3.6.1.4.1.311.21.1
msEFSFR = 1.3.6.1.4.1.311.10.3.4.1
iKEIntermediate = 1.3.6.1.5.5.8.2.2
nameDistinguisher = 0.2.262.1.10.7.20
id-kp-eapOverPPP = 1.3.6.1.5.5.7.3.13
id-kp-eapOverLAN = 1.3.6.1.5.5.7.3.14

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = xca_dn0
x509_extensions = xca_extensions0
req_extensions = xca_extensions0
string_mask = MASK:0x2002
utf8 = yes
prompt = no

[ ca ]
default_ca = testroot

[ xca_dn0 ]
0.OU=Copyright (c) 1999 Microsoft Corp.
1.CN=Microsoft Test Root Authority
2.OU=Microsoft Corporation

[ xca_extensions0 ]
certificatePolicies=ia5org,@certpol0_sect
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE

[certpol0_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.5
userNotice.0=@certpol0_sect_notice0_sect

[certpol0_sect_notice0_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process. This certificate and drivers signed with this certificate are intended for use in test environments only, and are not intended for use in any other context. Vendors who distribute this certificate or drivers signed with this certificate outside a test environment may be in violation of their driver signing agreement. Vendors who have their drivers signed with this certificate do so at their own risk. In particular, Microsoft assumes no liability for any damages that may result from the distribution of this certificate or drivers signed with this certificate outside the test environment described in a vendors driver signing agreement.

[ testroot ]
dir = testroot
certs = $dir
new_certs_dir = $dir/testroot.db.certs
database = $dir/testroot.db.index
serial = $dir/testroot.db.serial
RANDFILE = $dir/testroot.db.rand
certificate = $dir/testroot.pem
private_key = $dir/testroot.key
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = generic_policy0

[ generic_policy0 ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ sub_ca_ext ]
certificatePolicies=ia5org,@certpol1_sect
keyUsage=nonRepudiation, keyCertSign, cRLSign
authorityKeyIdentifier=keyid:always
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE

[certpol1_sect]
policyIdentifier=1.3.6.1.4.1.311.10.3.7
userNotice.0=@certpol1_sect_notice1_sect

[certpol1_sect_notice1_sect]
explicitText=This certificate is used to sign untested drivers that have not passed the Windows Hardware Quality Labs (WHQL) testing process.
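As an added example (not code from the original post or the guide package), the following POSIX shell script creates the working directory that the [ testroot ] section above expects (dir, new_certs_dir, database, serial) and then issues the self-signed test root with `openssl req`, using the [ req ] defaults from this conf (1024-bit RSA, the xca_dn0 subject, the xca_extensions0 extensions). The script name make-testroot.sh and the `run` argument are my own conventions; it assumes testroot.conf is in the current directory.

```shell
#!/bin/sh
# Added example: prepare the CA layout from testroot.conf and issue the test root.
# Assumes testroot.conf is in the current working directory.
set -eu

# Create the directory layout that `openssl ca -config testroot.conf` reads later.
# Paths mirror the [ testroot ] section: $dir/testroot.db.certs, .index, .serial.
prepare_ca_dir() {
    dir="${1:-testroot}"
    mkdir -p "$dir/testroot.db.certs"
    # The index (database) must exist, even if empty, before the first `openssl ca` run.
    [ -f "$dir/testroot.db.index" ] || : > "$dir/testroot.db.index"
    # The serial file holds the next hex serial number; start at 01.
    [ -f "$dir/testroot.db.serial" ] || echo 01 > "$dir/testroot.db.serial"
    printf '%s\n' "$dir"
}

# Generate the root key and self-signed certificate at the paths that
# certificate = $dir/testroot.pem and private_key = $dir/testroot.key point to.
make_testroot() {
    conf="${1:-testroot.conf}"
    dir="${2:-testroot}"
    openssl req -new -x509 -config "$conf" -nodes \
        -keyout "$dir/testroot.key" -out "$dir/testroot.pem" -days 3650
    # Show the subject so it can be compared with the xca_dn0 section.
    openssl x509 -in "$dir/testroot.pem" -noout -subject
}

# Run end to end only when invoked as: sh make-testroot.sh run
if [ "${1:-}" = "run" ]; then
    prepare_ca_dir testroot >/dev/null
    make_testroot testroot.conf testroot
fi
```

Run it from the directory containing testroot.conf. The resulting testroot/testroot.pem and testroot/testroot.key are exactly the files the [ testroot ] section refers to, so the later `openssl ca -config testroot.conf` steps that sign the sub-CA find them in place. Note that `default_md = md5` lives in the [ testroot ] ca section and therefore only governs certificates this root later issues with `openssl ca`; the self-signed root itself is signed with the digest your openssl binary uses by default for `req`.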