2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I have seen many friends install IIS-based certificate application sites on AD CS servers to make applying for certificates easier when setting up a PoC environment or even a production environment.
Although IIS is much more secure than it used to be, install IIS on the AD server.
First of all, let's talk about how to get a certificate.
Today it is not only Windows that uses certificates: Apple's macOS and iOS, and Android, all need them too. Each system saves certificates in a secure way. As we said earlier, certificates are public and private keys, so Apple uses Keychain and Android uses KeyStore to keep public and private keys.
If you have ever applied for a certificate, you will remember the steps: first generate a certificate request (CSR), then submit the request to the CA. Once the CA approves it and generates the certificate, export the certificate as a CER file and complete the certificate request on the device that generated it.
In fact, behind this, the process is a little more complicated.
First, the client that needs to generate a certificate request actually generates a public key and a private key (remember what we said? The public and private keys are unique and matched as a pair). The private key is immediately saved to a strictly protected key store, which usually does not allow anything other than the generated certificate to access the private key.
Then, the client generates a CSR file with the public key and the required certificate information. Keep in mind that the private key will never be used to request a certificate.
After the CA receives the CSR, it can generate a certificate according to policy, either after approval by an administrator or automatically. This certificate is signed using the CA's certificate and contains at least the three elements of a certificate we mentioned earlier: the information of the CA, the validity period of the certificate (often determined by the certificate template), and to whom it is issued (that is, the Subject information provided when we submit the CSR, such as the FQDN of the server).
After the certificate is imported by the client, the client can use the private key.
Let's go back to the first question: is it necessary to use an IIS-based certsvc site to apply for a certificate?
Of course not.
We can use the certreq.exe command line to solve this problem.
This tool supports requesting and importing certificates from the command line. Most crucially, it is included in the Windows operating system. For the specific command lines, please refer to:
http://technet.microsoft.com/library/cc725793.aspx
Another great thing is that you can provide a set of parameters to the command line as an INF file. In this way, for certificate requests with the same requirements, you no longer need to enter lengthy command-line parameters each time.
Based on this command line, I used a script to write a tool that generates the CSR for a certificate, imports the CER, and then exports a PFX. The format of these certificate files will be introduced later.
The first step of this tool is to generate a CSR certificate request.
The certificate request can then be sent to the intermediate administrator for signature.
A signed certificate request is sent to Apple to request an APNS certificate.
Once the certificate is received, it can be imported, and the public key and private key can be exported together as a PFX file.
Of course, you can also submit the CSR directly to the self-built CA for certificate issuance.
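The flow described above (build the CSR from an INF file, have it signed, import the CER, export a PFX) can be sketched in PowerShell around certreq.exe. This is an added example, not the author's tool; the FQDN, working folder and file names are assumed values.

```powershell
# Added example, not the author's tool. FQDN, folder and file names are assumed.
$ErrorActionPreference = 'Stop'
$fqdn = 'web01.contoso.example'                # hypothetical server FQDN
$work = Join-Path $env:TEMP 'certreq-demo'
$inf  = Join-Path $work 'request.inf'
$csr  = Join-Path $work 'request.csr'
$cer  = Join-Path $work 'issued.cer'           # save the CA's response under this name
New-Item -ItemType Directory -Path $work -Force | Out-Null

if (-not (Test-Path $cer)) {
    # Phase 1: the request parameters live in an INF file, so the same request
    # can be repeated without retyping them. certreq -new creates the key pair
    # in the current user's key store and writes only the request to disk.
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
; Exportable is TRUE only because a PFX is wanted later; leave it FALSE otherwise.
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = SHA256
"@ | Set-Content -Path $inf -Encoding ASCII

    certreq -new $inf $csr
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    Write-Host "Submit $csr to the CA, save the issued certificate as $cer, then run this script again."
    return
}

# Phase 2: import the issued certificate on the machine that created the request,
# so Windows can pair it with the stored private key.
certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Locate the installed certificate by the thumbprint of the file the CA returned.
$thumb = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cer).Thumbprint
$cert  = Get-Item "Cert:\CurrentUser\My\$thumb"
if (-not $cert.HasPrivateKey) { throw 'No matching private key in this key store.' }

# The PFX carries the private key, so it is written with a password.
$pw = Read-Host 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $work "$fqdn.pfx") -Password $pw | Out-Null
```

The `HasPrivateKey` check fails when the CER is imported on a machine other than the one that generated the request, which is the case the article's "on the device that generated the certificate request" step guards against.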