我在 Azure 下有一个使用 SSL 绑定(bind)证书(已通过 Azure 门户生成)的 Web 应用程序。 我想使用 Azure Powershell 检索此 SSL 证书的公钥(PEM 文件)。我已成功使用 mycertificate.GetPublicKeyString() 函数在 C# 后台提取公钥,但我不知道如何在 PowerShell 下实现这一点。 你有什么想法吗?
非常感谢。
最佳答案
我写了一个脚本来做到这一点;除非它提取私钥。成功的关键是以 Pkcs8 格式导出您的公钥。如果您改用 GetRSAPublicKey,这应该会引导您导出公钥 PEM。
<#
FileName: pfx-2-pem.ps1
Author: rashadrivera.com
Description: This PowerShell script converts a PFX file into PEM format for use in WebPack's
Dev Server configurations. This script is an alternative to using the common
OpenSSL, open-source tool; which is an untrusted, unmaintained, security risk.
#>
param (
[Parameter(Mandatory=$true, HelpMessage="Path to your PFX file")]
[string] $pfxPath,
[Parameter(Mandatory=$false, HelpMessage="Optional PFX password")]
[string] $pfxPassword,
[Parameter(Mandatory=$false, HelpMessage="File path for certificate PEM export")]
[string] $certFile = ".\your.cer.as.pem",
[Parameter(Mandatory=$false, HelpMessage="Path to your private-key PEM export")]
[string] $pvkFile = ".\your.private-key.as.pem"
)
$IMPORT_PFX_EXPORT_OPTIONS = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$HAS_PASSWORD = -Not([System.String]::IsNullOrEmpty($pfxPassword))
function Main() {
[System.IO.Directory]::SetCurrentDirectory($(Get-Location))
_validateParameters
if (-NOT($HAS_PASSWORD)) {
# Ensure NULL instead of empty or white-space string
$pfxPassword = $null
}
$pfxAsCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword, $IMPORT_PFX_EXPORT_OPTIONS)
_exportCertPEM $pfxAsCertificate $certFile
_exportPrivateKeyPEM $pfxAsCertificate $pvkFile
}
function _exportCertPEM([System.Security.Cryptography.X509Certificates.X509Certificate2]$pfx, [System.String] $outputPath) {
$base64CertText = [System.Convert]::ToBase64String($pfx.RawData, "InsertLineBreaks")
$out = New-Object String[] -ArgumentList 3
$out[0] = "-----BEGIN CERTIFICATE-----"
$out[1] = $base64CertText
$out[2] = "-----END CERTIFICATE-----"
[System.IO.File]::WriteAllLines($outputPath, $out)
}
function _exportPrivateKeyPEM([System.Security.Cryptography.X509Certificates.X509Certificate2]$pfx, [System.String] $outputPath) {
$key = _extractCngKeyFromCert $pfx
$base64CertText = [System.Convert]::ToBase64String($key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob), "InsertLineBreaks");
$out = New-Object String[] -ArgumentList 3
$out[0] = "-----BEGIN PRIVATE KEY-----"
$out[1] = $base64CertText
$out[2] = "-----END PRIVATE KEY-----"
[System.IO.File]::WriteAllLines($outputPath,$out)
}
function _extractCngKeyFromCert([System.Security.Cryptography.X509Certificates.X509Certificate2]$pfx) {
$algorithmAsOidString = $pfx.GetKeyAlgorithm()
$algorithmAsOid = [System.Security.Cryptography.Oid]::new($algorithmAsOidString)
if ($algorithmAsOid.FriendlyName -eq "RSA") {
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($pfx)
$rsaCng = ([System.Security.Cryptography.RSACng]$rsa)
return $rsaCng.Key
} elseif ($algorithmAsOid.FriendlyName -eq "ECC") {
$ecDsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($pfx)
$ecDsaCng = ([System.Security.Cryptography.ECDsaCng]$ecDsa)
return $ecDsaCng.Key
} else {
throw "Certificate algorithm of '$algorithmAsOid.FriendlyName' is not supported"
}
}
function _validateFilePathString($path) {
try {
[System.IO.FileInfo]::new($path) > $null
} catch {
throw "File path '$path' is invalid: $PSItem.Exception.Message"
}
}
function _validateParameters() {
if (-Not([System.IO.File]::Exists($pfxPath))) {
throw "PFX file '$pfx' was not found"
}
try {
if ($HAS_PASSWORD) {
[System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword, $IMPORT_PFX_EXPORT_OPTIONS) > $null
} else {
[System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $null, $IMPORT_PFX_EXPORT_OPTIONS) > $null
}
} catch {
if ($hasPassword) {
throw "Source path of '$sourcePath' is not an X509 certificate file or the password specified is incorrect. Error: `r`n$PSItem.Exception.Message"
} else {
throw "Source path of '$sourcePath' is not an X509 certificate file OR a password is required. Error: `r`n$PSItem.Exception.Message"
}
}
_validateFilePathString($certFile)
_validateFilePathString($pvkFile)
}
Main
关于Azure PowerShell - 从 SSL 证书中提取 PEM,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52492644/