About certificates: how to obtain a certificate

Source: Internet
Author: User
Tags: csr, certificate, pfx file

I have seen many friends install the IIS-based certificate application site on the AD CS server to make it easier to apply for certificates when building a POC environment or even a production environment.

Although the current IIS is much safer than earlier versions, you can install IIS on the Active Directory server...

First, let's talk about how to obtain the certificate.


Today certificates are used not only on Windows but also on Apple's Mac, iOS and Android. Each system uses a secure method to store certificates. As we mentioned above, a certificate comes down to a public key and its matching private key. Therefore, Apple uses Keychain and Android uses Keystore to store the key pair.

If you have ever applied for a certificate, you will remember that you first generate a certificate request (CSR) and then submit the request to the CA. After the CA approves the request and generates a certificate, you can export the certificate as a CER file and complete the certificate application on the device that generated the certificate request.

In fact, the process is a little more complicated.

First, the client that needs to generate the certificate request actually generates a public key and a private key (remember what we said? The keys are unique and matched as a pair). The private key is saved immediately to a strictly protected key store. Generally, the private key cannot be accessed by any means other than through the issued certificate.

Then, the client generates a CSR file from the public key and the required certificate information. Remember that the private key is never sent along to apply for a certificate.

After receiving the CSR, the CA follows its policy: the request is either approved by an administrator or a certificate is generated automatically. This certificate is signed with the CA certificate and contains at least the three elements of a certificate: the CA information, the certificate validity period (usually determined by the certificate template), and to whom it is issued (that is, the subject information we provide when submitting the CSR, such as the server FQDN).

After the certificate is imported on the client, the client can use the private key.

 

Let's go back to the previous question. Do I have to use the IIS-based certsvc site to apply for a certificate?

 

Of course not.

We can use the certreq.exe command line to solve this problem.

This tool supports requesting and importing certificates from the command line. Most importantly, it is included in the Windows operating system. For the specific command-line options, refer to:

http://technet.microsoft.com/library/cc725793.aspx

A set of parameters can also be written to an INF file and passed to the command line. That way, for certificate requests with the same requirements, you no longer need to type lengthy command-line parameters each time.

 

Based on this command line, I used a script to write a tool for generating a CSR, importing a CER, and exporting a PFX. The formats of these certificate files will be introduced later.

The first step of this tool is to generate a CSR certificate request.


Then, you can send the certificate request to the intermediate administrator for signature.

The signed certificate request is then sent to Apple to apply for an APNs certificate.

After receiving the certificate, you can import it and export the public key and private key together as a PFX file.


Of course, you can also directly submit the CSR to the self-built CA to issue the certificate.
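The three steps described above (generate a CSR from an INF file, import the issued CER, export a PFX) can be typed directly with certreq.exe, as in the following added example. It is not the author's tool; the subject name, file names and working folder are placeholders, and the request is made in the current user's context.

```powershell
# Added example: subject FQDN, file names and folder are placeholders.
$work = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$csr = Join-Path $work 'request.csr'
$cer = Join-Path $work 'issued.cer'   # file returned by the CA
$pfx = Join-Path $work 'export.pfx'

if (-not (Test-Path $csr)) {
    # 1. Keep the request parameters in an INF file instead of a long command line.
    #    Exportable = TRUE is required only because a PFX is exported in step 4;
    #    leave it FALSE when the key never has to leave this machine.
    @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=web01.contoso.example"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
RequestType = PKCS10
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@ | Set-Content -Path $inf -Encoding ASCII

    # 2. Create the key pair in the local key store and write the CSR.
    #    Only the public key and subject information go into the CSR file.
    certreq.exe -new $inf $csr
    if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
    certutil.exe -dump $csr   # inspect what will be sent to the CA
}

if (-not (Test-Path $cer)) {
    Write-Host "Submit $csr to the CA, save the issued certificate as $cer, then run again."
    return
}

# 3. Import the issued certificate; it is matched to the pending private key.
certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 4. Export certificate and private key together as a password-protected PFX.
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer).Thumbprint
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$thumb" -FilePath $pfx -Password $pfxPassword | Out-Null
```

Run it once to produce the CSR and a second time, on the same machine and account, after the CA has returned the CER; the resulting PFX contains the private key and should be stored and transferred accordingly.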
