How does Windows calculate alias names for certificates exported into PFX files?
Question
I have an app which imports one certificate stored in a PFX file and requires users to provide the alias of the one and only certificate to import. Some users maintain their certificates using the Windows cert store and export them from there into PFX files and want to upload those files into my app in the end. Certs are exported either manually using certmgr.msc or e.g. using some PowerShell script using Export-PfxCertificate.
The problem is that alias names generated in both ways seem to be unpredictable GUIDs or something. Though, when exporting the same certificate over and over again, the alias name is stable and doesn't seem to change at all. OTOH, it doesn't seem to be that easy to apply some alias name in the cert store and export using that, Windows still generates something looking like a GUID. Additionally, I don't see any argument to Export-PfxCertificate to specify a custom alias name.
C:\Users\tschoening>keytool -v -list -storetype pkcs12 -keystore Desktop\tschoening_ps.pfx
Keystore-Kennwort eingeben:
Keystore-Typ: PKCS12
Keystore-Provider: SUN
Keystore enthält 1 Eintrag
Aliasname: 2fb763d2-f1fa-4820-8caf-f73e011ee4d1
For different tested certificates the alias even looks slightly different:
Aliasname: {a16a26b0-7d2e-4366-95b9-40f06b45b578}
certutil provides similar output:
C:\Users\tschoening>certutil -v -dumpPFX Desktop\tschoening.pfx
[...]
Attribut[1]: 1.2.840.113549.1.9.20 (szOID_PKCS_12_FRIENDLY_NAME_ATTR)
Wert [1][0], Länge = 4a
CryptFormatObject: Keine integrierte Formatierungshilfe
2fb763d2-f1fa-4820-8caf-f73e011ee4d1
0000 1e 48 00 32 00 66 00 62 00 37 00 36 00 33 00 64 .H.2.f.b.7.6.3.d
0010 00 32 00 2d 00 66 00 31 00 66 00 61 00 2d 00 34 .2.-.f.1.f.a.-.4
0020 00 38 00 32 00 30 00 2d 00 38 00 63 00 61 00 66 .8.2.0.-.8.c.a.f
0030 00 2d 00 66 00 37 00 33 00 65 00 30 00 31 00 31 .-.f.7.3.e.0.1.1
0040 00 65 00 65 00 34 00 64 00 31 .e.e.4.d.1
0000: 1e 48 ; UNICODE_STRING (48 Bytes)
0002: 00 32 00 66 00 62 00 37 00 36 00 33 00 64 00 32 ; .2.f.b.7.6.3.d.2
0012: 00 2d 00 66 00 31 00 66 00 61 00 2d 00 34 00 38 ; .-.f.1.f.a.-.4.8
0022: 00 32 00 30 00 2d 00 38 00 63 00 61 00 66 00 2d ; .2.0.-.8.c.a.f.-
0032: 00 66 00 37 00 33 00 65 00 30 00 31 00 31 00 65 ; .f.7.3.e.0.1.1.e
0042: 00 65 00 34 00 64 00 31 ; .e.4.d.1
; "2fb763d2-f1fa-4820-8caf-f73e011ee4d1"
So, how does Windows calculate that alias? Is there any way to provide a custom alias during export?
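The `1e 48` prefix in the certutil dump is an ASN.1 BMPString header (tag 0x1E, length 0x48), so the alias keytool prints is the PKCS#12 friendlyName attribute stored as UTF-16BE text. The following is an added example, not part of the original post: it rebuilds the bytes from the dump rows shown above, decodes them, and checks for the two GUID shapes seen in the question. The function names are illustrative.

```python
import re

# The "Wert [1][0]" rows of the certutil dump above, copied from the page:
# offset, hex bytes, then certutil's ASCII rendering.
CERTUTIL_DUMP = """\
0000 1e 48 00 32 00 66 00 62 00 37 00 36 00 33 00 64 .H.2.f.b.7.6.3.d
0010 00 32 00 2d 00 66 00 31 00 66 00 61 00 2d 00 34 .2.-.f.1.f.a.-.4
0020 00 38 00 32 00 30 00 2d 00 38 00 63 00 61 00 66 .8.2.0.-.8.c.a.f
0030 00 2d 00 66 00 37 00 33 00 65 00 30 00 31 00 31 .-.f.7.3.e.0.1.1
0040 00 65 00 65 00 34 00 64 00 31 .e.e.4.d.1
"""
BMP_STRING = 0x1E  # ASN.1 universal tag 30, shown by certutil as UNICODE_STRING
_G = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
GUID_RE = re.compile(_G + r"|\{" + _G + r"\}")  # both shapes seen on the page

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset hh hh ... ascii' rows (hypothetical helper)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:      # skip offset, at most 16 bytes per row
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                       # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def read_tlv(data: bytes):
    """Return (tag, value) of the first TLV; handles short and long length forms."""
    if len(data) < 2:
        raise ValueError("truncated TLV header")
    tag, first = data[0], data[1]
    if first < 0x80:
        length, start = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("unsupported or truncated length")
        length, start = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if len(data) < start + length:
        raise ValueError("value shorter than declared length")
    return tag, data[start:start + length]

def friendly_name(attr_value: bytes) -> str:
    """Decode a PKCS#12 friendlyName value: a BMPString holding UTF-16BE text."""
    tag, value = read_tlv(attr_value)
    if tag != BMP_STRING or len(value) % 2:
        raise ValueError("not a well-formed BMPString")
    return value.decode("utf-16-be")

def looks_like_guid(alias: str) -> bool:
    return GUID_RE.fullmatch(alias) is not None

if __name__ == "__main__":
    alias = friendly_name(dump_to_bytes(CERTUTIL_DUMP))
    print(alias, looks_like_guid(alias))
```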
Answer 1
Score: 1
The alias is generated from the key's unique identifier:
$CertObject = Get-ChildItem .CEF3D48F1287173401CE1B189C161F46585F1F
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertObject)
$rsaCert.key.KeyName
{6E9844BC-51A1-408E-A421-2D53B253C8B4}
Obviously, the values will be different for you.
As far as I know, the only way to change it would be to use some third-party tool such as OpenSSL.