Generate and export certificates for Point-to-Site using PowerShell

Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root certificate and generate client certificates using PowerShell on Windows 10 or Windows Server 2016. If you are looking for different certificate instructions, see Certificates - Linux or Certificates - MakeCert.

You must perform the steps in this article on a computer running Windows 10 or Windows Server 2016. The PowerShell cmdlets that you use to generate certificates are part of the operating system and do not work on other versions of Windows. The Windows 10 or Windows Server 2016 computer is only needed to generate the certificates. Once the certificates are generated, you can upload them, or install them on any supported client operating system.

If you do not have access to a Windows 10 or Windows Server 2016 computer, you can use MakeCert to generate certificates. The certificates that you generate using either method can be installed on any supported client operating system.

Create a self-signed root certificate

Use the New-SelfSignedCertificate cmdlet to create a self-signed root certificate. For additional parameter information, see New-SelfSignedCertificate.

  1. From a computer running Windows 10 or Windows Server 2016, open a Windows PowerShell console with elevated privileges. These examples do not work in the Azure Cloud Shell "Try It". You must run these examples locally.

  2. Use the following example to create the self-signed root certificate. The following example creates a self-signed root certificate named 'P2SRootCert' that is automatically installed in 'Certificates-Current User\Personal\Certificates'. You can view the certificate by opening certmgr.msc, or Manage User Certificates.

    Sign in using the Connect-AzAccount cmdlet. Then, run the following example with any necessary modifications.

    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
    
  3. Leave the PowerShell console open and proceed with the next steps to generate a client certificate.

Generate a client certificate

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

The following steps walk you through generating a client certificate from a self-signed root certificate. You may generate multiple client certificates from the same root certificate. When you generate client certificates using the steps below, the client certificate is automatically installed on the computer that you used to generate the certificate. If you want to install a client certificate on another client computer, you can export the certificate.

The examples use the New-SelfSignedCertificate cmdlet to generate a client certificate that expires in one year. For additional parameter information, such as setting a different expiration value for the client certificate, see New-SelfSignedCertificate.

Example 1 - PowerShell console session still open

Use this example if you have not closed your PowerShell console after creating the self-signed root certificate. This example continues from the previous section and uses the declared '$cert' variable. If you closed the PowerShell console after creating the self-signed root certificate, or are creating additional client certificates in a new PowerShell console session, use the steps in Example 2.

Modify and run the example to generate a client certificate. If you run the following example without modifying it, the result is a client certificate named 'P2SChildCert'. If you want to name the child certificate something else, modify the CN value. Do not change the TextExtension when running this example. The client certificate that you generate is automatically installed in 'Certificates - Current User\Personal\Certificates' on your computer.

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Example 2 - New PowerShell console session

If you are creating additional client certificates, or are not using the same PowerShell session that you used to create your self-signed root certificate, use the following steps:

  1. Identify the self-signed root certificate that is installed on the computer. This cmdlet returns a list of certificates that are installed on your computer.

    Get-ChildItem -Path "Cert:\CurrentUser\My"
    
  2. Locate the subject name from the returned list, then copy the thumbprint that is located next to it to a text file. In the following example, there are two certificates. The CN name is the name of the self-signed root certificate from which you want to generate a child certificate. In this case, 'P2SRootCert'.

    Thumbprint                                Subject
    
    AED812AD883826FF76B4D1D5A77B3C08EFA79F3F  CN=P2SChildCert4
    7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655  CN=P2SRootCert
    
  3. Declare a variable for the root certificate using the thumbprint from the previous step. Replace THUMBPRINT with the thumbprint of the root certificate from which you want to generate a child certificate.

    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\THUMBPRINT"
    

    For example, using the thumbprint for P2SRootCert in the previous step, the variable looks like this:

    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655"
    
  4. Modify and run the example to generate a client certificate. If you run the following example without modifying it, the result is a client certificate named 'P2SChildCert'. If you want to name the child certificate something else, modify the CN value. Do not change the TextExtension when running this example. The client certificate that you generate is automatically installed in 'Certificates - Current User\Personal\Certificates' on your computer.

    New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
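    The following added example (not part of the original article) serves the root-certificate section and both client-certificate examples: it selects the root by subject instead of a hand-copied thumbprint, refuses a root that was not created as a signing certificate, issues the client certificate with the same parameters as the examples above, and then checks the result. The subject 'CN=P2SRootCert', the client name 'P2SChildCert' and the EKU OID are the values used on this page; everything else is an assumption of the example.

```powershell
# Added example (not part of the original article). Assumed: root subject and client
# name from the article's examples; the EKU OID is the article's TextExtension value.
$rootSubject   = 'CN=P2SRootCert'
$clientName    = 'P2SChildCert'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Select the root by subject; require exactly one match that still has its private key.
$roots = @(Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq $rootSubject -and $_.HasPrivateKey })
if ($roots.Count -ne 1) {
    throw "Expected exactly one '$rootSubject' with a private key in CurrentUser\My, found $($roots.Count)."
}
$cert = $roots[0]

# Only a certificate issued with -KeyUsage CertSign should sign child certificates.
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
if (-not $ku -or ($ku.KeyUsages -band $certSign) -eq 0) {
    throw "'$rootSubject' does not carry the KeyCertSign key usage and cannot act as the P2S root."
}

# Issue the client certificate with the same parameters as the article's examples.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $cert -TextExtension @("2.5.29.37={text}$clientAuthOid")

# Post-issuance checks: correct issuer, Client Authentication EKU, and a chain that
# terminates at our root (self-signed, so an unknown trust anchor is expected here).
if ($client.Issuer -ne $cert.Subject) { throw "Client certificate was not issued by $rootSubject." }
$eku = $client.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or @($eku.EnhancedKeyUsages | ForEach-Object Value) -notcontains $clientAuthOid) {
    throw 'Client certificate lacks the Client Authentication EKU that P2S requires.'
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($cert) | Out-Null
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
if (-not $chain.Build($client)) {
    throw "Chain validation failed: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
}
'Issued {0} ({1}) signed by {2}, valid until {3:yyyy-MM-dd}' -f $client.Subject, $client.Thumbprint, $client.Issuer, $client.NotAfter
```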
    

Export the root certificate public key (.cer)

After creating a self-signed root certificate, export the root certificate public key .cer file (not the private key). You will later upload this file to Azure. The following steps help you export the .cer file for your self-signed root certificate:

  1. To obtain a .cer file from the certificate, open Manage user certificates. Locate the self-signed root certificate, typically in 'Certificates - Current User\Personal\Certificates', and right-click. Click All Tasks, and then click Export. This opens the Certificate Export Wizard. If you can't find the certificate under Current User\Personal\Certificates, you may have accidentally opened "Certificates - Local Computer" rather than "Certificates - Current User". To open Certificate Manager in current user scope from PowerShell, type certmgr in the console window.

    Screenshot showing the Certificates window for the current user with the certificate selected, and the context menu with Export selected from All Tasks.

  2. In the Wizard, click Next.

    Export certificate

  3. Select No, do not export the private key, and then click Next.

    Do not export the private key

  4. On the Export File Format page, select Base-64 encoded X.509 (.CER), and then click Next.

    Base-64 encoded

  5. For File to Export, Browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

    Screenshot showing the File name text box and the Browse option in the Certificate Export Wizard.

  6. Click Finish to export the certificate.

    Screenshot showing the Certificate Export Wizard with the selected settings.

  7. Your certificate is successfully exported.

    Screenshot showing the export successful message.

  8. The exported certificate looks similar to this:

    Screenshot showing a certificate icon and a file name with the .cer extension.

  9. If you open the exported certificate using Notepad, you see something similar to this example. The section in blue contains the information that is uploaded to Azure. If you open your certificate with Notepad and it does not look similar to this, typically this means you did not export it using the Base-64 encoded X.509 (.CER) format. Additionally, if you want to use a different text editor, understand that some editors can introduce unintended formatting in the background. This can create problems when uploading the text from this certificate to Azure.

    Open with Notepad

Export the self-signed root certificate and private key to store it (optional)

You may want to export the self-signed root certificate and store it safely as a backup. If need be, you can later install it on another computer and generate more client certificates. To export the self-signed root certificate as a .pfx, select the root certificate and use the same steps as described in Export the client certificate.

Export the client certificate

When you generate a client certificate, it's automatically installed on the computer that you used to generate it. If you want to install the client certificate on another client computer, you need to export the client certificate that you generated.

  1. To export a client certificate, open Manage user certificates. The client certificates that you generated are, by default, located in 'Certificates - Current User\Personal\Certificates'. Right-click the client certificate that you want to export, click All Tasks, and then click Export to open the Certificate Export Wizard.

    Screenshot showing the Certificates window for the current user with the certificate selected and Export selected from All Tasks.

  2. In the Certificate Export Wizard, click Next to continue.

    Screenshot showing the Certificate Export Wizard welcome message.

  3. Select Yes, export the private key, and then click Next.

    Export the private key

  4. On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in the certification path if possible is selected. This setting additionally exports the root certificate information that is required for successful client authentication. Without it, client authentication fails because the client doesn't have the trusted root certificate. Then, click Next.

    Export File Format

  5. On the Security page, you must protect the private key. If you select to use a password, make sure to record or remember the password that you set for this certificate. Then, click Next.

    Screenshot showing the Certificate Export Wizard Security page with a password entered and confirmed, and Next highlighted.

  6. On the File to Export page, Browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

    File to Export

  7. Click Finish to export the certificate.

    Screenshot showing the Certificate Export Wizard with the entered settings.
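The following added example (not part of the original article) is the PowerShell equivalent of the two export wizards above: it writes the root's public key as a Base-64 encoded X.509 .cer file with no private key, exports the client certificate as a password-protected .pfx with the root included in the chain, and then verifies both files without importing them. The certificate names come from this page; the output folder 'C:\Temp\p2s-certs' and the file names are assumptions of the example.

```powershell
# Added example (not part of the original article): PowerShell equivalent of the
# export wizards. Assumed: certificate names from the article and the output folder.
$outDir = 'C:\Temp\p2s-certs'                 # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$root   = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq 'CN=P2SRootCert' -and $_.HasPrivateKey } | Select-Object -First 1
$client = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq 'CN=P2SChildCert' -and $_.Issuer -eq 'CN=P2SRootCert' } | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My.' }

# 1. Root public key as Base-64 encoded X.509 (.CER). RawData is the DER certificate
#    only (never the private key); wrap it in 64-column PEM lines as the wizard does.
$b64  = [Convert]::ToBase64String($root.RawData)
$body = ($b64 -replace '(.{64})', "`$1`r`n").TrimEnd()
$cerPath = Join-Path $outDir 'P2SRootCert.cer'
Set-Content -Path $cerPath -Value "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----" -Encoding Ascii
$uploadBody = $b64   # the Base-64 body between the BEGIN/END lines is what Azure takes

# 2. Client certificate with its private key (.pfx). -ChainOption BuildChain is the
#    wizard's "Include all certificates in the certification path if possible".
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
$pfxPath = Join-Path $outDir 'P2SChildCert.pfx'
Export-PfxCertificate -Cert $client -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Verify the files without importing them.
$reread = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($reread.HasPrivateKey -or $reread.Thumbprint -ne $root.Thumbprint) {
    throw 'The .cer must contain only the public root certificate.'
}
$pfx = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
if (@($pfx.EndEntityCertificates | ForEach-Object Thumbprint) -notcontains $client.Thumbprint) {
    throw 'Exported .pfx does not contain the client certificate.'
}
if (@($pfx.OtherCertificates | ForEach-Object Thumbprint) -notcontains $root.Thumbprint) {
    throw 'Root certificate is missing from the .pfx; the client would fail authentication without it.'
}
"Wrote $cerPath (public key only) and $pfxPath (client key plus root chain)."
```

The same .pfx export, run against the root certificate instead of the client, produces the backup described in the optional section above.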

Install an exported client certificate

Each client that connects to the VNet over a P2S connection requires a client certificate to be installed locally.

To install a client certificate, see Install a client certificate for Point-to-Site connections.

Next steps

Continue with your Point-to-Site configuration.