Generate and export certificates for Point-to-Site connections using MakeCert

Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root certificate and generate client certificates using MakeCert. If you are looking for different certificate instructions, see Certificates - PowerShell or Certificates - Linux.

While we recommend using the Windows 10 PowerShell steps to create your certificates, we provide these MakeCert instructions as an optional method. The certificates that you generate using either method can be installed on any supported client operating system. However, MakeCert has the following limitation:

  • MakeCert is deprecated. This means that the tool could be removed at any point. Any certificates that you already generated using MakeCert won't be affected when MakeCert is no longer available: MakeCert is only used to generate the certificates, it plays no part in validating them.

Create a self-signed root certificate

The following steps show you how to create a self-signed root certificate using MakeCert. These steps are not deployment-model specific. They are valid for both Resource Manager and classic.

  1. Download and install MakeCert.

  2. After installation, you can typically find the makecert.exe utility under 'C:\Program Files (x86)\Windows Kits\10\bin\<arch>', although it is possible that it was installed to another location. Open a command prompt as administrator and navigate to the location of the MakeCert utility. You can use the following example, adjusting for the proper location:

    cd "C:\Program Files (x86)\Windows Kits\10\bin\x64"
    
  3. Create and install the root certificate in the Personal certificate store on your computer. The command below does not write a file; it places the certificate, together with its private key, in 'Certificates - Current User\Personal\Certificates' (the store named 'My'). You export the public key as a .cer file in the next section and upload that file to Azure when configuring P2S. Replace 'P2SRootCert' with the name that you want to use for the certificate. The flags mean: -r self-signed, -pe mark the private key exportable (needed to back up the root), -sky exchange, -a sha256 signature algorithm, -len 2048 key length, -ss My target store.

    makecert -sky exchange -r -n "CN=P2SRootCert" -pe -a sha256 -len 2048 -ss My
    

Export the public key (.cer)

After creating a self-signed root certificate, export the root certificate's public key as a .cer file (not the private key). You will later upload this file to Azure. The following steps help you export the .cer file for your self-signed root certificate:

  1. To obtain a .cer file from the certificate, open Manage user certificates. Locate the self-signed root certificate, typically in 'Certificates - Current User\Personal\Certificates', and right-click it. Click All Tasks, and then click Export. This opens the Certificate Export Wizard. If you can't find the certificate under Current User\Personal\Certificates, you may have accidentally opened "Certificates - Local Computer" rather than "Certificates - Current User". To open Certificate Manager in current-user scope from PowerShell, type certmgr in the console window.

  2. In the wizard, click Next.

  3. Select No, do not export the private key, and then click Next.

  4. On the Export File Format page, select Base-64 encoded X.509 (.CER), and then click Next.

  5. For File to Export, browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

  6. Click Finish to export the certificate.

  7. Your certificate is successfully exported.

  8. The export produces a single file with the .cer extension at the location you chose.

  9. If you open the exported certificate using Notepad, you see a -----BEGIN CERTIFICATE----- line, a block of Base-64 text, and an -----END CERTIFICATE----- line. The Base-64 block between those two lines is the information that is uploaded to Azure. If you open your certificate with Notepad and it does not look like this (for example, it appears as binary garbage), you did not export it using the Base-64 encoded X.509 (.CER) format. Additionally, if you want to use a different text editor, understand that some editors can introduce unintended formatting in the background (a byte-order mark, changed line endings, or smart quotes). This can create problems when you upload the text from this certificate to Azure.

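The same export and format check can be done from PowerShell. The following is an added example, not code from the original article: it locates the root created by the makecert command above (CN=P2SRootCert in Current User\Personal), checks that it really is a self-signed 2048-bit SHA-256 certificate with a private key, writes the public key as a Base-64 X.509 (.cer) file, and prints the Base-64 body you paste into Azure. The output path on the Desktop is an assumption; adjust it as needed.

```powershell
# Added example, not part of the original article: export the self-signed root's public key
# as a Base-64 X.509 (.cer) file and check it before uploading to Azure.
# Assumes the root was created with the makecert command above (CN=P2SRootCert, store My).
# $OutFile is an assumed location; change it as needed.
$RootName = 'P2SRootCert'
$OutFile  = Join-Path $env:USERPROFILE "Desktop\$RootName.cer"

# Locate the root in Current User\Personal. For a self-signed root, Subject and Issuer are identical.
$root = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$RootName" -and $_.Issuer -eq $_.Subject })
if ($root.Count -eq 0) { throw "CN=$RootName not found in Cert:\CurrentUser\My (are you looking at Local Computer instead?)" }
if ($root.Count -gt 1) { throw "More than one certificate matches CN=$RootName; remove the duplicates first" }
$root = $root[0]

# Checks matching the makecert flags: SHA-256 signature (-a sha256), 2048-bit RSA key (-len 2048),
# and a private key in the store (-pe), which you need to sign client certificates later.
$keyBits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($root).KeySize
if ($root.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
    throw "Unexpected signature algorithm $($root.SignatureAlgorithm.FriendlyName); expected sha256RSA"
}
if ($keyBits -lt 2048) { throw "Root key is only $keyBits bits; expected 2048" }
if (-not $root.HasPrivateKey) {
    Write-Warning 'No private key for the root in this store; you cannot issue client certificates from this machine'
}

# "Base-64 encoded X.509 (.CER)" is PEM: the DER bytes in RawData, Base-64 encoded, between
# BEGIN/END markers. (Export-Certificate -Type CERT writes raw DER instead, which is the
# binary-looking file Notepad shows when the wrong format was chosen.) Written as plain ASCII
# so that no editor adds a byte-order mark or other hidden formatting.
$b64 = [Convert]::ToBase64String($root.RawData, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.Encoding]::ASCII)

# Round-trip: parse the file back and confirm it is the same certificate and carries no private key.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
if ($reloaded.Thumbprint -ne $root.Thumbprint) { throw 'Exported file does not match the certificate in the store' }
if ($reloaded.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }

# Azure takes only the Base-64 body, without the BEGIN/END lines and line breaks; this is the
# part the article describes as highlighted when the file is opened in Notepad.
$body = ((Get-Content $OutFile) | Where-Object { $_ -notmatch '^-----' }) -join ''
Write-Host "Exported $OutFile (thumbprint $($root.Thumbprint), valid until $($root.NotAfter))"
Write-Host 'Public certificate data to upload:'
Write-Host $body
```

Run it in the same user context that ran makecert; the certificate store is per user, so an elevated prompt for a different account will not see the root. If the thumbprint check fails, you have more than one certificate with the same CN and should delete the stale one before exporting.
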
The exported .cer file must be uploaded to Azure. For instructions, see Configure a Point-to-Site connection. To add an additional trusted root certificate, see the corresponding section of that article.

Export the self-signed certificate and private key to store it (optional)

You may want to export the self-signed root certificate and store it safely. If need be, you can later install it on another computer and generate more client certificates, or export another .cer file. To export the self-signed root certificate as a .pfx, select the root certificate and use the same steps as described in Export a client certificate. Treat the resulting .pfx like a CA key: anyone who holds it can issue client certificates that your gateway will accept, so protect it with a strong password and keep it off general-purpose file shares.

Create and install client certificates

You don't install the self-signed root certificate directly on the client computer. You need to generate a client certificate from the self-signed root, then export it and install it on the client computer. The following steps are not deployment-model specific. They are valid for both Resource Manager and classic.

Generate a client certificate

Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. You generate a client certificate from the self-signed root certificate, and then export and install the client certificate. If the client certificate is not installed, authentication fails.

The following steps walk you through generating a client certificate from a self-signed root certificate. You may generate multiple client certificates from the same root certificate. When you generate client certificates using the steps below, the client certificate is automatically installed on the computer that you used to generate it. If you want to install the client certificate on another client computer, export the certificate.

  1. On the same computer that you used to create the self-signed root certificate, open a command prompt as administrator.

  2. Modify and run the sample to generate a client certificate.

    • Change "P2SRootCert" to the name of the self-signed root that you are generating the client certificate from. Make sure you use the root certificate's name, which is the 'CN=' value you specified when you created the self-signed root.
    • Change "P2SChildCert" to the name you want for the client certificate.

    If you run the following example without modifying it, the result is a client certificate named P2SChildCert in your Personal certificate store, issued by the root certificate P2SRootCert. Here -in names the issuing certificate and -is the store that holds it (the root's private key must be present there), -m 96 sets the validity period to 96 months, and -pe makes the client's private key exportable so the certificate can be moved to another machine.

    makecert.exe -n "CN=P2SChildCert" -pe -sky exchange -m 96 -ss My -in "P2SRootCert" -is my -a sha256
    

Export a client certificate

When you generate a client certificate, it's automatically installed on the computer that you used to generate it. If you want to install the client certificate on another client computer, you need to export the client certificate that you generated.

  1. To export a client certificate, open Manage user certificates. The client certificates that you generated are, by default, located in 'Certificates - Current User\Personal\Certificates'. Right-click the client certificate that you want to export, click All Tasks, and then click Export to open the Certificate Export Wizard.

  2. In the Certificate Export Wizard, click Next to continue.

  3. Select Yes, export the private key, and then click Next.

  4. On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in the certification path if possible is selected. This setting additionally exports the root certificate information that is required for successful client authentication. Without it, client authentication fails because the client doesn't have the trusted root certificate. Then, click Next.

  5. On the Security page, you must protect the private key. If you select to use a password, make sure to record or remember the password that you set for this certificate; the .pfx contains the client's private key, and the password is the only thing protecting it while the file is copied to the other computer. Then, click Next.

  6. For File to Export, browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.

  7. Click Finish to export the certificate.

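Before carrying the .pfx to another machine it is worth confirming that the client certificate generated by the makecert command in Generate a client certificate really chains to your root, since that is the check the gateway performs. The following is an added example, not code from the original article, that covers both that section and the export wizard steps above: it builds the chain with the root supplied explicitly, then exports the client certificate as a password-protected .pfx with the chain included (the PowerShell equivalent of the wizard's "Include all certificates in the certification path") and verifies the root is inside the file. It assumes the article's names (P2SRootCert, P2SChildCert) in Current User\Personal, the Export-PfxCertificate and Get-PfxData cmdlets from the Windows PKI module, and an assumed output path on the Desktop.

```powershell
# Added example, not part of the original article: verify that a client certificate chains to the
# self-signed root, then export it as a .pfx including the root, mirroring the wizard steps.
# Names follow the article's makecert examples; $PfxPath is an assumed location.
$RootName   = 'P2SRootCert'
$ClientName = 'P2SChildCert'
$PfxPath    = Join-Path $env:USERPROFILE "Desktop\$ClientName.pfx"

$root   = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$RootName" -and $_.Issuer -eq $_.Subject })
$client = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$ClientName" })
if ($root.Count -ne 1)   { throw "Expected exactly one self-signed CN=$RootName in Cert:\CurrentUser\My, found $($root.Count)" }
if ($client.Count -eq 0) { throw "CN=$ClientName not found in Cert:\CurrentUser\My" }
$root   = $root[0]
# If makecert was run more than once, take the most recently issued client certificate.
$client = $client | Sort-Object NotAfter -Descending | Select-Object -First 1

# The gateway accepts a client only if its certificate was issued by an uploaded root, so build the
# chain with our root as the trust anchor. Revocation checking is off (a self-signed root publishes
# no CRL) and the root need not be in Trusted Root Certification Authorities on this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$built  = $chain.Build($client)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $anchor.Thumbprint -ne $root.Thumbprint) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "CN=$ClientName does not chain to CN=$RootName ($status). Check the -in/-is values you passed to makecert."
}
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key here; it cannot be exported for another machine' }
if ($client.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Client certificate expires on $($client.NotAfter)" }

# Export with the private key and the full chain (BuildChain), protected by a password.
# The private key must have been created exportable (makecert -pe) or this fails.
$password = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
Export-PfxCertificate -Cert $client -FilePath $PfxPath -Password $password -ChainOption BuildChain | Out-Null

# Confirm the file really contains the root; without it the target machine has no trusted root
# and authentication fails, as the export wizard step warns.
$pfx = Get-PfxData -FilePath $PfxPath -Password $password
$hasRoot = @($pfx.OtherCertificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -eq 1
if (-not $hasRoot) { throw "$PfxPath does not include the root certificate" }
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $client.Thumbprint) { throw 'Unexpected end-entity certificate in the .pfx' }
Write-Host "Exported $PfxPath (client $($client.Thumbprint), root $($root.Thumbprint))"
```

Copy the .pfx to the client over a channel you trust and delete it from the source machine once installed; it carries the private key that authenticates to the VNet, and the password is its only protection at rest.
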
Install an exported client certificate

To install a client certificate, see Install a client certificate.

Next steps

Continue with your Point-to-Site configuration.

For P2S troubleshooting information, see Troubleshooting Azure point-to-site connections.