Original source: http://stackoverflow.com/questions/5135230/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
makecert gives "Fail to acquire a security provider from the issuer's certificate" - why?
Asked by mark
Dear ladies and sirs. Observe this simple batch file:
makecert -n "CN=MyCA" -sr localmachine -ss root -a sha1 -cy authority -r -sv MyCA.pvk MyCA.cer
del MyCA.pvk
del MyCA.cer
makecert -n "CN=il-mark-lt" -sr localmachine -ss my -cy end -pe -sky exchange -a sha1 -is root -ir localmachine -in MyCA
However, the last makecert fails with the following error message:
Error: Fail to acquire a security provider from the issuer's certificate
How do I troubleshoot it? Any ideas? BTW, the first makecert succeeds. Of course, I delete it again, before running the commands again.
Thanks.
EDIT1
I understood the reasons for the failure. The second command expects the file MyCA.pvk to exist, but I do not want to keep it around. So, what can I do?
Answer by mark
Answer by Jester
I was getting this error because I didn't start the command line with Admin privileges. I guess the error is something of a misnomer in this case.
Answer by Miguel
The problem is the first command: you are creating a self-signed certificate and adding it to the Trusted Root store of the Local Machine account (but you probably know that). But you're also creating files for the public and private keys for the certificate, the .pvk and .cer files.
The second command is creating another certificate, this time not a self-signed one but one signed by the first certificate. In order to sign a certificate you need both the public and the private key of the issuer (CN=MyCA). You are instructing makecert to look for the issuer public key in the Local Machine Trusted Root Certificate store; that's fine, but you don't have the private key anymore, since MyCA.pvk was deleted.
If you don't specify file names for the private and public keys on the first command, i.e. do not include the -sv MyCA.pvk parameter and MyCA.cer, both the public and private keys will be added to the store. That means there will be no need to delete files because they won't be generated.
Also, if you open a management console (press [WIN]+[R], type mmc, [Return]), go to File -> Add/Remove Snap-in -> select "Certificates" -> "Add" -> "Computer Account" and then navigate the tree to Trusted Root Certificates\Certificates, you will find MyCA in the left pane. You'll notice a small key on the icon, and if you double-click the certificate, a message at the bottom of the General tab properties will state "You have a private key that corresponds to this certificate". That means you can use that certificate to sign a new one, like you're trying to do with the second command.
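The two conditions the answers above describe (an elevated prompt, and an issuer certificate in the Local Machine root store that still has its private key) can be checked from a script before the second makecert runs. The following PowerShell is an added example, not code from the question or the answers; it assumes makecert.exe is on PATH and reuses the subject names from the question.

```powershell
# Added example: pre-flight checks before issuing a certificate from CN=MyCA.
# Assumption: makecert.exe is on PATH; subject names are those from the question.
$issuerSubject = 'CN=MyCA'

# Jester's answer: the LocalMachine stores need an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    Write-Error 'Not elevated: start the shell with "Run as administrator".'
    exit 1
}

# Miguel's answer: the issuer must be in LocalMachine\Root together with
# its private key (the programmatic form of the "small key" icon in MMC).
$issuers = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $issuerSubject })
if ($issuers.Count -eq 0) {
    Write-Error "$issuerSubject was not found in LocalMachine\Root."
    exit 1
}
if ($issuers.Count -gt 1) {
    # Repeated runs of the first command leave several certificates
    # with the same subject; list them so stale ones can be removed.
    Write-Warning "$($issuers.Count) certificates match $issuerSubject :"
    $issuers | ForEach-Object { Write-Warning "  $($_.Thumbprint)" }
}
$usable = @($issuers | Where-Object { $_.HasPrivateKey })
if ($usable.Count -eq 0) {
    Write-Error ("$issuerSubject has no private key in the store. It was " +
        "probably created with -sv and the .pvk file was deleted afterwards.")
    exit 1
}

# Both conditions hold: run the second command from the question unchanged.
& makecert -n 'CN=il-mark-lt' -sr localmachine -ss my -cy end -pe `
    -sky exchange -a sha1 -is root -ir localmachine -in MyCA
if ($LASTEXITCODE -ne 0) {
    Write-Error "makecert failed with exit code $LASTEXITCODE"
    exit 1
}
```

Keeping the CA private key in the machine store means any local administrator can issue certificates that this machine trusts, so remove the test CA from the root store when it is no longer needed.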