Creating and merging a CSR in Key Vault

Azure Key Vault supports storing digital certificates issued by any Certificate Authority of your choice in your key vault. It supports creating the certificate signing request with a private-public key pair, which can then be signed by any chosen Certificate Authority. That CA can be an internal enterprise CA or an external public CA. A certificate signing request (also CSR or certification request) is a message sent by the user to a certificate authority (CA) in order to request issuance of a digital certificate.

For more general information about certificates, see Azure Key Vault Certificates.

If you don't have an Azure subscription, create a trial account before you begin.

Adding a certificate issued by a non-trusted CA to Key Vault

The following steps will help you create a certificate from a certificate authority that is not partnered with Key Vault (for example, GoDaddy is not a trusted Key Vault CA).

Azure PowerShell

  1. First, create the certificate policy. Because the CA chosen in this scenario is not a supported one, Key Vault will not enroll or renew the certificate from the issuer on behalf of the user; hence the IssuerName is set to Unknown.

    $policy = New-AzKeyVaultCertificatePolicy -SubjectName "CN=www.contosoHRApp.com" -ValidityInMonths 1  -IssuerName Unknown
    
  2. Create a certificate signing request.

    $csr = Add-AzKeyVaultCertificate -VaultName ContosoKV -Name ContosoManualCSRCertificate -CertificatePolicy $policy
    $csr.CertificateSigningRequest
    
  3. Get the CSR signed by the CA. The CertificateSigningRequest property of the object returned in step 2 (`$csr.CertificateSigningRequest` above) is the base64-encoded certificate signing request for the certificate. You can take this blob and submit it on the issuer's certificate request website. This step varies from CA to CA; the best approach is to look up your CA's guidelines on how to execute it. You can also use tools such as certreq or openssl to get the certificate request signed and complete the process of generating a certificate.

  4. Merge the signed request in Key Vault. After the certificate request has been signed by the issuer, you can bring back the signed certificate and merge it with the initial private-public key pair created in Azure Key Vault.

    Import-AzKeyVaultCertificate -VaultName ContosoKV -Name ContosoManualCSRCertificate -FilePath C:\test\OutputCertificateFile.cer
    

    The certificate request has now been successfully merged.

Azure portal

  1. To generate a CSR for the CA of your choice, navigate to the key vault to which you want to add the certificate.

  2. On the Key Vault properties pages, select Certificates.

  3. Select the Generate/Import tab.

  4. On the Create a certificate screen, choose the following values:

    • Method of Certificate Creation: Generate.
    • Certificate Name: ContosoManualCSRCertificate.
    • Type of Certificate Authority (CA): Certificate issued by a non-integrated CA.
    • Subject: "CN=www.contosoHRApp.com".
    • Select the other values as desired, then click Create.

    Certificate properties

  5. You will see that the certificate has now been added to the Certificates list. Select the new certificate you just created. The current state of the certificate will be 'disabled', because it hasn't been issued by the CA yet.

  6. Click on the Certificate Operation tab and select Download CSR.

  7. Take the .csr file to the CA to get the request signed.

  8. Once the request is signed by the CA, bring back the certificate file and merge the signed request in the same Certificate Operation screen.

The certificate request has now been successfully merged.

Adding more information to the CSR

If you want to include more information when creating a CSR, for instance:

    • Country
    • City / Locality
    • State / Province
    • Organisation
    • Organisational Unit

you can add all of it when creating the CSR by defining it in the subjectName.

Example: SubjectName="CN = docs.microsoft.com, OU = Microsoft Corporation, O = Microsoft Corporation, L = Redmond, S = WA, C = US"

Note

If you are requesting a DV cert with all those details in the CSR, the CA might reject the request, because the CA might not be able to validate all of that information. If you are requesting an OV cert, then it is more appropriate to add all that information to the CSR.

Troubleshoot

  • Error type 'The public key of the end-entity certificate in the specified X.509 certificate content does not match the public part of the specified private key. Please check if certificate is valid'. This error can occur if you are not merging the signed certificate with the same CSR request that was initiated. Each time a CSR is created, a new private key is created, and the signed certificate must match it when merging.

  • When a CSR is merged, does it merge the entire chain? Yes, it merges the entire chain, provided the user has brought back a p7b file to merge.

  • If the issued certificate is in 'disabled' status in the Azure portal, proceed to view the Certificate Operation to review the error message for that certificate.
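The PowerShell procedure above hands the CA a bare base64 blob, and the first troubleshooting item describes what happens when the certificate that comes back was not issued for that CSR's key. The following POSIX shell script is an added example (not code from the article or from Microsoft) using the openssl CLI the article mentions: it wraps the blob in PEM armour for the CA and compares the public key in the signed certificate with the one in the CSR before you run Import-AzKeyVaultCertificate, so a mismatch is caught locally instead of at merge time. The file names and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Azure article): prepare the base64 CSR blob that
# Key Vault returns ($csr.CertificateSigningRequest) for the CA, and check the
# signed certificate against that CSR before Import-AzKeyVaultCertificate,
# so the "public key ... does not match" merge error is caught locally.
# Assumes the openssl CLI; file names and function names are hypothetical.
set -eu

# Wrap the raw base64 blob from Add-AzKeyVaultCertificate in PEM armour so
# openssl, certreq or a CA web form can consume it.
# Usage: csr_blob_to_pem "<base64 blob>" request.csr
csr_blob_to_pem() {
    blob=$1; out=$2
    {
        printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
        printf '%s' "$blob" | tr -d ' \r\n' | fold -w 64
        printf '\n%s\n' '-----END CERTIFICATE REQUEST-----'
    } >"$out"
    # Fail early if the blob is not a parsable PKCS#10 request.
    openssl req -in "$out" -noout
}

# SHA-256 over the DER SubjectPublicKeyInfo of a CSR (kind=req) or a
# certificate (kind=x509); equal digests mean the same public key.
spki_fingerprint() {
    kind=$1; file=$2
    openssl "$kind" -in "$file" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the signed certificate carries the key pair the CSR was
# generated for. A non-zero status is exactly the situation Key Vault rejects
# at merge time (for example, a certificate issued for a CSR from a re-created
# Key Vault certificate object, whose private key is different).
cert_matches_csr() {
    csr=$1; cert=$2
    [ "$(spki_fingerprint req "$csr")" = "$(spki_fingerprint x509 "$cert")" ]
}

# Typical use before merging:
#   csr_blob_to_pem "$BLOB" request.csr      # hand request.csr to the CA
#   cert_matches_csr request.csr signed.cer  # then Import-AzKeyVaultCertificate
```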

For more information, see the Certificate operations in the Key Vault REST API reference. For information on establishing permissions, see Vaults - Create or Update and Vaults - Update Access Policy.

Next steps