2022-09-17
Windows Server Core 2022 -- (1) Installing AD DS and the AD CS certificate service
1. Install AD DS:
Install-WindowsFeature -Name AD-Domain-Services
# Single quotes: in a double-quoted string PowerShell expands "$$" (an automatic variable), which would silently change the password
Install-ADDSForest -CreateDnsDelegation:$false -DomainMode WinThreshold -DomainName afd.ink -DomainNetbiosName a -ForestMode WinThreshold -InstallDns:$true -NoRebootOnCompletion:$true -SafeModeAdministratorPassword (ConvertTo-SecureString 'P@$$w0rd1!' -AsPlainText -Force) -Force:$true
Restart-Computer
Set-ADUser administrator -PasswordNeverExpires $true
New-ADUser -Name 'gazh' -SamAccountName 'gazh' -DisplayName 'gazh' -Enabled $True -PasswordNeverExpires $True -UserPrincipalName 'gazh@afd.ink' -AccountPassword (ConvertTo-SecureString 'P@$$w0rd1!' -AsPlainText -Force) -PassThru
# Copy every group membership of Administrator to the new account
$SUG = (Get-ADUser -Identity "Administrator" -Properties MemberOf).MemberOf
ForEach ($Group in $SUG) { Add-ADGroupMember -Identity $Group -Members "gazh" }
(Get-ADUser -Identity gazh -Properties *).MemberOf
2. Install AD CS:
Install-WindowsFeature AD-Certificate,ADCS-Cert-Authority,ADCS-Web-Enrollment
Install-AdcsCertificationAuthority -ValidityPeriod Years -ValidityPeriodUnits 50 -CACommonName A-CA
Configure Certificate Authority Web Enrollment:
Install-AdcsWebEnrollment
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
certutil -setreg ca\ValidityPeriodUnits 20
Restart-Service -name certsvc
dnscmd . /RecordAdd afd.ink ca A 192.168.111.10
# Note: the URI values in the following commands were lost from the source; <URI> marks each missing value.
Get-CACrlDistributionPoint | ?{$_.uri -like "<URI pattern>" -or $_.uri -like "ldap*"}
Add-CACrlDistributionPoint -Uri "<CDP URI>" -AddToCrlIdp:$false -AddToFreshestCrl:$true -AddToCertificateCdp:$true -Confirm -Force
Get-CAAuthorityInformationAccess | fl
Add-CAAuthorityInformationAccess -AddToCertificateOcsp:$true -Uri "<OCSP URI>" -Confirm -Force
Get-CAAuthorityInformationAccess | fl
Remove-CAAuthorityInformationAccess -Uri "<URI>" -AddToCertificateAia
Remove-CAAuthorityInformationAccess -Uri "<URI>" -AddToCertificateOcsp
Remove-CAAuthorityInformationAccess -Uri "<URI>" | fl
Remove-CACrlDistributionPoint -Uri "<URI>"
Remove-CACrlDistributionPoint -Uri "<URI>" -AddToCertificateCdp -AddToCrlIdp -AddToFreshestCrl
Restart-Service -name certsvc
Add and manage templates:
Install-Module -Name ADCSTemplate
Get-ADCSTemplate | select displayname
Export-ADCSTemplate -DisplayName "Web 服务器" > .\webserver_template.json
Export-ADCSTemplate -DisplayName "Web Server" > .\webserver_template.json
notepad .\webserver_template.json
Change the pKIExpirationPeriod value so that the validity period goes from the default 2 years to 20 years:
Replace
"pKIExpirationPeriod": [
0,
128,
114,
14,
93,
194,
253,
255
],
with:
"pKIExpirationPeriod": [
0,
0,
121,
144,
162,
151,
233,
255
],
Save the file.
New-ADCSTemplate -DisplayName "Web20" -JSON (Get-Content .\webserver_template.json -Raw) -Publish
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity 'a\Domain Users' -Enroll
Set-ADCSTemplateACL -DisplayName Web20 -Type Allow -Identity 'a\Domain Computers' -Enroll
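As an added example (not from the original post), the following PowerShell derives the two pKIExpirationPeriod arrays listed above from a day count and patches the exported JSON in place instead of editing it in Notepad; it assumes the JSON written by Export-ADCSTemplate has a top-level pKIExpirationPeriod array, as shown above, and uses the same file and template names.

```powershell
# Added example, not from the original post. Assumes the JSON written by
# Export-ADCSTemplate has a top-level "pKIExpirationPeriod" array (as shown
# above) and uses the same file name and template name as the steps above.

# pKIExpirationPeriod is a little-endian signed 64-bit integer holding a
# NEGATIVE number of 100-nanosecond ticks, the usual AD interval encoding.
# One day = 86400 s * 10,000,000 ticks/s.
$TicksPerDay = 864000000000L

function ConvertTo-PkiExpirationPeriod {
    param([Parameter(Mandatory)][int]$Days)
    $ticks = -($Days * $TicksPerDay)
    # BitConverter returns little-endian bytes on x86/x64 Windows
    return [byte[]][BitConverter]::GetBytes($ticks)
}

function ConvertFrom-PkiExpirationPeriod {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [int](-$ticks / $TicksPerDay)
}

# Self-check against the two arrays listed above: the default value must
# decode to 2 * 365 days, and 20 * 365 days must encode to the replacement.
$default = [byte[]](0,128,114,14,93,194,253,255)
$wanted  = '0,0,121,144,162,151,233,255'
if ((ConvertFrom-PkiExpirationPeriod $default) -ne 730) { throw 'decode mismatch' }
if (((ConvertTo-PkiExpirationPeriod 7300) -join ',') -ne $wanted) { throw 'encode mismatch' }

# Patch the exported template file and publish it as Web20.
$path = '.\webserver_template.json'
$tpl  = Get-Content $path -Raw | ConvertFrom-Json
$tpl.pKIExpirationPeriod = ConvertTo-PkiExpirationPeriod -Days (20 * 365)
$tpl | ConvertTo-Json -Depth 10 | Set-Content $path
New-ADCSTemplate -DisplayName 'Web20' -JSON (Get-Content $path -Raw) -Publish
```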
Request a certificate:
1) Create the CSR: create a policy file (.inf) in Notepad and save it as requestconfig.inf:
[Version]
Signature="$Windows NT$"
[NewRequest]
;Change to your country code, company name and common name
Subject = "CN=afd.ink"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
FriendlyName = "afd-ca"
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=afd.ink&"
_continue_ = "dns=*.afd.ink&"
_continue_ = "dns=nipit-&"
_continue_ = "dns=*.nipit-&"
_continue_ = "dns=ykx.ai&"
_continue_ = "dns=*.ykx.ai&"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication / Token Signing
[RequestAttributes]
CertificateTemplate = Web20
SAN = "dns=afd.ink&dns=*.afd.ink&dns=nipit-&dns=*.nipit-&dns=ykx.ai&dns=*.ykx.ai"
2) On the computer for which you are requesting the certificate:
certreq -new requestconfig.inf certrequest.req
certreq -submit certrequest.req certnew.cer
3) Import and export the certificate:
Import-Certificate -FilePath .\afd-wildcard.cer -CertStoreLocation Cert:\LocalMachine\My
Get-ChildItem -Path Cert:\LocalMachine\My
Get-ChildItem -Path cert:\localMachine\my\266FBD875596D7029690CA907AA2977D35341788 | Export-PfxCertificate -FilePath .\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
Set-Location -Path cert:\localMachine\my
Import-PfxCertificate -FilePath c:\afd-wildcard.pfx -Password (ConvertTo-SecureString -String "1234" -Force -AsPlainText)
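An added check, not part of the original post: after the import, confirm that the certificate in LocalMachine\My actually carries the SANs from the INF, the Server Authentication EKU, a private key, and the 20-year validity that the Web20 template and the CA's ValidityPeriodUnits setting are meant to give it. The subject, DNS names and template name are the ones used above; Test-IssuedWebCert is a hypothetical helper name.

```powershell
# Added example, not from the original post. Assumes the issued certificate
# was imported into Cert:\LocalMachine\My with the subject CN=afd.ink used above.
function Test-IssuedWebCert {
    param(
        [string]$Subject = 'CN=afd.ink',
        [string[]]$ExpectedDns = @('afd.ink', '*.afd.ink'),
        [int]$ExpectedYears = 20
    )
    # Take the newest certificate with that subject
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject $Subject in LocalMachine\My" }

    # Subject Alternative Name (OID 2.5.29.17) DNS entries, as set in the INF
    $dns = $cert.DnsNameList | ForEach-Object { $_.Unicode }
    $missing = @($ExpectedDns | Where-Object { $_ -notin $dns })

    # EKU must include Server Authentication (1.3.6.1.5.5.7.3.1) from the INF
    $eku = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $serverAuth = $eku -contains '1.3.6.1.5.5.7.3.1'

    # Template information extension: v1 name (311.20.2) or v2+ OID (311.21.7)
    $tplExt = $cert.Extensions | Where-Object {
        $_.Oid.Value -in @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') }
    $tplText = ($tplExt | ForEach-Object { $_.Format($false) }) -join '; '

    # Lifetime as granted: should match 20 * 365 days from pKIExpirationPeriod
    $days = ($cert.NotAfter - $cert.NotBefore).TotalDays

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        MissingDns    = $missing
        ServerAuthEku = $serverAuth
        TemplateInfo  = $tplText
        ValidityDays  = [int]$days
        ValidityOk    = [math]::Abs($days - $ExpectedYears * 365) -le 1
    }
}
Test-IssuedWebCert
```

A MissingDns entry, ServerAuthEku of False or ValidityOk of False means the CA applied a different template or policy than the request asked for, which is worth resolving before the certificate is bound to IIS.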
3. Enable IIS remote management (Enabling IIS Remote Management)
Install-WindowsFeature Web-Mgmt-Service
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1
Set-Service -name WMSVC -StartupType Automatic -Status Running
New-NetFirewallRule -DisplayName "IIS Remote Management" -Direction Inbound -Action Allow -Service WMSVC
# $_ below is the target computer name from an enclosing loop that the original post does not show.
Copy-Item -Path C:\afd.ink.pfx -Destination "\\$_\c$"
# Single quotes keep "$$" literal; unquoted, PowerShell would expand it
certutil -p 'P@$$w0rd1' -importpfx c:\afd.ink.pfx
Remove-Item -Path "\\$_\c$\afd.ink.pfx"
Import-Module WebAdministration
Get-ChildItem -Path Cert:\LocalMachine\My
Remove-Item -Path IIS:\SslBindings\0.0.0.0!8172
# -First 1 keeps $cert a single thumbprint even if several certificates match the subject
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where {$_.Subject -like "*afd.ink*"} | Select-Object -First 1 -ExpandProperty Thumbprint
Get-Item -Path "cert:\localmachine\my\$cert" | New-Item -Path IIS:\SslBindings\0.0.0.0!8172