为 Windows 7 的 IPSec 客户端创建 CA
我现在正在努力为 Windows 7 创建 CA 证书以连接到 StrongSwan。
问题是,无论我尝试多少个标志,Windows 都不会使用它。我在受信任的根证书颁发机构组中有 20 个证书。这些是默认存在的。当我安装我的时,总共有21个。在连接尝试中,Windows 将尝试默认的 20 个,甚至是过时的,但不是我的。
从 StrongSwan wiki 中,这是所需的日志输出:
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP4_SERVER
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP6_SERVER
May 12 05:49:56 koala charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
May 12 05:49:56 koala charon: 13[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan 2009 CA"
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[CFG] looking for peer configs matching 10.10.0.1[%any]...10.10.0.6[10.10.0.6]
我得到的是这个:
11[ENC] unknown attribute type INTERNAL_IP4_SERVER
11[ENC] unknown attribute type INTERNAL_IP6_SERVER
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
11[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
11[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
11[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
11[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
11[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
11[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
11[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4
11[IKE] received cert request for unknown ca with keyid 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75
11[IKE] received cert request for unknown ca with keyid f0:17:62:13:55:3d:b3:ff:0a:00:6b:fb:50:84:97:f3:ed:62:d0:1a
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7
11[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e
11[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
11[CFG] looking for peer configs matching 192.168.0.204[%any]...192.168.0.201[192.168.0.201]
...我的将是 cc a6 77 ce 07 ca 9c e5 e1 79 c1 2f 52 0d 60 41 c0 fc 2c 02 但没有尝试过。
我添加了其他证书(以及更多)中包含的所有额外信息:
[ all_opts ]
keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3, 1.3.6.1.5.5.7.3.4, 1.3.
6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.6, 1.3.6.1.5.5.7.3.7, 1.3.6.1.5.5.7.3.8, 1.3.6.1.5.5.7.3.17
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
nsCertType=sslCA, emailCA, objCA
crlDistributionPoints=URI:http://myhost.com/myca.crl
...但到目前为止没有成功。
以下是许多失败的 TEST 证书之一的 openssl x509 -text 输出。我确实将它与一个可用的选项相匹配,包括每个选项(甚至包括像 CRL 这样看似无关紧要的选项),但到目前为止还没有成功。
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ed:47:46:38:44:e7:ef:40
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Validity
Not Before: Jun 17 10:18:16 2011 GMT
Not After : Jun 16 10:18:16 2015 GMT
Subject: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bf:85:90:c3:2c:30:da:8d:02:c0:6c:11:39:bc:
f4:d7:31:db:a2:bc:04:b6:c2:a4:92:ce:c1:4a:c7:
f9:43:57:6e:bc:c8:30:ee:17:45:46:57:95:37:bb:
7c:06:60:7b:20:a8:60:09:b8:1d:37:7f:26:dc:b2:
db:47:c4:91:91:8c:81:7a:b9:72:ec:0b:c6:90:50:
66:56:d1:05:a2:a0:99:66:ee:57:31:95:7c:04:a2:
4f:48:1f:89:c0:09:5b:cf:3f:09:4c:06:a8:36:99:
0e:c6:b1:27:d9:20:11:c5:fc:ec:cb:20:41:a7:8f:
d5:2a:58:2b:5c:36:f9:03:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, IPSec End System, IPSec Tunnel, IPSec User, Time Stamping, 1.3.6.1.5.5.7.3.17
X509v3 Subject Key Identifier:
CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
X509v3 Authority Key Identifier:
keyid:CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
URI:http://myhost.com/myca.crl
Signature Algorithm: sha1WithRSAEncryption
69:11:dc:65:4d:f2:af:50:6f:58:56:67:97:fd:26:c4:a4:93:
0e:59:c3:bf:0f:ae:d5:58:9e:33:e3:21:11:7d:8a:fd:dd:10:
11:6e:b3:69:b8:39:28:d4:c9:a4:8f:01:94:d6:96:92:0a:bd:
0d:13:eb:29:5c:d0:7c:7c:12:09:f0:db:c0:fd:7a:4b:33:5d:
d6:68:36:51:a3:8b:b9:92:90:52:ea:7d:13:f6:4e:83:d3:60:
22:c1:c1:b0:9b:f2:72:2c:d1:f7:ae:3c:b0:7c:17:7b:66:a0:
ff:3a:50:ee:56:e4:bc:35:16:fb:65:41:78:1d:32:2d:7f:51:
2b:ce
-----BEGIN CERTIFICATE-----
. . .
我在 Windows 端得到的只是:
Error 13801: IKE authentication credentials are unacceptable.
I'm struggling now for a time with creating a CA certificate for Windows 7 to connect to strongSwan.
The problem is, no matter how many flags I try, Windows won't use it. I have 20 certificates in the Trusted Root Certification Authorities group. These were there by default. When I install mine, there is 21 total. In a connection attempt Windows will try the default 20, even the outdated ones, but not mine.
Form the StrongSwan wiki, this is the desired log output:
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP4_SERVER
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP6_SERVER
May 12 05:49:56 koala charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
May 12 05:49:56 koala charon: 13[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan 2009 CA"
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[CFG] looking for peer configs matching 10.10.0.1[%any]...10.10.0.6[10.10.0.6]
What I get is this:
11[ENC] unknown attribute type INTERNAL_IP4_SERVER
11[ENC] unknown attribute type INTERNAL_IP6_SERVER
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
11[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
11[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
11[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
11[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
11[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
11[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
11[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4
11[IKE] received cert request for unknown ca with keyid 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75
11[IKE] received cert request for unknown ca with keyid f0:17:62:13:55:3d:b3:ff:0a:00:6b:fb:50:84:97:f3:ed:62:d0:1a
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7
11[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e
11[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
11[CFG] looking for peer configs matching 192.168.0.204[%any]...192.168.0.201[192.168.0.201]
... mine would be cc a6 77 ce 07 ca 9c e5 e1 79 c1 2f 52 0d 60 41 c0 fc 2c 02 but it is not tried.
I added all the extra info which is included in the other certificates (and more) with:
[ all_opts ]
keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3, 1.3.6.1.5.5.7.3.4, 1.3.
6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.6, 1.3.6.1.5.5.7.3.7, 1.3.6.1.5.5.7.3.8, 1.3.6.1.5.5.7.3.17
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
nsCertType=sslCA, emailCA, objCA
crlDistributionPoints=URI:http://myhost.com/myca.crl
... but no success this far.
Here is the openssl x509 -text output of one of the many failed TEST certificates. I really matched it with a working one, included every option (even seemingly unsignificant ones like CRL), but no success this far.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ed:47:46:38:44:e7:ef:40
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Validity
Not Before: Jun 17 10:18:16 2011 GMT
Not After : Jun 16 10:18:16 2015 GMT
Subject: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bf:85:90:c3:2c:30:da:8d:02:c0:6c:11:39:bc:
f4:d7:31:db:a2:bc:04:b6:c2:a4:92:ce:c1:4a:c7:
f9:43:57:6e:bc:c8:30:ee:17:45:46:57:95:37:bb:
7c:06:60:7b:20:a8:60:09:b8:1d:37:7f:26:dc:b2:
db:47:c4:91:91:8c:81:7a:b9:72:ec:0b:c6:90:50:
66:56:d1:05:a2:a0:99:66:ee:57:31:95:7c:04:a2:
4f:48:1f:89:c0:09:5b:cf:3f:09:4c:06:a8:36:99:
0e:c6:b1:27:d9:20:11:c5:fc:ec:cb:20:41:a7:8f:
d5:2a:58:2b:5c:36:f9:03:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, IPSec End System, IPSec Tunnel, IPSec User, Time Stamping, 1.3.6.1.5.5.7.3.17
X509v3 Subject Key Identifier:
CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
X509v3 Authority Key Identifier:
keyid:CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
URI:http://myhost.com/myca.crl
Signature Algorithm: sha1WithRSAEncryption
69:11:dc:65:4d:f2:af:50:6f:58:56:67:97:fd:26:c4:a4:93:
0e:59:c3:bf:0f:ae:d5:58:9e:33:e3:21:11:7d:8a:fd:dd:10:
11:6e:b3:69:b8:39:28:d4:c9:a4:8f:01:94:d6:96:92:0a:bd:
0d:13:eb:29:5c:d0:7c:7c:12:09:f0:db:c0:fd:7a:4b:33:5d:
d6:68:36:51:a3:8b:b9:92:90:52:ea:7d:13:f6:4e:83:d3:60:
22:c1:c1:b0:9b:f2:72:2c:d1:f7:ae:3c:b0:7c:17:7b:66:a0:
ff:3a:50:ee:56:e4:bc:35:16:fb:65:41:78:1d:32:2d:7f:51:
2b:ce
-----BEGIN CERTIFICATE-----
. . .
All I get on the Windows side is:
Error 13801: IKE authentication credentials are unacceptable.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
尝试将它们添加到您的计算机的证书存储而不是您的用户的证书存储中,然后它就会起作用。
Try adding them to your Computer's certificate store instead of your User's certificate store, then it will work.