HowTo: Create Self-Signed Certificates with PowerShell
8 September 2016This is a short post about how to create Self-Signed certificates with the New-SelfSignedCertificate PowerShell module. More specifically, this post will cover creating your own Root Certificate, exporting public and PFX certificates, creating certificates signed by your root certificate authority. Historically you would do this using the old-trusty makecert.exe, but nowadays we can do it straight from powershell! (oh joy!)
Create Root Certificate
Here’s what we are going to do:
- Create the certificate;
- Define a password string;
- Export the certificate in PFX format, and secure it with the password you identified;
- Export the public certificate and save it as a
.cerfile.
So let’s get going. In your powershell console, type the following (Replacing the dnsname with something relevant to you)
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Lab Root Certificate Authority"
this will result in something along the line of the following being displayed in the console
Microsoft.PowerShell.Security\Certificate::LocalMachine\my
Thumbprint Subject
———- ——-
F81AFDC2A23B8629580374E64871941476E43F02 CN=DC Lab Root Authority
You want to take a note of the thumbprint guid displayed as you will need this later. In the case above, the thumbprint is F81AFDC2A23B8629580374E64871941476E43F02
You then want to set up a variable a string value as the password
$pwd = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
Now, let’s export the root certificate as a PFX file and use the password we just set up.
Export-PfxCertificate -cert cert:\localMachine\my\F81AFDC2A23B8629580374E64871941476E43F02 -FilePath root-authority.pfx -Password $pwd
Great, now you have the PFX file saved, let’s export the public key of your root authority (this is what you will install in “Trusted Root Authorities” for example). NB: As it’s the only the public certificate we are exporting, you do not need to set a password.
Export-Certificate -Cert cert:\localMachine\my\F81AFDC2A23B8629580374E64871941476E43F02 -FilePath root-authority.crt
Create Certificates signed by our Root Certificate Authority
Here’s what we are going to do:
- Load the root authority certificate into memory;
- Create a certificate signed by the root authority;
- Define a password string to secure the PFX file;
- Export the new certificate as a PFX file;
- Export the new certificate as a CRT file
Load the root authority certificate
Load the root authority certificate is as easy as pie. Below I am using the root cert authority thumbprint discovered above
$rootcert = ( Get-ChildItem -Path cert:\LocalMachine\My\F81AFDC2A23B8629580374E64871941476E43F02 )
Create a certificate signed by the root authority
OK, so now we want to create a new certificate, but this time have the root certificate authority sign it.
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Gateway Certificate" -Signer $rootcert
nb: I am not using a resolvable dnsname in my example, but you can! (such as www.example.com)
This will result in the thumbprint of the new certificate being displayed in the console. Again, record this thumbprint for use later.
Define a password string
$pwd2 = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
Export the new certificate as a PFX file
Export-PfxCertificate -cert cert:\localMachine\my\A01F36FC2A7EB9CD506BD37E201935D6EB58A592 -FilePath gateway-certificate.pfx -Password $pwd2
Export new certificate public key as a CRT file
Use the following to export the public key of the certificate.
Export-Certificate -Cert cert:\localMachine\my\A01F36FC2A7EB9CD506BD37E201935D6EB58A592 -FilePath gateway.crt
All done !! No makecert.exe or mmc to be seen 🙂
have fun.
DC
ps. For extra fun, here are some other examples
Extra: Create Certificates with Subject Alternative Names (SAN)
New-SelfSignedCertificate -DnsName domain.example.com,anothersubdomain.example.com -CertStoreLocation cert:\LocalMachine\My
Extra: Create Wildcard Certificates
New-SelfSignedCertificate -dnsname *.example.com -certstorelocation cert:\localmachine\my
few questions please:
-certstorelocation cert:localmachinemy: what is “cert:localmachinemy”? what other values it can have?
dnsname: can that be any string? where and how this string is used?
CertStore location can be Cert:\CurrentUser\My or Cert:\LocalMachine\My. Best to refer to the docs for all options @ https://technet.microsoft.com/en-us/library/hh848633.aspx
Hello there, I have created root certificate and the other certificate, which acts as both client and server certificate.
When i created https binding in windows IIS, using the other certificate, it gets hosted normally with ssl settings as Require SSL option checked .
But when i use that same certificate as client certificate and add into chrome certificate list, it gives an error of “HTTP Error 403.7 – Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.”
Any help shall be appreciated.
Manoj.Maity
Finally! Finding your article is long overdue. Sick and tired of finding articles telling me to use makecert or openssl like Windows is a second class citizen.
There’s two very important things missing. For the CA you need to add -KeyUsage DigitalSignature,CertSign – or else browsers won’t recognize the cert as valid. For the self signed (child) cert you need to add -KeyUsage KeyEncipherment,DigitalSignature as a parameter. In addition if you don’t want it expiring after a year you need to add -NotAfter (Get-Date).AddYears(10)