How to create a custom self signed certificate with PowerShell

From time to time you may need a custom certificate for testing or troubleshooting purposes. If you do not have access to a lab where you have an Enterprise Certificate Authority running, generating a self signed certificate is often a quick and convenient way of getting a usable certificate.

As a word of caution, a self signed certificate should only be used for testing and troubleshooting purposes and never for production and operation, as it does not originate from a generally trusted source, and the use of a self signed certificate may cause web browsers to display phishing warnings.

Note that this procedure requires PowerShell version 4.0 or newer, and uses the New-SelfSignedCertificate and Export-PfxCertificate cmdlets to first generate the certificate and then export it together with the private key to a password protected PFX file.

As alternatives to generating a self signed certificate with PowerShell, you can use Internet Information Services (IIS) to create a self signed certificate or use the MakeCert application.

In this example, generating the self signed certificate requires the path to a certificate store and the DNS name to use as the Subject and Issuer name. Creating a certificate with multiple Subject Alternative Names only requires that multiple DNS names are specified; the first name is used as the Subject and Issuer name.

By default, the certificate is created using the following settings:

  • Cryptography algorithm:  RSA
  • Public key size: 2048 bit
  • Enhanced key usage:  Client Authentication and Server Authentication
  • Key usage:  Digital Signature, Key Encipherment (a0)
  • Key validity period:  1 year

The following command generates a new self signed certificate for service.adatum.local, places the certificate in the Current User certificate store, and outputs the certificate's Thumbprint and Subject:

New-SelfSignedCertificate -DnsName service.adatum.local -CertStoreLocation cert:\CurrentUser\My


Copy the Thumbprint for use when exporting this certificate to a PFX file.

To list all certificates in the Current User or the Local Computer certificate store, use the standard dir command together with the certificate provider's path to the relevant certificate store:

dir cert:\CurrentUser\My

dir cert:\LocalMachine\My


The same output is also produced when using the Get-ChildItem cmdlet:

Get-ChildItem -Path cert:\CurrentUser\My
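Listing the store is also the quickest way to find out which certificates on a machine are self signed (Subject equal to Issuer), carry a private key, or are about to expire. The function below is an added example and not part of the original post; it wraps Get-ChildItem over a certificate store path and produces one summary object per certificate. The store path and the 30-day threshold are parameters with assumed defaults.

```powershell
# Added example (not from the original post): summarise a certificate store and
# flag self signed certificates and certificates that expire within N days.
function Get-CertificateStoreReport {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',   # assumed default store
        [int]$ExpiresWithinDays = 30                    # assumed default threshold
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            # A self signed certificate is its own issuer
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            DaysLeft      = [int]($_.NotAfter - $now).TotalDays
            ExpiringSoon  = ($_.NotAfter -le $now.AddDays($ExpiresWithinDays))
            # DnsNameList is the script property PowerShell adds for the SAN entries
            DnsNames      = ($_.DnsNameList.Unicode -join ', ')
        }
    }
}

# Usage: full report for the current user store
Get-CertificateStoreReport | Format-Table -AutoSize

# Usage: only the self signed certificates in both stores used in this post
'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' |
    ForEach-Object { Get-CertificateStoreReport -StorePath $_ } |
    Where-Object { $_.SelfSigned } |
    Format-Table Thumbprint, Subject, NotAfter, DaysLeft -AutoSize
```

Running the second usage on a server after a troubleshooting session shows whether any test certificate created with New-SelfSignedCertificate was left behind in the Local Machine store.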


To export the self signed certificate with its associated private key to a PFX file, we can either use the Certificates management console snap-in or, as in this case, the Export-PfxCertificate cmdlet. The Export-PfxCertificate cmdlet requires the location of the certificate to export, the password as a secure string, and the file location where the PFX file is to be stored.

In this example we first need to convert the password for the PFX file into a secure string and store the result in a variable.
The second command exports the previously generated certificate to a PFX file, using the variable holding the protected password string, and saves the PFX on the local hard drive:

$PFXPass = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\CurrentUser\My\29D07EE0407B84983232267B4E468A25F985E93A -Password $PFXPass -FilePath C:\TEMP\Service-adatum-local.pfx


The self signed certificate is now exported to a password protected PFX file saved on the local hard drive, from where it can be copied to another server and used for testing.
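The whole procedure, from the generation settings listed above through the export, can be carried out in one script. The following is an added example and not code from the original post: it creates a certificate with several DNS names (the first becomes the Subject and Issuer), keeps the thumbprint in a variable instead of copying it by hand, prints the properties the defaults list promises so they can be checked, exports the certificate with its private key to a PFX, and reads the PFX back to confirm the export worked. The DNS names and the output path are constructed values, and the password is prompted for with Read-Host rather than written into the script.

```powershell
# Added example (not from the original post). Assumed values: the DNS names,
# the PFX path and the store used below.
$DnsNames  = 'service.adatum.local', 'service', 'service.adatum.com'
$PfxPath   = 'C:\TEMP\Service-adatum-local.pfx'
$StorePath = 'Cert:\CurrentUser\My'

# Generate the certificate; the cmdlet returns the X509Certificate2 now in the store.
$cert = New-SelfSignedCertificate -DnsName $DnsNames -CertStoreLocation $StorePath

# Show what was actually created so the defaults can be verified:
# RSA, 2048 bit, Client/Server Authentication, Digital Signature + Key Encipherment, 1 year.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyUsage = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Algorithm  = $cert.PublicKey.Oid.FriendlyName
    KeySize    = $rsa.KeySize
    EKU        = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
    KeyUsage   = $keyUsage.KeyUsages
    DnsNames   = ($cert.DnsNameList.Unicode -join ', ')
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
} | Format-List

# Prompt for the PFX password; -AsSecureString returns the SecureString
# that Export-PfxCertificate expects, so no ConvertTo-SecureString is needed.
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Make sure the target folder exists, then export by thumbprint using the
# Cert:\<store>\<thumbprint> path form used in this post.
$null = New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force
Export-PfxCertificate -Cert "$StorePath\$($cert.Thumbprint)" -Password $PfxPass -FilePath $PfxPath

# Verify the export: load the PFX with the same password and compare thumbprints.
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $PfxPass
if ($imported.Thumbprint -eq $cert.Thumbprint -and $imported.HasPrivateKey) {
    "PFX verified: $PfxPath contains $($cert.Subject) with its private key"
} else {
    throw "PFX verification failed for $PfxPath"
}
```

The verification step is the one worth keeping even in throwaway scripts: a PFX written with a mistyped password, or one that ended up without the private key, is only discovered when the file is imported on the other server.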


References:

MakeCert – https://msdn.microsoft.com/library/windows/desktop/aa386968.aspx

Certificate Provider – https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/about/about_certificate_provider

Create a Self-Signed Server Certificate in IIS 7 – https://technet.microsoft.com/en-us/library/cc753127%28v=ws.10%29.aspx

  1. Open IIS Manager and navigate to the level you want to manage.

  2. In Features view, double-click Server Certificates.

  3. In the Actions pane, click Create Self-Signed Certificate.

  4. On the Create Self-Signed Certificate page, type a friendly name for the certificate in the Specify a friendly name for the certificate box, and then click OK.
