Most Windows administrators who are familiar with PKI know about the utility MakeCert.exe , which allows to create a self-signed certificate. This tool is included in Microsoft .NET Framework SDK and Microsoft Windows SDK. In Windows 8 and Windows Server 2012, a self-signed certificate can be created using PowerShell 3.0 or higher without any special tools.
To create a self-signed certificate in PowerShell, it is recommended to use New-SelfSignedCertificate cmdlet, being a part of PoSh PKI (Public Key Infrastructure) module:
Here is how to display the list of all cmdlets in module:
Get-Command -Module PKI
A self-signed certificate can be used for testing purposes or to provide certificates to Intranet services (IIS, Exchange, Web Application Proxy, LDAPS, ADRMS, DirectAccess etc.) if on any reason it is impossible to deploy a PKI/CA infrastructure.
To create a certificate, you have to specify the values of –DnsName (DNS name of a server, the name may be arbitrary and different from localhost name) and -CertStoreLocation (a local certificate storage the generated certificate will be placed in). The cmdlet can be used to create a self-signed certificate in Windows 10 (in our example), Windows 8/8.1 and Windows Server 2012/2012 R2.
To create a certificate for the DNS name test.contoso.com and place it in the list of personal certificates on a computer, run the following command:
New-SelfSignedCertificate -DnsName test.contoso.com -CertStoreLocation cert:\LocalMachine\My
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
2779C4900D855B31AAA0Cfe2F6BE1A5C2CA83B30 CN=test.contoso.com
This command creates a certificate and imports it in a personal storage on the computer. Having opened certlm.msc snap-in, make sure that a new certificate has appeared in the Personal section of the certificate storage.
To export the generated certificate as a PFX file with a password, we need its thumbprint, which can be copied from the results of New-SelfSignedCertificate command:
$CertPassword = ConvertTo-SecureString -String “YourPassword” -Force –AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C4900D855B31AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\test.pfx -Password $CertPassword
The certificate public key can be exported as follows:
Export-Certificate -Cert Cert:\LocalMachine\My\2779C4900D855B31AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\tstcert.cer
This public key or the certificate file itself can be installed on a web-server or domain clients using GPO (How to install a certificate on a domain PCs using GPO).
One of the useful features of New-SelfSignedCertificate cmdlet is the opportunity to create a certificate with several different names Subject Alternative Names (SAN).
For instance, let’s create a certificate with the following names:
- Subject Name (CN): adfs1.contoso.com
- Subject Alternative Name (DNS): web_gw.contoso.com
- Subject Alternative Name (DNS): enterprise_reg.contoso.com
The command will look like this:
New-SelfSignedCertificate -DnsName adfs1.contoso.com,web_gw.contoso.com,enterprise_reg.contoso.com -CertStoreLocation cert:\LocalMachine\My
Also, you can sign a certificate for the whole namespace in the domain. To do it, specify *.contoso.com as a server name.
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *.contoso.com
Hi.
One sentence is not clear:
Note. Unlike MakeCert, New-SelfSifgnedCertificate cmdlet allows to issue only an SSL certificate, which can not be used to sign a driver or an application code.
————————————————
Does this mean that if we are interested in code-signing, that PowerShell cannot be used to generate a certificate?
This is a mistake. New-SelfSignedCertificate cmdlet also can create a code-signing cert this way:
New-SelfSignedCertificate -DnsName dev1.contoso.com -Type CodeSigning
I have been unable to use the New-SelfSignedCertificate cmdlet to create a code-signing cert that can be used to sign Powershell scripts. Whenever I attempt to sign a PS script with my cert using Set-AuthenticodeSignature, it displays Status of UnknownError. However, the certs that I create using makecert work just fine. Has anyone ever attempted to sign a PS script with a cert created by New-SelfSignedCertificate?
Create a new selfsignet cert for code signing:
New-SelfSignedCertificate -DnsName dub-srv1 -Type CodeSigningAdd this cert to Trusted Root section of certmgr.msc console and sign your PS script using this cert:
Set-AuthenticodeSignature C:\Script\yourscript.ps1 @(gci Cert:\LocalMachine\My -DnsName dub-srv1 -codesigning)[0]