Posted on April 8, 2016 · Posted in Powershell, Windows 10

How To Create Self-Signed Certificate with PowerShell

Most Windows administrators who are familiar with PKI know about the utility MakeCert.exe , which allows to create a self-signed certificate. This tool is included in Microsoft .NET Framework SDK and Microsoft Windows SDK. In Windows 8 and Windows Server 2012, a self-signed certificate can be created using PowerShell 3.0 or higher without any special tools.

To create a self-signed certificate in PowerShell, it is recommended to use New-SelfSignedCertificate cmdlet, being a part of PoSh PKI (Public Key Infrastructure) module:

Here is how to display the list of all cmdlets in module:

Get-Command -Module PKI

Get-Command -Module PKI

Note. Unlike MakeCert, New-SelfSifgnedCertificate cmdlet allows to issue only an SSL certificate, which can not be used to sign a driver or an application code.

A self-signed certificate can be used for testing purposes or to provide certificates to Intranet services (IIS, Exchange, Web Application Proxy, LDAPS, ADRMS, DirectAccess etc.) if on any reason it is impossible to deploy a PKI/CA infrastructure.

To create a certificate, you have to specify the values of –DnsName (DNS name of a server, the name may be arbitrary and different from localhost name) and -CertStoreLocation (a local certificate storage the generated certificate will be placed in). The cmdlet can be used to create a self-signed certificate in Windows 10 (in our example), Windows 8/8.1 and Windows Server 2012/2012 R2.

To create a certificate for the DNS name and place it in the list of personal certificates on a computer, run the following command:

New-SelfSignedCertificate -DnsName -CertStoreLocation cert:\LocalMachine\My

New-SelfSignedCertificate  cmdlet

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                               Subject
----------                               -------

This command creates a certificate and imports it in a personal storage on the computer. Having opened certlm.msc snap-in, make sure that a new certificate has appeared in the Personal section of the certificate storage. 

certlm.msc  personal certificate storage

Note. The self-signed certificate is valid within a year since the date it has been created.

To export the generated certificate as a PFX file with a password, we need its thumbprint, which can be copied from the results of New-SelfSignedCertificate command:

$CertPassword = ConvertTo-SecureString -String “YourPassword” -Force –AsPlainText

Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C4900D855B31AAA0Cfe2F6BE1A5C2CA83B30  -FilePath C:\test.pfx -Password $CertPassword


The certificate public key can be exported as follows:

Export-Certificate -Cert Cert:\LocalMachine\My\2779C4900D855B31AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\tstcert.cer

This public key or the certificate file itself can be installed on a web-server or domain clients using GPO (How to install a certificate on a domain PCs using GPO).

One of the useful features of New-SelfSignedCertificate cmdlet is the opportunity to create a certificate with several different names Subject Alternative Names (SAN).

Note. If you create a certificate with several names, the first name in DnsName parameter will be used as CN (Common Name) of a certificate.

For instance, let’s create a certificate with the following names:

  • Subject Name (CN):
  • Subject Alternative Name (DNS):
  • Subject Alternative Name (DNS):

The command will look like this:

New-SelfSignedCertificate -DnsName,, -CertStoreLocation cert:\LocalMachine\My

certificate with several Subject Alternative Name

Also, you can sign a certificate for the whole namespace in the domain. To do it, specify * as a server name.

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *

Related Articles