Most Windows administrators familiar with PKI know the MakeCert.exe utility, which allows creating a self-signed certificate. This tool is included in the Microsoft .NET Framework SDK and the Microsoft Windows SDK. In Windows 8 and Windows Server 2012, a self-signed certificate can be created using PowerShell 3.0 or higher without any additional tools.
To create a self-signed certificate in PowerShell, it is recommended to use the New-SelfSignedCertificate cmdlet, which is part of the PowerShell PKI (Public Key Infrastructure) module.
To display the list of all cmdlets in the module, run:
Get-Command -Module PKI
A self-signed certificate can be used for testing purposes or to provide certificates to intranet services (IIS, Exchange, Web Application Proxy, LDAPS, AD RMS, DirectAccess, etc.) if for any reason it is impossible to deploy a PKI/CA infrastructure.
To create a certificate, you have to specify the values of -DnsName (the DNS name of the server; the name may be arbitrary and differ from the local computer's hostname) and -CertStoreLocation (the local certificate store the generated certificate will be placed in). The cmdlet can be used to create a self-signed certificate in Windows 10 (as in our example), Windows 8/8.1 and Windows Server 2012/2012 R2.
To create a certificate for the DNS name test.contoso.com and place it in the computer's Personal certificate store, run the following command:
New-SelfSignedCertificate -DnsName test.contoso.com -CertStoreLocation cert:\LocalMachine\My
This command creates the certificate and imports it into the computer's Personal store. Open the certlm.msc snap-in and make sure the new certificate appears in the Personal section of the certificate store.
To export the generated certificate as a PFX file (which includes the private key) protected with a password, we need its thumbprint, which can be copied from the output of the New-SelfSignedCertificate command:
$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C4900D855B31AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\test.pfx -Password $CertPassword
The certificate itself (the public part only, without the private key) can be exported to a CER file as follows:
Export-Certificate -Cert Cert:\LocalMachine\My\2779C4900D855B31AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\tstcert.cer
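The whole procedure above, from creating the certificate to exporting the PFX and CER files, as one added script (it is not code from the original article). It takes the thumbprint from the object the cmdlet returns instead of copying it by hand, and it verifies that the exported CER carries no private key; the function name, the default file paths and the DNS name are assumptions for this example.

```powershell
# Added example (not from the original article): create a self-signed certificate and
# export both the PFX (with private key) and the CER (public part only) in one step.
# The function name, the default paths and the DNS name are assumptions for this example.
# Run from an elevated PowerShell session, since it writes to the LocalMachine store.

function New-TestServerCertificate {
    param(
        [Parameter(Mandatory)][string]$DnsName,            # e.g. test.contoso.com
        [Parameter(Mandatory)][securestring]$PfxPassword,  # protects the exported private key
        [string]$PfxPath = 'C:\test.pfx',                  # assumed path
        [string]$CerPath = 'C:\tstcert.cer'                # assumed path
    )

    $storePath = 'Cert:\LocalMachine\My'

    # New-SelfSignedCertificate returns the X509Certificate2 it just placed in the store,
    # so the thumbprint can be taken from the object instead of being pasted by hand.
    $cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation $storePath
    $certPath = "$storePath\$($cert.Thumbprint)"

    # PFX = certificate + private key. Treat the file like any other secret.
    Export-PfxCertificate -Cert $certPath -FilePath $PfxPath -Password $PfxPassword | Out-Null

    # CER = public certificate only; this is the file to hand to clients (e.g. via GPO).
    Export-Certificate -Cert $certPath -FilePath $CerPath | Out-Null

    # Sanity check: the CER must not carry a private key, while the store entry must.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotAfter           = $cert.NotAfter
        StoreHasPrivateKey = $cert.HasPrivateKey          # expected: True
        CerHasPrivateKey   = $exported.HasPrivateKey      # expected: False
        ThumbprintMatches  = ($exported.Thumbprint -eq $cert.Thumbprint)
    }
}

# Usage: read the password interactively rather than hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-TestServerCertificate -DnsName 'test.contoso.com' -PfxPassword $pfxPassword
```

The password is read with Read-Host -AsSecureString instead of ConvertTo-SecureString -AsPlainText so that it never sits in the script or in the command history; the returned object lets you confirm at a glance which artifact contains the private key before the PFX is copied anywhere.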
This public certificate file can be installed on a web server or on domain clients using GPO (see: How to install a certificate on domain PCs using GPO). Clients trust a self-signed certificate only once it has been placed in their Trusted Root Certification Authorities store.
One of the useful features of the New-SelfSignedCertificate cmdlet is the ability to create a certificate with several different names, i.e. Subject Alternative Names (SAN).
For instance, let's create a certificate with the following names:
- Subject Name (CN): adfs1.contoso.com
- Subject Alternative Name (DNS): web_gw.contoso.com
- Subject Alternative Name (DNS): enterprise_reg.contoso.com
The command will look like this:
New-SelfSignedCertificate -DnsName adfs1.contoso.com,web_gw.contoso.com,enterprise_reg.contoso.com -CertStoreLocation cert:\LocalMachine\My
You can also issue a wildcard certificate for the whole DNS namespace of the domain. To do it, specify *.contoso.com as the DNS name:
New-SelfSignedCertificate -DnsName *.contoso.com -CertStoreLocation cert:\LocalMachine\My
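To see which host names the SAN and wildcard certificates above actually cover, here is an added example (not code from the original article) that creates both, reads the DNS names back from the certificate objects in the store and checks candidate host names against them. A wildcard such as *.contoso.com matches exactly one left-most label, so it covers web.contoso.com but neither contoso.com nor a.b.contoso.com. The function names and the list of host names being checked are assumptions for this example.

```powershell
# Added example (not from the original article): create the SAN and wildcard certificates,
# list the DNS names each one carries, and test which host names they cover.
# Function names and the checked host names are assumptions. Requires an elevated session.

function Get-CertificateDnsName {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # DnsNameList is a property PowerShell adds to X509Certificate2 objects; it is decoded
    # from the Subject Alternative Name extension that -DnsName populates.
    foreach ($entry in $Certificate.DnsNameList) { $entry.Unicode }
}

function Test-CertificateCoversHost {
    param(
        [Parameter(Mandatory)][string[]]$DnsNames,
        [Parameter(Mandatory)][string]$HostName
    )
    foreach ($name in $DnsNames) {
        if ($name -eq $HostName) { return $true }   # -eq is case-insensitive in PowerShell
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label: *.contoso.com matches
            # web.contoso.com but neither contoso.com nor a.b.contoso.com.
            $suffix = $name.Substring(1)            # ".contoso.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$storePath = 'Cert:\LocalMachine\My'

# The two certificates from the article: one with three SAN entries, one wildcard.
$sanCert      = New-SelfSignedCertificate -DnsName adfs1.contoso.com,web_gw.contoso.com,enterprise_reg.contoso.com -CertStoreLocation $storePath
$wildcardCert = New-SelfSignedCertificate -DnsName *.contoso.com -CertStoreLocation $storePath

# Host names to check (assumed for this example).
$hostsToCheck = 'adfs1.contoso.com', 'web_gw.contoso.com', 'portal.contoso.com', 'a.b.contoso.com', 'contoso.com'

foreach ($c in $sanCert, $wildcardCert) {
    $names = @(Get-CertificateDnsName -Certificate $c)
    "Certificate $($c.Thumbprint) covers: $($names -join ', ')"
    foreach ($h in $hostsToCheck) {
        '  {0,-22} {1}' -f $h, (Test-CertificateCoversHost -DnsNames $names -HostName $h)
    }
}
```

Running this shows that the SAN certificate covers only the three names it was issued for, while the wildcard certificate covers portal.contoso.com but not contoso.com itself or a.b.contoso.com; that is exactly the matching rule browsers and TLS clients apply, so it is a useful check before deciding which of the two certificates a service needs.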