How to Create a Self-Signed Certificate with PowerShell

Self-signed certificates are an easy way to carry out testing and other less important tasks. Self-signed certificates do not have a trusted chain of certificates backing them up and are signed by the user who created them. If you trust the entity that signed the certificate, then you can use it just as you would a properly validated one.

If you need to create a self-signed certificate, one way you can do so is with PowerShell. In this article, you're going to learn how to create a self-signed certificate in PowerShell.

Creating a Self-Signed Certificate

To create a self-signed certificate with PowerShell, you can use the New-SelfSignedCertificate cmdlet. This cmdlet is included in the PKI module.

There are many options when it comes to creating certificates. Common self-signed certificate types are SSLServerAuthentication (default for the cmdlet) and CodeSigning. Also, you can create a DocumentEncryptionCert, which is very useful for encrypting files, and finally a Custom certificate that lets you specify many custom options.

Let's go ahead and create a regular SSLServerAuthentication certificate. This is the type typically used to protect websites with SSL encryption. You can see an example of this below. In this example, the certificate is stored in the Cert:\LocalMachine\My certificate store.

$Params = @{
    # The first DNS name is used for the Subject
    "DnsName"           = @("","")
    "CertStoreLocation" = "Cert:\LocalMachine\My"
    # Valid for six months from creation
    "NotAfter"          = (Get-Date).AddMonths(6)
    "KeyAlgorithm"      = "RSA"
    "KeyLength"         = "2048"
}

PS C:\> New-SelfSignedCertificate @Params

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
4EFF6B1A0F61B4BG692C77F09889BD151EE8BB58     {Client Authentication, Server Authentication}

If all went well, you should now have a newly created certificate! You will notice that the output returns the subject, but the subject only shows the first item passed to it via the DnsName parameter. This is because the second URL becomes part of the subject alternative name list.

Note: if you attempt to run this without Administrator rights, you will get an error message similar to the one below:

New-SelfSignedCertificate: CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)

As you can tell from the Access denied message, you don't yet have permission to run this.

Finding Information on our Certificate

Let's make sure the certificate was created the way we expected. To find information on a particular certificate with PowerShell, you can use the Get-ChildItem cmdlet, just as you might list files in a directory.

PS C:\> Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object Thumbprint -EQ 4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58 | Select-Object *

PSPath                   : Microsoft.PowerShell.Security\Certificate::LocalMachine\My\4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58
PSParentPath             : Microsoft.PowerShell.Security\Certificate::LocalMachine\My
PSChildName              : 4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Client Authentication (, Server Authentication (}
DnsNameList              : {,}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             :
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACng
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 6/22/2020 11:50:15 AM
NotBefore                : 12/22/2019 10:40:20 AM
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 55…}
SerialNumber             : 608C4D5E6B8D41B44ADDC6BD725FE264
SignatureAlgorithm       : System.Security.Cryptography.Oid
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
Thumbprint               : 4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58
Version                  : 3
Handle                   : 2628421609632
Issuer                   :
Subject                  :

There is a lot of useful information here, but you may notice in the DnsNameList that both of the sites are now shown. In addition, the NotAfter date is correctly populated to be 6 months from the date of creation.
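The same properties can be used to audit a whole store rather than one thumbprint. The following is an added example, not part of the original article: it lists every self-issued certificate in a store with its DNS names, RSA key size and remaining lifetime. The store path and the 30-day warning threshold are assumed values.

```powershell
# Added example. $StorePath and $WarnDays are assumed values; adjust as needed.
$StorePath = 'Cert:\LocalMachine\My'
$WarnDays  = 30
$now       = Get-Date

# Heuristic: a certificate whose issuer equals its subject is self-issued.
$report = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -eq $_.Issuer } |
    ForEach-Object {
        # GetRSAPublicKey returns $null for non-RSA keys (for example ECDSA).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        $keyBits = $null
        if ($rsa) { $keyBits = $rsa.KeySize }

        # Classify by remaining lifetime.
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        if ($daysLeft -lt 0)              { $state = 'Expired' }
        elseif ($daysLeft -le $WarnDays)  { $state = 'ExpiringSoon' }
        else                              { $state = 'OK' }

        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            DnsNames      = ($_.DnsNameList.Unicode -join ', ')
            RsaKeyBits    = $keyBits
            Signature     = $_.SignatureAlgorithm.FriendlyName
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            State         = $state
        }
    }

# Soonest-expiring certificates first.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```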

Code Signing Certificate

If you work in PowerShell, you'll know about execution policies. If you have an execution policy set to AllSigned, then you would need to sign each script that runs on your system. Creating a certificate to do this is quite simple!

PS C:\> New-SelfSignedCertificate -Type 'CodeSigningCert' -DnsName 'MyHost'

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\MY

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
14D535EG834370293BA103159EB00876A79959D8  CN=MyHost            Code Signing
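Creating the certificate is only half of the AllSigned workflow: the signer must also be trusted, and each script must actually be signed. The following is an added example, not part of the original article. It assumes the CN=MyHost certificate created above and an elevated session on a test machine; the file names under $env:TEMP are constructed.

```powershell
# Added example; run elevated. Assumes the CN=MyHost code-signing certificate
# created above is in Cert:\LocalMachine\My. File names are constructed.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' -CodeSigningCert |
    Where-Object Subject -EQ 'CN=MyHost' |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with subject CN=MyHost found.' }

# Export the public certificate only (no private key) and trust it on this
# test machine. Root lets the chain build; TrustedPublisher marks the signer
# as trusted. Both stores are machine-wide, so keep this to test systems.
$cer = Join-Path $env:TEMP 'MyHost-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
    Import-Certificate -FilePath $cer -CertStoreLocation $store | Out-Null
}

# Constructed sample script to sign.
$script = Join-Path $env:TEMP 'Signed-Sample.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'

# Request SHA256 explicitly rather than relying on the version's default.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 |
    Select-Object Status, StatusMessage

# Change the signed content and re-check. Any status other than Valid means
# the script would be refused under the AllSigned execution policy.
(Get-Content -Path $script) -replace 'hello', 'edited' | Set-Content -Path $script
Get-AuthenticodeSignature -FilePath $script |
    Select-Object Status, StatusMessage,
        @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Thumbprint } }
```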

Document Protection Certificate

You may not have encountered this much before, but PowerShell, with the Data Protection API, can encrypt files on your system using a Document Protection Certificate. Using the New-SelfSignedCertificate cmdlet, we can easily make a certificate to encrypt your documents.

$Params = @{
    "DnsName"           = "MyHost"
    "CertStoreLocation" = "Cert:\CurrentUser\My"
    "KeyUsage"          = "KeyEncipherment","DataEncipherment","KeyAgreement"
    "Type"              = "DocumentEncryptionCert"
}

PS C:\> New-SelfSignedCertificate @Params

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
14D535EG934370293BA203159EB00876A79959D8  CN=MyHost            Document Encryption

With this type of certificate, you can now use the certificate created to encrypt and decrypt content using PowerShell commands like Protect-CmsMessage and Unprotect-CmsMessage.

Encrypting and decrypting content like this becomes useful if you need to pass the encrypted data around, since you can then use this certificate on another system to decrypt the data. If you rely on the standard Data Protection API (DPAPI) built into Windows, then you would not be able to decrypt the data on other systems or for other users.
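The round trip described above, and the export step needed to decrypt on a second system, look like this. This is an added example, not part of the original article. It assumes the CN=MyHost document encryption certificate created above; the secret value and the file names under $env:TEMP are constructed.

```powershell
# Added example. Assumes the CN=MyHost document encryption certificate created
# above is in Cert:\CurrentUser\My. The secret and file names are constructed.
$cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' -DocumentEncryptionCert |
    Where-Object Subject -EQ 'CN=MyHost' |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No document encryption certificate with subject CN=MyHost found.' }

$plain = 'service-account-password=constructed-sample-value'

# Encrypt to the certificate's public key and save the armoured CMS text.
$cms     = Protect-CmsMessage -To $cert -Content $plain
$cmsFile = Join-Path $env:TEMP 'secret.cms'
Set-Content -Path $cmsFile -Value $cms

# Decrypt. This only works where the matching private key is in the store.
$roundTrip = Unprotect-CmsMessage -Content $cms
[pscustomobject]@{ Decrypted = $roundTrip; Matches = ($roundTrip -eq $plain) }

# To decrypt on another system the private key has to travel with the
# certificate, so export a password-protected PFX and handle it as a secret.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = Join-Path $env:TEMP 'MyHost-docenc.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword | Out-Null

# On the receiving system (same password), then decrypt from the file:
#   Import-PfxCertificate -FilePath .\MyHost-docenc.pfx `
#       -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword
#   Unprotect-CmsMessage -Path .\secret.cms

# Systems that only encrypt need just the public certificate, not the PFX.
$cer = Join-Path $env:TEMP 'MyHost-docenc.cer'
Export-Certificate -Cert $cert -FilePath $cer | Out-Null
```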


PowerShell makes creating self-signed certificates incredibly easy. These certificates have a myriad of uses, but an important note to remember is that they should only be used in testing. You won't have a valid certificate trust chain to validate your self-signed certificates.

Seeing how quick and easy it is to create self-signed certificates, you can start doing this today and properly encrypt any connections or data that you need to!
