HowTo: Create Self-Signed Certificates with PowerShell

This is a short post about how to create self-signed certificates with PowerShell's New-SelfSignedCertificate. More specifically, this post will cover creating your own root certificate, exporting the public (.cer) and PFX files, and creating certificates signed by your root certificate authority. Historically you would do this using the old trusty makecert.exe, but nowadays we can do it straight from PowerShell! (oh joy!)

Create Root Certificate

Here’s what we are going to do:

  1. Create the certificate;
  2. Define a password string;
  3. Export the certificate in PFX format, and secure it with the password you identified;
  4. Export the public certificate and save it as a .cer file.

So let's get going. In your PowerShell console, type the following (replacing the DNS name with something relevant to you):

This will result in something along the lines of the following being displayed in the console:


Thumbprint Subject
---------- -------
F81AFDC2A23B8629580374E64871941476E43F02 CN=DC Lab Root Authority

You want to take a note of the thumbprint displayed, as you will need it later. In the case above, the thumbprint is F81AFDC2A23B8629580374E64871941476E43F02.

You then want to set up a variable holding the password as a string.

Now, let’s export the root certificate as a PFX file and use the password we just set up.

Great, now you have the PFX file saved, let's export the public key of your root authority (this is what you will install in "Trusted Root Certification Authorities", for example). NB: As it's only the public certificate we are exporting, you do not need to set a password.

Create Certificates signed by our Root Certificate Authority

Here’s what we are going to do:

  1. Load the root authority certificate into memory;
  2. Create a certificate signed by the root authority;
  3. Define a password string to secure the PFX file;
  4. Export the new certificate as a PFX file;
  5. Export the new certificate as a CRT file.

Load the root authority certificate

Loading the root authority certificate is as easy as pie. Below I am using the root certificate authority thumbprint discovered above.

Create a certificate signed by the root authority

OK, so now we want to create a new certificate, but this time have the root certificate authority sign it.

NB: I am not using a resolvable DNS name in my example, but you can! (such as

This will result in the thumbprint of the new certificate being displayed in the console.  Again, record this thumbprint for use later.

Define a password string

Export the new certificate as a PFX file

Export new certificate public key as a CRT file

Use the following to export the public key of the certificate.
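The two procedures above (root authority, then a certificate signed by it) as one worked script. This is an added example, not the post's own commands; the subject names, DNS names, the C:\certs output folder and the passwords are placeholders to replace, and it must run in an elevated console because it writes to the LocalMachine store. The -KeyUsage and -NotAfter settings are the ones the comments on this post recommend.

```powershell
# Added example (not the post's original commands). Assumed/placeholder values:
# output folder, DNS names and passwords. Run elevated (LocalMachine store).
$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA certificate. CertSign key usage and a CA basic-constraints
#    extension make it usable as an issuer; 10-year validity as in the comments.
$rootCert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=DC Lab Root Authority' `
    -DnsName 'lab-root.example.invalid' `
    -KeyUsage CertSign, DigitalSignature, CRLSign `
    -KeyExportPolicy Exportable `
    -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0')
Write-Host "Root thumbprint: $($rootCert.Thumbprint)"

# 2./3. Password string and password-protected PFX export (contains private key)
$rootPwd = ConvertTo-SecureString -String 'ChangeMe-RootPfx!' -AsPlainText -Force
Export-PfxCertificate -Cert $rootCert -FilePath "$outDir\lab-root.pfx" -Password $rootPwd | Out-Null

# 4. Public certificate only; this is what goes into Trusted Root Certification Authorities
Export-Certificate -Cert $rootCert -FilePath "$outDir\lab-root.cer" | Out-Null

# Second procedure: load the root from the store by thumbprint, as the post does
$signer = Get-ChildItem "Cert:\LocalMachine\My\$($rootCert.Thumbprint)"

# Leaf certificate signed by the root; serverAuth EKU so IIS/browsers accept it
$leafCert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=web01.lab.example.invalid' `
    -DnsName 'web01.lab.example.invalid', 'web01' `
    -Signer $signer `
    -KeyUsage KeyEncipherment, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
Write-Host "Leaf thumbprint: $($leafCert.Thumbprint)"

$leafPwd = ConvertTo-SecureString -String 'ChangeMe-LeafPfx!' -AsPlainText -Force
Export-PfxCertificate -Cert $leafCert -FilePath "$outDir\web01.pfx" -Password $leafPwd | Out-Null
Export-Certificate -Cert $leafCert -FilePath "$outDir\web01.crt" | Out-Null

# Sanity check: the leaf's issuer must be the root's subject
if ($leafCert.Issuer -ne $rootCert.Subject) { throw 'Leaf was not issued by the root' }
```

Only lab-root.cer needs to be imported into Trusted Root Certification Authorities on clients; keep the PFX files (private keys) off shared locations.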

All done !! No makecert.exe or mmc to be seen 🙂

Have fun.


PS. For extra fun, here are some other examples:

Extra: Create Certificates with Subject Alternative Names (SAN)

New-SelfSignedCertificate -DnsName <name1>, <name2> -CertStoreLocation cert:\LocalMachine\My

(<name1>, <name2> are placeholders for the names you want in the certificate; the first becomes the subject and every name listed is added as a Subject Alternative Name.)

Extra: Create Wildcard Certificates

New-SelfSignedCertificate -dnsname * -certstorelocation cert:\localmachine\my

  • Alon Sim

    few questions please:
    -certstorelocation cert:\localmachine\my: what is "cert:\localmachine\my"? what other values it can have?

    dnsname: can that be any string? where and how this string is used?

  • Manoj Maity

    Hello there, I have created root certificate and the other certificate, which acts as both client and server certificate.
    When I created an https binding in Windows IIS, using the other certificate, it gets hosted normally with SSL settings as Require SSL option checked.
    But when I use that same certificate as client certificate and add it into Chrome's certificate list, it gives an error of "HTTP Error 403.7 – Forbidden
    The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.”

    Any help shall be appreciated.


  • Simon Weaver

    Finally! Finding your article is long overdue. Sick and tired of finding articles telling me to use makecert or openssl like Windows is a second class citizen.

  • Simon Weaver

    There are two very important things missing. For the CA you need to add -KeyUsage DigitalSignature,CertSign – or else browsers won't recognize the cert as valid. For the self-signed (child) cert you need to add -KeyUsage KeyEncipherment,DigitalSignature as a parameter. In addition, if you don't want it expiring after a year you need to add -NotAfter (Get-Date).AddYears(10)