HowTo: Create Self-Signed Certificates with PowerShell

This is a short post about how to create Self-Signed certificates with the New-SelfSignedCertificate  PowerShell module.  More specifically, this post will cover creating your own Root Certificate, exporting public and PFX certificates, creating certificates signed by your root certificate authority.  Historically you would do this using the old-trusty makecert.exe, but nowadays we can do it straight from powershell! (oh joy!)

Create Root Certificate

Here’s what we are going to do:

  1. Create the certificate;
  2. Define a password string;
  3. Export the certificate in PFX format, and secure it with the password you identified;
  4. Export the public certificate and save it as a .cer file.

So let’s get going.  In your powershell console, type the following (Replacing the dnsname with something relevant to you)

this will result in something along the line of the following being displayed in the console

Microsoft.PowerShell.Security\Certificate::LocalMachine\my

Thumbprint Subject
———- ——-
F81AFDC2A23B8629580374E64871941476E43F02 CN=DC Lab Root Authority

You want to take a note of the thumbprint guid displayed as you will need this later.  In the case above, the thumbprint is F81AFDC2A23B8629580374E64871941476E43F02

You then want to set up a variable a string value as the password

Now, let’s export the root certificate as a PFX file and use the password we just set up.

Great, now you have the PFX file saved, let’s export the public key of your root authority (this is what you will install in “Trusted Root Authorities” for example).  NB: As it’s the only the public certificate we are exporting, you do not need to set a password.

Create Certificates signed by our Root Certificate Authority

Here’s what we are going to do:

  1. Load the root authority certificate into memory;
  2. Create a certificate signed by the root authority;
  3. Define a password string to secure the PFX file;
  4. Export the new certificate as a PFX file;
  5. Export the new certificate as a CRT file

Load the root authority certificate

Load the root authority certificate is as easy as pie.  Below I am using the root cert authority thumbprint discovered above

Create a certificate signed by the root authority

OK, so now we want to create a new certificate, but this time have the root certificate authority sign it.

nb: I am not using a resolvable dnsname in my example, but you can! (such as www.example.com)

This will result in the thumbprint of the new certificate being displayed in the console.  Again, record this thumbprint for use later.

Define a password string

Export the new certificate as a PFX file

Export new certificate public key as a CRT file

Use the following to export the public key of the certificate.

All done !! No makecert.exe or mmc to be seen 🙂

have fun.

DC

ps. For extra fun, here are some other examples

Extra: Create Certificates with Subject Alternative Names (SAN)

New-SelfSignedCertificate -DnsName domain.example.com,anothersubdomain.example.com -CertStoreLocation cert:\LocalMachine\My

Extra: Create Wildcard Certificates

New-SelfSignedCertificate -dnsname *.example.com -certstorelocation cert:\localmachine\my

  • Alon Sim

    few questions please:
    -certstorelocation cert:localmachinemy: what is “cert:localmachinemy”? what other values it can have?

    dnsname: can that be any string? where and how this string is used?