Self-signed certificates are a simple way to support tests and other low-stakes tasks. A self-signed certificate has no chain of trust behind it: it is signed by the same entity that created it, so nothing but your own decision to trust that entity vouches for it. If you do trust that entity, you can use the certificate as you would a properly validated one.
If you need to create a self-signed certificate, one way to do it is with PowerShell. In this post, you will learn how to create a self-signed certificate in PowerShell.
Creating a self-signed certificate
To create a self-signed certificate with PowerShell, you can use the New-SelfSignedCertificate cmdlet. This cmdlet is included in the PKI module.
There are many options when creating certificates. Common types of self-signed certificates are SSLServerAuthentication (the cmdlet's default) and CodeSigningCert. You can also create a DocumentEncryptionCert, which is very useful for encrypting files, and finally a Custom certificate that lets you specify many custom options.
Let's go ahead and create an SSLServerAuthentication certificate. This is the type generally used to protect websites with TLS/SSL. You can see an example below; in it, the certificate is stored in the Cert:\LocalMachine\My certificate store.
$Params = @{
    "DnsName"           = @("mywebsite.com","www.mywebsite.com")   # first name becomes the CN, all names go into the SAN
    "CertStoreLocation" = "Cert:\LocalMachine\My"                    # writing here requires an elevated session
    "NotAfter"          = (Get-Date).AddMonths(6)
    "KeyAlgorithm"      = "RSA"
    "KeyLength"         = 2048                                       # KeyLength is an integer, not a string
}
PS C:\> New-SelfSignedCertificate @Params
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                                Subject           EnhancedKeyUsageList
----------                                -------           --------------------
4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58  CN=mywebsite.com  {Client Authentication, Server Authentication}
If everything went well, you should now have a newly created certificate. Notice that the output shows the subject, but the subject only carries the first name passed through the DnsName parameter. The second name is not lost: it goes into the certificate's Subject Alternative Name (SAN) extension, which is where TLS clients look for host names.
Note that if you run this in a session that is not elevated (not running as administrator), you will get an error message like the following:
New-SelfSignedCertificate: CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)
As the Access denied message shows, you do not yet have permission to write to the LocalMachine store; that requires an elevated session.
Finding information about the certificate
Let's make sure the certificate was created the way we expected. To find information about a particular certificate with PowerShell, you can use the Get-ChildItem cmdlet, the same way you would list files in a directory.
PS C:\> Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object Thumbprint -EQ 4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58 | Select-Object *
PSPath                   : Microsoft.PowerShell.Security\Certificate::LocalMachine\My\4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58
PSParentPath             : Microsoft.PowerShell.Security\Certificate::LocalMachine\My
PSChildName              : 4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)}
DnsNameList              : {mywebsite.com, www.mywebsite.com}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             :
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACng
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 6/22/2020 11:50:15 AM
NotBefore                : 12/22/2019 10:40:20 AM
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 3, 55…}
SerialNumber             : 608C4D5E6B8D41B44ADDC6BD725FE264
SignatureAlgorithm       : System.Security.Cryptography.Oid
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
Thumbprint               : 4EFF6B1A0F61B4BF692C77F09889AD151EE8BB58
Version                  : 3
Handle                   : 2628421609632
Issuer                   : CN=mywebsite.com
Subject                  : CN=mywebsite.com
There is a lot of useful information here. Notably, DnsNameList now shows both sites, and NotAfter is correctly populated to six months after the creation date. Also note that Issuer equals Subject: the certificate vouches for itself, which is exactly why no chain of trust exists for it.
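The checks just described, as an added example that is not part of the original post: it creates the same SSL server certificate, verifies the SAN names and validity period programmatically, and builds the chain to show that a self-signed certificate is rejected until it is explicitly trusted. It uses Cert:\CurrentUser\My (an assumption, chosen so it runs without elevation) rather than the post's Cert:\LocalMachine\My.

```powershell
# Added example, not from the original post. Creates the SSL server
# certificate described above, checks the two properties the post inspects,
# and shows why a self-signed chain does not validate on its own.
# Uses Cert:\CurrentUser\My so it runs without an elevated session.
Import-Module PKI

$Params = @{
    DnsName           = @("mywebsite.com", "www.mywebsite.com")
    CertStoreLocation = "Cert:\CurrentUser\My"
    NotAfter          = (Get-Date).AddMonths(6)
    KeyAlgorithm      = "RSA"
    KeyLength         = 2048
}
$new = New-SelfSignedCertificate @Params

# Re-read it from the store, as the post does, so the provider's extra
# properties (DnsNameList, EnhancedKeyUsageList) are available.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$($new.Thumbprint)"

# 1. Both host names must be in the Subject Alternative Name, not only the CN.
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing  = $Params.DnsName | Where-Object { $_ -notin $sanNames }
if ($missing) { throw "Names missing from SAN: $($missing -join ', ')" }

# 2. Validity should be about six months (NotBefore is backdated slightly).
$days = ($cert.NotAfter - $cert.NotBefore).TotalDays
if ($days -lt 175 -or $days -gt 190) { throw "Unexpected validity: $days days" }

# 3. Chain building: issuer equals subject (self-signed) and the certificate
#    is not in Trusted Root Certification Authorities, so Build() returns
#    $false and ChainStatus explains why. Nothing that validates the chain
#    will accept this certificate until it is imported into a trusted store.
$chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$isValid = $chain.Build($cert)
$status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

[pscustomobject]@{
    Thumbprint   = $cert.Thumbprint
    SelfSigned   = ($cert.Issuer -eq $cert.Subject)
    SanNames     = ($sanNames -join ', ')
    ValidityDays = [math]::Round($days)
    ChainValid   = $isValid
    ChainStatus  = $status
}
```

On a machine that has not trusted the certificate, ChainValid is False and ChainStatus reports an untrusted root; that is the behaviour a TLS client will show as well.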
Code signing certificate
If you work in PowerShell, you will have met execution policies. If your execution policy is set to AllSigned, every script run on your system must be signed. Creating a certificate for this is straightforward:
PS C:\> New-SelfSignedCertificate -Type 'CodeSigningCert' -DnsName 'MyHost'
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\MY
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
14D535EG834370293BA103159EB00876A79959D8 CN=MyHost Code Signing
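Signing a script with such a certificate and watching how PowerShell judges the signature, as an added example that is not part of the original post. The script path, the subject MyHost and the store Cert:\CurrentUser\My are assumptions chosen for the example.

```powershell
# Added example, not from the original post. Signs a script with a self-signed
# code-signing certificate and shows the signature status as trust changes.
# Uses Cert:\CurrentUser\My so no elevation is needed.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -DnsName 'MyHost' `
            -CertStoreLocation 'Cert:\CurrentUser\My'

$script = Join-Path $env:TEMP 'Signed-Demo.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"' -Encoding UTF8

function Get-SignatureStatus([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    '{0} ({1})' -f $sig.Status, $sig.StatusMessage
}

# Sign the file. The signature covers the file's content and is embedded in
# a trailing comment block.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
"Just signed    : " + (Get-SignatureStatus $script)

# The chain ends in a root nobody trusts yet, so the signature is not valid.
# For AllSigned to accept it, the certificate must be trusted as a root AND
# as a publisher for this user. Windows shows a confirmation dialog when a
# root certificate is added to the current user's Root store.
$cerPath = Join-Path $env:TEMP 'MyHost-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation $store | Out-Null
}
"After trusting : " + (Get-SignatureStatus $script)

# Any change to the file after signing invalidates the signature; that is
# the property AllSigned relies on to refuse tampered scripts.
Add-Content -Path $script -Value '# appended after signing'
"After tamper   : " + (Get-SignatureStatus $script)
```

The three status lines move from UnknownError (untrusted root) to Valid and then to HashMismatch, which is the sequence a reviewer should expect from a self-signed signing certificate.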
Document protection certificate
You may not have come across this before, but with PowerShell you can encrypt files on your system using a document protection certificate. With the New-SelfSignedCertificate cmdlet, we can easily create a certificate to encrypt your documents.
$Params = @{
    "DnsName"           = "MyHost"
    "CertStoreLocation" = "Cert:\CurrentUser\My"
    "KeyUsage"          = "KeyEncipherment","DataEncipherment","KeyAgreement"
    "Type"              = "DocumentEncryptionCert"
}
PS C:\> New-SelfSignedCertificate @Params
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
14D535EG934370293BA203159EB00876A79959D8 CN=MyHost Document Encryption
With this type of certificate, you can now encrypt and decrypt content using PowerShell commands like Protect-CmsMessage and Unprotect-CmsMessage.
Encrypting and decrypting content like this comes in handy when you need to pass encrypted data around, since the same certificate (with its private key) can later be used on another system to decrypt the data. If you instead rely on the standard Data Protection API (DPAPI) built into Windows, you will not be able to decrypt the data on other systems or as other users, because DPAPI keys are bound to the user and machine that created the data.
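The round trip described above, as an added example that is not part of the original post: it shows what a sender needs (only the public .cer), what a recipient needs (the private key, moved as a password-protected PFX), and contrasts the result with a DPAPI-protected blob. The directory, file names, password prompt and sample secret are constructed placeholders.

```powershell
# Added example, not from the original post. Encrypts a document to the
# document-encryption certificate, shows what each side needs, and contrasts
# the result with DPAPI. Paths, names and the sample secret are placeholders.
$cert = New-SelfSignedCertificate -DnsName 'MyHost' -Type DocumentEncryptionCert `
            -KeyUsage KeyEncipherment, DataEncipherment, KeyAgreement `
            -CertStoreLocation 'Cert:\CurrentUser\My'

$work = Join-Path $env:TEMP 'cms-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# A sender only needs the public certificate (.cer) to encrypt to us.
Export-Certificate -Cert $cert -FilePath "$work\MyHost.cer" | Out-Null

# Decrypting needs the private key. Export it as a password-protected PFX
# only when it must move to another system, and treat that file as a secret.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for MyHost.pfx'
Export-PfxCertificate -Cert $cert -FilePath "$work\MyHost.pfx" -Password $pfxPassword | Out-Null

# Sender side: encrypt with the .cer file; no private key is involved.
$secret = 'constructed sample: db-password=Example123'
Protect-CmsMessage -To "$work\MyHost.cer" -Content $secret -OutFile "$work\secret.cms"

# Anyone can read the envelope metadata (recipient, algorithm) but not the
# content.
Get-CmsMessage -Path "$work\secret.cms" | Select-Object ContentEncryptionAlgorithm, Recipients

# Recipient side. On another machine, first import the PFX into that user's
# store:  Import-PfxCertificate -FilePath MyHost.pfx -Password $pfxPassword `
#             -CertStoreLocation Cert:\CurrentUser\My
$plain = Unprotect-CmsMessage -Path "$work\secret.cms"
if ($plain -ne $secret) { throw 'CMS round trip failed' }

# Contrast: DPAPI needs no certificate, but the blob is bound to this user on
# this machine and cannot be decrypted anywhere else.
$dpapiBlob = ConvertTo-SecureString $secret -AsPlainText -Force | ConvertFrom-SecureString
[pscustomobject]@{
    CmsRoundTrip   = ($plain -eq $secret)
    CmsPortable    = 'yes, with the PFX (private key)'
    DpapiPortable  = 'no, bound to this user and machine'
    DpapiBlobChars = $dpapiBlob.Length
}
```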
Summary
PowerShell makes creating self-signed certificates incredibly easy. These certificates have a wide variety of uses, but remember that they belong in test environments: there is no valid chain of trust to validate a self-signed certificate, so anything that relies on one must be told to trust it explicitly.
Seeing how quick and easy it is to create self-signed certificates, you can start today and encrypt any connection or data you need in your test setups.