In this post I introduce a little PowerShell script that lets you quickly create a self-signed certificate.

Tim Buntrock

Tim Buntrock is one of three enterprise administrators for the Active Directory service of a "global player" in the contact center business. He is a certified engineer for MCTS, MCITP, MCSA and MCPS.

A self-signed certificate is a certificate you sign with your own private key. In contrast, an external public internet certificate authority (CA) signs a public certificate. You can also have your own private CA in which you can issue a private certificate.

Here, we are only concerned about self-signed certificates and creating them with PowerShell. Note that you need at least PowerShell 4 to follow the instructions in this article.

The command below uses the cmdlet New-SelfSignedCertificate to create a certificate and store it in the certificate store of the local machine.

In this example, I use the fully qualified domain name (FQDN) "" You can use the internet domain of your organization.

Creating a self signed certificate with New SelfSignedCertificate

Creating a self signed certificate with New SelfSignedCertificate

Copy the thumbprint to use later on. This is the thumbprint in the example above: AA99819711BB1A0572F15C2C3369DE078A1FCBE3

Next, we store a password into the variable $pw:

The following command uses the Export-PfxCertificate cmdlet and the thumbprint from above to export the certificate to a file.

If you have to follow the procedure often, you can use this little script:

The script uses the Read-Host cmdlet to prompt the user for the certificate name. It then stores the certificate, password, and thumbprint in variables it then uses to export the certificate to a file.

Create a certificate with a PowerShell script

Create a certificate with a PowerShell script

After the script runs, you should see the certificate on your desktop and in the certificate store.

Certificate file on the desktop

Certificate file on the desktop

The certificate in the Certificates snap in

The certificate in the Certificates snap in

By default, the certificate will expire in one year. If you want to specify the certificate expiration, you just have to use the -NotAfter parameter with the New-SelfSignedCertificate cmdlet:

This is the entire script:

Join the 4sysops PowerShell group!

  1. Calli 11 months ago

    Hi, I have seen lot's of examples to create a certificate for internet usage using Powershell.
    But none of the examples shows how do I get a certificate to sin my own PS-scripts on my pc.

    I remember makecert. You first create a root certificate and then the 'user' certifiate to sing the scripts with. I miss the second step so that I can sign a sript with just this script:

    check whether the file is in UTF( and sign it - otherwise give hint what to do
    Sign Single File, enter as Path\Name.ps1, e.g.:
    [CmdletBinding()] Param (
    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string]$FileName,
    [Parameter(Mandatory = $False, ValueFromPipelineByPropertyName = $True)] [int]$Idx=0

    function isUTF8 ( [string]$FileName, [int]$Idx )

    [byte[]]$byte = get-content -Encoding byte -ReadCount 4 -TotalCount 4 -Path $FileName

    if ( $byte[0] -eq 0xef -and $byte[1] -eq 0xbb -and $byte[2] -eq 0xbf ) {
    Write-Output "$FileName`r`nis UTF8, going to sign it using cert. index: $Idx"
    sign $FileName $Idx
    } else {
    Write-Output "$FileName is NOT UTF8!`r`nLoad it in Notepad++ and save it in UTF8 - otherwise it can't be signed"

    function sign ([string]$FileName, [int]$Idx) {
    $cert = @(gci cert:\currentuser\my -codesigning)[$Idx]
    Set-AuthenticodeSignature $FileName $cert

    isUTF8 $FileName $Idx

    Can you give me a hint what to do?



Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2019


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account