Create a self-signed certificate with PowerShell

Home Blog Create a self-signed certificate with PowerShell

4sysops - The online community for SysAdmins and DevOps

    ,   2
In this post I introduce a little PowerShell script that lets you quickly create a self-signed certificate.

Tim Buntrock

Tim Buntrock is one of three enterprise administrators for the Active Directory service of a "global player" in the contact center business. He is a certified engineer for MCTS, MCITP, MCSA and MCPS.

Latest posts by Tim Buntrock (see all)

A self-signed certificate is a certificate you sign with your own private key. In contrast, an external public internet certificate authority (CA) signs a public certificate. You can also have your own private CA in which you can issue a private certificate.

Here, we are only concerned about self-signed certificates and creating them with PowerShell. Note that you need at least PowerShell 4 to follow the instructions in this article.

The command below uses the cmdlet New-SelfSignedCertificate to create a certificate and store it in the certificate store of the local machine.

In this example, I use the fully qualified domain name (FQDN) "wifi.domain.com." You can use the internet domain of your organization.

Creating a self signed certificate with New SelfSignedCertificate

Creating a self signed certificate with New SelfSignedCertificate

Copy the thumbprint to use later on. This is the thumbprint in the example above: AA99819711BB1A0572F15C2C3369DE078A1FCBE3

Next, we store a password into the variable $pw:

The following command uses the Export-PfxCertificate cmdlet and the thumbprint from above to export the certificate to a file.

If you have to follow the procedure often, you can use this little script:

The script uses the Read-Host cmdlet to prompt the user for the certificate name. It then stores the certificate, password, and thumbprint in variables it then uses to export the certificate to a file.

Create a certificate with a PowerShell script

Create a certificate with a PowerShell script

After the script runs, you should see the certificate on your desktop and in the certificate store.

Certificate file on the desktop

Certificate file on the desktop

The certificate in the Certificates snap in

The certificate in the Certificates snap in

By default, the certificate will expire in one year. If you want to specify the certificate expiration, you just have to use the -NotAfter parameter with the New-SelfSignedCertificate cmdlet:

This is the entire script:

Join the 4sysops PowerShell group!

Your question was not answered? Ask in the forum!

5+
Share
2 Comments
  1. Calli 1 year ago

    Hi, I have seen lot's of examples to create a certificate for internet usage using Powershell.
    But none of the examples shows how do I get a certificate to sin my own PS-scripts on my pc.

    I remember makecert. You first create a root certificate and then the 'user' certifiate to sing the scripts with. I miss the second step so that I can sign a sript with just this script:

    <#
    .SYNOPSIS
    check whether the file is in UTF( and sign it - otherwise give hint what to do
    Sign Single File, enter as Path\Name.ps1, e.g.:
    C:\Users\cas\Documents\CentralStation\RawNewsData\LoadAndParse_MQL5_Calendar.ps1
    #>
    [CmdletBinding()] Param (
    [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string]$FileName,
    [Parameter(Mandatory = $False, ValueFromPipelineByPropertyName = $True)] [int]$Idx=0
    )

    function isUTF8 ( [string]$FileName, [int]$Idx )
    {

    [byte[]]$byte = get-content -Encoding byte -ReadCount 4 -TotalCount 4 -Path $FileName

    if ( $byte[0] -eq 0xef -and $byte[1] -eq 0xbb -and $byte[2] -eq 0xbf ) {
    Write-Output "$FileName`r`nis UTF8, going to sign it using cert. index: $Idx"
    sign $FileName $Idx
    } else {
    [console]::beep(500,600)
    Write-Output "$FileName is NOT UTF8!`r`nLoad it in Notepad++ and save it in UTF8 - otherwise it can't be signed"
    }
    }

    function sign ([string]$FileName, [int]$Idx) {
    $cert = @(gci cert:\currentuser\my -codesigning)[$Idx]
    Set-AuthenticodeSignature $FileName $cert
    }

    isUTF8 $FileName $Idx

    Can you give me a hint what to do?

     

    0

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *

*

Follow 4sysops

Twitter Facebook Linkedin RSS

Subscribe to post notfications

Leaderboards

Member Leaderboard – Month

Member Leaderboard – Year

Author Leaderboard – 30 Days

Author Leaderboard – Year

Site Wide Activities [RSS]

Viewing 1 - 10 of 10 items
  • Profile picture of Zachary Patterson

    Zachary Patterson liked comment of Derek on Create a list of local administrators with PowerShell. (So far, Derek has 2 likes for this comment.) 4 hours, 21 minutes ago

    Share

  • bahnjee commented on Group logo of PowerShellHow to find a logged-in user remotely using PowerShell 7 hours, 14 minutes ago

    @Todd M,

    I know this is old but to do what you're looking for, use PSLoggedOn.exe from SysInternals (a Microsoft Tool).

    running the command,

    psloggedon PCName

    will return something like:

    PsLoggedon v1.35 - See who's logged on

    Copyright (C) 2000-2016 Mark Russinovich
    Sysinternals - http://www.sysinternals.com

    Users logged on locally:
         11/20/2019 2:50:27 PM      domainusername

    Users logged on via resource shares:
         11/20/2019 4:09:13 PM      domainyourownusername

    Share

  • Ehtisham commented on Excel Get & Transform – Extract information from Active Directory 7 hours, 15 minutes ago

    Hi Ruben,

    Great article and very helpful. I have just one question though. I just noticed one of the groups in not showing all of the user objects. In group there are about 150 users and Excel data is showing 130. Is there a way to re-sync or force to get all of the users.

    Would really appreciate for your help.

    Share
  • Profile picture of Michael C. Cook Sr.

    Michael C. Cook Sr. posted an update 14 hours, 18 minutes ago

    I'm making some radical updates to this project 'Hybrid - Desired State Controller', wanted to showcase this GUI/networking module that will integrate the MDT/Image Factory/PSD Master project in addition to automating the configuration of IIS, DNS, DHCP, and Certificate based services.

    It's still a long way from being complete, however, you can scope out the tool I made for Active Directory Domain Controller Promotion ( DCPromo ).

    Project is located here.
    https://github.com/mcc85s/PSD-Remaster

    This is as PowerShell based/focused as it is a System Administration and Network Security Engineering. (putting my old school MCSE stuff to the test...)

    Will have my website relaunched soon, probably with Blazor. If you haven't heard of Blazor... well, it's sort of like if a ninja had a baby with a viking. Takes 2 cool things like ASP.Net and Razor/WebAssembly, and makes it possible to do C# instead of Javascript. And... I think it's cool cause I don't like JS.

    - MC

    Share

  • TomH commented on Convert Windows Server 2019 Evaluation to the retail edition 16 hours, 49 minutes ago

    Thanks for the reply. I'm reading of folks unable to do the in-place upgrade. And I've seen multiple examples of that, where they tried to do it, and it did not give them the option. Since I'm on, effectively, a trial copy of 2012R2, I think I fall into that category, where it will not allow me to upgrade from eval to eval.

    The quote I get on one response was: You cannot in-place upgrade to a higher version of windows in any of these scenarios from licensed to evaluation, evaluation to licensed, evaluation to evaluation. That makes a kind of sense.

    Again, thanks for the response. Time to reboot my mind and take a different approach.

    Share
  • Profile picture of Vladan Seget

    Vladan Seget commented on Convert Windows Server 2019 Evaluation to the retail edition 17 hours, 43 minutes ago

    Good question, simply download an eval from Microsoft, and then apply the license number you've got when you bought the product.

    Share

  • TomH commented on Convert Windows Server 2019 Evaluation to the retail edition 18 hours, 11 minutes ago

    So if I want to do an in-place upgrade from 2012R2 to 2019, how do I download a copy of 2019 that does that? When I buy the 2019 license 16core, will that include the software or a link to download it?

    Share

  • murat commented on Group logo of PowerShell10 reasons for using PowerShell ISE instead of the PowerShell console 18 hours, 23 minutes ago

    Guys does someone know why a module (PM1) works in ISE but not in the PS Console.

    Its a little script what I wrote to logon on 365 what write the credentials in the registry.

    Don't get error messages.

    Strange thing is that the same script works within the console when I save it as PS1.

    So not working as PM1 but as PS1 no problem. 

    Share

  • Alon Or commented on Group logo of PowerShellInstall fonts with a PowerShell script 18 hours, 23 minutes ago

    I use the following code to install Fonts on remote PCs, no need to logoff or reboot. Tested on 1909.

    #Computers to install fonts to
$ComputerArray = @("Pc1","Pc2","Pc3")
#A Share containing only the fonts you want to install
$FontDir="FileServerSharesHelpdeskSpecialFonts"
#Wil be created on remote Pc if not exists, fonts will be copied here and deleted after install.
$PcStagingDir="c:tools"

foreach ($pc in $ComputerArray) {
If((Test-Connection -ComputerName  $pc -Count  1 -ErrorAction SilentlyContinue) -and ($Winrmstatus=Test-WSMan -ComputerName $pc -ErrorAction SilentlyContinue)) {
$RemotePcStagingDir = "$pc$($PcStagingDir.replace(':','$'))"
$DisabledSvcs=@()
$ServiceName = @("WinRM")
foreach ($svc in $ServiceName) {
        $i=0
        while(((Get-Service -ComputerName $pc -Name $svc -ErrorAction SilentlyContinue).status -ne "Running")-and($i -lt 10)){
            if((Get-Service -ComputerName $pc -Name $svc -ErrorAction SilentlyContinue).StartType -eq "Disabled"){
            Write-Host "Try $i , Setting service $svc StartType to Manual on $pc ..."
            $DisabledSvcs+=$svc
            Set-Service -ComputerName $pc -Name $svc -StartupType Manual -ErrorAction SilentlyContinue}
        Write-Host "Try $i / 10 , Starting $svc Service on $pc ..."
        $commandz="sc "+$pc +" Start "+$svc
        & cmd.exe /c $commandz | Out-Null
        $i++
        sleep 3}
        if($i -ge 10){break}
    }
if($i -ge 10){Write-Host "Could NOT start service $svc, Skipping Computer $pc" -ForegroundColor Red}else{
if ( -not (Test-Path -Path $RemotePcStagingDir)){New-Item -Path $RemotePcStagingDir -ItemType Directory -Force}
$RemoteWinDir=Invoke-Command -ComputerName $pc -ScriptBlock {return $env:windir}
foreach($FontFile in (Get-ChildItem -file -path $FontDir)){
    if(-not(Test-Path "$pc$($RemoteWinDir.replace(':','$'))Fonts$FontFile")){
        Copy-Item "$FontDir$FontFile" -Destination $RemotePcStagingDir -Force
        Invoke-Command -ComputerName $pc -ScriptBlock {
       $filePath="$using:PcStagingDir$using:FontFile"
       $fontRegistryPath = "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionFonts"
       $fontsFolderPath = "$($env:windir)fonts"
    # Create hashtable containing valid font file extensions and text to append to Registry entry name.
    $hashFontFileTypes = @{}
    $hashFontFileTypes.Add(".fon", "")
    $hashFontFileTypes.Add(".fnt", "")
    $hashFontFileTypes.Add(".ttf", " (TrueType)")
    $hashFontFileTypes.Add(".ttc", " (TrueType)")
    $hashFontFileTypes.Add(".otf", " (OpenType)")
    try
    {
        [string]$filePath = (Get-Item $filePath).FullName
        [string]$fileDir  = split-path $filePath
        [string]$fileName = split-path $filePath -leaf
        [string]$fileExt = (Get-Item $filePath).extension
        [string]$fileBaseName = $fileName -replace($fileExt ,"")

        $shell = new-object -com shell.application
        $myFolder = $shell.Namespace($fileDir)
        $fileobj = $myFolder.Items().Item($fileName)
        $fontName = $myFolder.GetDetailsOf($fileobj,21)
        
        if ($fontName -eq "") { $fontName = $fileBaseName }

        copy-item $filePath -destination $fontsFolderPath

        $fontFinalPath = Join-Path $fontsFolderPath $fileName
        if (-not($hashFontFileTypes.ContainsKey($fileExt))){Write-Host "File Extension Unsupported";$retVal = 0}
        if ($retVal -eq 0) {
            Write-Host "Font `'$($filePath)`'`' installation failed on $env:computername" -ForegroundColor Red
            Write-Host ""
            1
        }
        
        else
        {
            Set-ItemProperty -path "$($fontRegistryPath)" -name "$($fontName)$($hashFontFileTypes.$fileExt)" -value "$($fileName)" -type STRING
            Write-Host "Font `'$($filePath)`' $fontName $($hashFontFileTypes.$fileExt) installed successfully on $env:computername" -ForegroundColor Green
        }

    }
    catch
    {
        Write-Host "An error occured installing `'$($filePath)`' on $env:computername" -ForegroundColor Red
        Write-Host "$($error[0].ToString())" -ForegroundColor Red
        $error.clear()
    }
    }
     }
     Remove-Item "$RemotePcStagingDir$FontFile" -ErrorAction SilentlyContinue
}
}
foreach($DisabledSvc in $DisabledSvcs){
    Write-Host "Setting service $DisabledSvc StartType to Disabled on $pc ..."
    Set-Service -ComputerName $pc -Name $DisabledSvc -StartupType Disabled -ErrorAction SilentlyContinue
    $commandz="sc "+$pc +" Stop "+$DisabledSvc
    & cmd.exe /c $commandz | Out-Null
}
}else{if($Winrmstatus){Write-Host "No Connection to Remote Pc $pc" -ForegroundColor Red}Else{Write-Host "No Connection to WinRM service on Remote Pc $pc" -ForegroundColor Red}}
}
    Share
  • Profile picture of tmack

    tmack liked Using PowerShell type accelerators. (So far, This post has 5 likes) 18 hours, 50 minutes ago

    Share
© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account