In this post I introduce a little PowerShell script that lets you quickly create a self-signed certificate.

A self-signed certificate is a certificate you sign with your own private key. In contrast, an external public internet certificate authority (CA) signs a public certificate. You can also have your own private CA in which you can issue a private certificate.

Here, we are only concerned about self-signed certificates and creating them with PowerShell. Note that you need at least PowerShell 4 to follow the instructions in this article.

The command below uses the cmdlet New-SelfSignedCertificate to create a certificate and store it in the certificate store of the local machine.

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname wifi.domain.com

In this example, I use the fully qualified domain name (FQDN) "wifi.domain.com." You can use the internet domain of your organization.

Figure: Creating a self-signed certificate with New-SelfSignedCertificate

Copy the thumbprint to use later on. This is the thumbprint in the example above: AA99819711BB1A0572F15C2C3369DE078A1FCBE3

Next, we store a password into the variable $pw:

$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText

The following command uses the Export-PfxCertificate cmdlet and the thumbprint from above to export the certificate to a file.

Export-PfxCertificate -cert cert:\localMachine\my\AA99819711BB1A0572F15C2C3369DE078A1FCBE3 -FilePath $env:USERPROFILE\Desktop\Cert.pfx -Password $pw

If you have to follow the procedure often, you can use this little script:

$Certname = Read-Host "Enter Certificate Name"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
Export-PfxCertificate -cert cert:\localMachine\my\$thumbprint -FilePath $env:USERPROFILE\Desktop\$Certname.pfx -Password $pw

The script uses the Read-Host cmdlet to prompt the user for the certificate name. It then stores the certificate, password, and thumbprint in variables it then uses to export the certificate to a file.

Figure: Create a certificate with a PowerShell script

After the script runs, you should see the certificate on your desktop and in the certificate store.

Figure: Certificate file on the desktop

Figure: The certificate in the Certificates snap-in

By default, the certificate will expire in one year. If you want to specify the certificate expiration, you just have to use the -NotAfter parameter with the New-SelfSignedCertificate cmdlet:

$YearsToExpire = Read-Host "How many years should this certificate be valid"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)

This is the entire script:

# Create and export a self-signed certificate
# Script by Tim Buntrock

# Define certificate name
$Certname = Read-Host "Enter Certificate Name"
# Define expiration
$YearsToExpire = Read-Host "How many years should this certificate be valid"
Write-Host "Creating Certificate $Certname" -ForegroundColor Green
# Create certificate
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)
Write-Host "Exporting Certificate $Certname to $env:USERPROFILE\Desktop\$Certname.pfx" -ForegroundColor Green
# Set password to export certificate
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
# Get thumbprint
$thumbprint = $Cert.Thumbprint
# Export certificate
Export-PfxCertificate -cert cert:\localMachine\my\$thumbprint -FilePath $env:USERPROFILE\Desktop\$Certname.pfx -Password $pw
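The script above hardcodes the PFX password and passes whatever Read-Host returns straight into AddYears. The following is an added example, not the article's script, showing the same create-and-export flow with input validation, a password prompted as a SecureString, and a check that the exported PFX actually contains the certificate. It assumes the PKI module that ships Export-PfxCertificate (which also provides Get-PfxData), an elevated session for Cert:\LocalMachine\My, and a validity range of 1 to 10 years that is my own choice.

```powershell
# Added example (not the article's script): create and export a self-signed
# certificate with validation and a round-trip check of the PFX file.
# Assumes PowerShell 4+ with the PKI module and an elevated session.

param(
    [string]$CertName   = (Read-Host "Enter Certificate Name (DNS name)"),
    [string]$YearsInput = (Read-Host "How many years should this certificate be valid"),
    [string]$OutDir     = "$env:USERPROFILE\Desktop"
)

# Read-Host returns a string; accept only a small positive whole number of years
# (the 1..10 range is an assumption, not a platform limit).
$years = 0
if (-not [int]::TryParse($YearsInput, [ref]$years) -or $years -lt 1 -or $years -gt 10) {
    throw "Validity must be a whole number of years between 1 and 10 (got '$YearsInput')."
}

# Prompt for the export password instead of keeping it in the script file.
$pw = Read-Host "Password for the exported PFX" -AsSecureString

# Create the certificate in the machine store; -NotAfter is relative to now.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
                                  -DnsName $CertName `
                                  -NotAfter (Get-Date).AddYears($years)

# Sanity checks before exporting: a private key must be present, and it is
# worth seeing which Enhanced Key Usages the certificate carries.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key." }
Write-Host ("Created {0}  Subject={1}  NotAfter={2:u}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
Write-Host ("EKU: " + (($cert.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', '))

# Export using the certificate object itself; no need to rebuild the Cert:\ path.
$pfxPath = Join-Path $OutDir "$CertName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw | Out-Null

# Verify the file round-trips: Get-PfxData opens the container with the password
# and exposes the end-entity certificate, whose thumbprint must match.
$pfx = Get-PfxData -FilePath $pfxPath -Password $pw
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
    throw "Exported PFX does not contain the expected certificate."
}
Write-Host "Exported and verified $pfxPath" -ForegroundColor Green
```

Passing the certificate object to -Cert avoids the string concatenation of a store path and a thumbprint, and the Get-PfxData check catches a wrong password or a truncated file before the PFX is copied anywhere else.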

4 Comments
  1. Calli 3 years ago

    Hi, I have seen lots of examples to create a certificate for internet usage using PowerShell.
    But none of the examples shows how do I get a certificate to sign my own PS-scripts on my pc.

    I remember makecert. You first create a root certificate and then the 'user' certificate to sign the scripts with. I miss the second step so that I can sign a script with just this script:

    <#
    .SYNOPSIS
    check whether the file is in UTF8 and sign it - otherwise give hint what to do
    Sign Single File, enter as Path\Name.ps1, e.g.:
    C:\Users\cas\Documents\CentralStation\RawNewsData\LoadAndParse_MQL5_Calendar.ps1
    #>
    [CmdletBinding()] Param (
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string]$FileName,
        [Parameter(Mandatory = $False, ValueFromPipelineByPropertyName = $True)] [int]$Idx = 0
    )

    function isUTF8 ( [string]$FileName, [int]$Idx )
    {
        # Read the first four bytes (Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream)
        [byte[]]$byte = Get-Content -Encoding Byte -ReadCount 4 -TotalCount 4 -Path $FileName

        # EF BB BF is the UTF-8 byte order mark
        if ( $byte[0] -eq 0xef -and $byte[1] -eq 0xbb -and $byte[2] -eq 0xbf ) {
            Write-Output "$FileName`r`nis UTF8, going to sign it using cert. index: $Idx"
            sign $FileName $Idx
        } else {
            [console]::beep(500,600)
            Write-Output "$FileName is NOT UTF8!`r`nLoad it in Notepad++ and save it in UTF8 - otherwise it can't be signed"
        }
    }

    function sign ([string]$FileName, [int]$Idx) {
        # Pick the $Idx-th code-signing certificate from the user's personal store
        $cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[$Idx]
        Set-AuthenticodeSignature $FileName $cert
    }

    isUTF8 $FileName $Idx

    Can you give me a hint what to do?


  2. Justin Mann 2 years ago

    where have you been hiding this... very well done. nice and concise, and ty for script... handy as I only do this every once in a while and always have to check the PowerShell commands to get it done.


  3. Mason Keresty 1 year ago

    Thank you very much for the tutorial and script. I used the script to create a signed certificate for a .cat file. When I go on to use the signtool it tells me that "no certificates were found that met all of the given criteria." Do I have to alter your script to fix this?

    c:\Program Files (x86)\Windows Kits\10\App Certification Kit> signtool sign /debug /f c:\Users\MasonKeresty\Desktop\servocert.pfx /p Pazzword (mydllexectuable).exe
    
    The following certificates were considered:
        Issued to: servocert
        Issued by: servocert
        Expires:   Thu Oct 21 15:36:17 2021
        SHA1 hash: <myhash>
    
    After EKU filter, 0 certs were left.
    After expiry filter, 0 certs were left.
    After Private Key filter, 0 certs were left.
    SignTool Error: No certificates were found that met all the given criteria.
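Calli's question (a certificate to sign PowerShell scripts) and Mason's signtool output ("After EKU filter, 0 certs were left") have the same cause: the certificate created by the article's command carries the Server Authentication and Client Authentication Enhanced Key Usages, not Code Signing, so both signtool and Set-AuthenticodeSignature reject it. The following is an added example, not code from the article or from either commenter, that creates a code-signing certificate, checks its EKU, and signs a throwaway script. It assumes Windows 10 or Server 2016 or later, where New-SelfSignedCertificate supports -Type CodeSigningCert, and uses the subject name and file paths as placeholders.

```powershell
# Added example: create a self-signed code-signing certificate, confirm it carries
# the Code Signing EKU, and sign a script with it. Assumes the Windows 10 /
# Server 2016+ PKI module; subject name and paths are placeholders.

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # signtool and Set-AuthenticodeSignature both filter on this EKU; the article's
    # default certificate has only Server/Client Authentication and is dropped.
    return [bool]($Cert.EnhancedKeyUsageList | Where-Object ObjectId -eq $codeSigningOid)
}

# Reproduce the failure: a web-server style certificate like the article's (constructed
# in the user store purely for inspection, removed at the end).
$web = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName 'wifi.example.com'
"Web cert EKU: " + (($web.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ')
"Usable for code signing: $(Test-CodeSigningEku $web)"   # False

# Create one with the Code Signing EKU instead. -Type CodeSigningCert sets the EKU and
# KeyUsage=DigitalSignature; -KeyExportPolicy Exportable allows Export-PfxCertificate later.
$cs = New-SelfSignedCertificate -Type CodeSigningCert `
                                -Subject 'CN=Example Script Signing' `
                                -CertStoreLocation Cert:\CurrentUser\My `
                                -KeyExportPolicy Exportable `
                                -NotAfter (Get-Date).AddYears(2)
"Code-signing cert EKU: " + (($cs.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ')
"Usable for code signing: $(Test-CodeSigningEku $cs)"    # True

# Calli's lookup now finds it: the -CodeSigningCert provider filter selects by this EKU.
$found = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object Thumbprint -eq $cs.Thumbprint
"Found via -CodeSigningCert: $($null -ne $found)"

# Sign a throwaway script and read the signature back. Status stays UnknownError
# ("could not be built to a trusted root") until the certificate's public part is
# imported into Cert:\CurrentUser\Root (and Trusted Publishers, for execution-policy
# prompts) on the machine that is going to run the script.
$script = Join-Path $env:TEMP 'signme.ps1'
Set-Content -Path $script -Value 'Write-Output "signed"' -Encoding UTF8
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cs -HashAlgorithm SHA256
"Signature status: $($sig.Status)"
(Get-AuthenticodeSignature $script).SignerCertificate.Thumbprint -eq $cs.Thumbprint

# Remove the throwaway web certificate created only for the comparison.
Remove-Item "Cert:\CurrentUser\My\$($web.Thumbprint)"
```

For Mason's case the same applies to the PFX handed to signtool /f: export the code-signing certificate, not the server certificate, and the EKU filter will keep it. Importing a self-signed certificate into a trust store is a decision for the machine that runs the signed code, so keep it to the user or machine that actually needs to validate these signatures.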

© 4sysops 2006 - 2021