- Create a self-signed certificate with PowerShell - Thu, Aug 9 2018
A self-signed certificate is a certificate you sign with your own private key. In contrast, a public certificate is signed by an external, publicly trusted certificate authority (CA). You can also run your own private CA that issues private certificates.
Here, we are only concerned about self-signed certificates and creating them with PowerShell. Note that you need at least PowerShell 4 to follow the instructions in this article.
The command below uses the cmdlet New-SelfSignedCertificate to create a certificate and store it in the certificate store of the local machine.
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname wifi.domain.com
In this example, I use the fully qualified domain name (FQDN) "wifi.domain.com." You can use the internet domain of your organization.
Copy the thumbprint to use later on. This is the thumbprint in the example above: AA99819711BB1A0572F15C2C3369DE078A1FCBE3
Next, we store a password into the variable $pw:
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
The following command uses the Export-PfxCertificate cmdlet and the thumbprint from above to export the certificate to a file.
Export-PfxCertificate -cert cert:\localMachine\my\AA99819711BB1A0572F15C2C3369DE078A1FCBE3 -FilePath $env:USERPROFILE\Desktop\Cert.pfx -Password $pw
If you have to follow the procedure often, you can use this little script:
$Certname = Read-Host "Enter Certificate Name"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint
The script uses the Read-Host cmdlet to prompt the user for the certificate name. It then stores the certificate, password, and thumbprint in variables, which it uses to export the certificate to a file.
After the script runs, you should see the certificate on your desktop and in the certificate store.
By default, the certificate will expire in one year. If you want to specify the certificate expiration, you just have to use the -NotAfter parameter with the New-SelfSignedCertificate cmdlet:
$YearsToExpire = Read-Host "How many years should this certificate be valid"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)
This is the entire script:
# Create and export a self-signed certificate
# Script by Tim Buntrock

# Define certificate name
$Certname = Read-Host "Enter Certificate Name"

# Define expiration
$YearsToExpire = Read-Host "How many years should this certificate be valid"

Write-Host "Creating Certificate $Certname" -ForegroundColor Green

# Create certificate
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)

Write-Host "Exporting Certificate $Certname to $env:USERPROFILE\Desktop\$Certname.pfx" -ForegroundColor Green

# Set password to export certificate
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText

# Get thumbprint
$thumbprint = $Cert.Thumbprint

# Export certificate
Export-PfxCertificate -cert cert:\localMachine\my\$thumbprint -FilePath $env:USERPROFILE\Desktop\$Certname.pfx -Password $pw
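As an added example (not part of the article or Tim's script), the following function wraps the same New-SelfSignedCertificate / Export-PfxCertificate procedure but takes the PFX password as a SecureString instead of hard-coding it, pins the key algorithm, key size and hash algorithm, and verifies the exported file by loading it back and comparing thumbprints. It assumes the PKI module of Windows 10 / Server 2016 or later (for the -Type parameter); the function name New-ExportedSelfSignedCert is my own.

```powershell
# Added example: hardened variant of the article's script.
# Assumes Windows 10 / Server 2016+ PKI module (-Type); run as administrator for Cert:\LocalMachine\My.
function New-ExportedSelfSignedCert {
    param(
        [Parameter(Mandatory)][string]$Name,                 # FQDN for TLS, or a CN for code signing
        [ValidateRange(1, 10)][int]$Years = 1,               # validated integer instead of a raw Read-Host string
        [ValidateSet('SSLServerAuthentication', 'CodeSigningCert')]
        [string]$Type = 'SSLServerAuthentication',           # EKU decides what tools will accept the cert
        [string]$OutDir = "$env:USERPROFILE\Desktop"
    )
    # Password is typed interactively and never stored in the script.
    $pw = Read-Host "PFX password for $Name" -AsSecureString

    $params = @{
        CertStoreLocation = 'Cert:\LocalMachine\My'
        Subject           = "CN=$Name"
        Type              = $Type
        KeyAlgorithm      = 'RSA'
        KeyLength         = 2048
        HashAlgorithm     = 'SHA256'
        KeyExportPolicy   = 'Exportable'
        NotAfter          = (Get-Date).AddYears($Years)
    }
    if ($Type -eq 'SSLServerAuthentication') { $params.DnsName = $Name }   # SAN only for TLS certs
    $cert = New-SelfSignedCertificate @params

    $pfxPath = Join-Path $OutDir "$Name.pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw | Out-Null

    # Verify the export: reload the PFX and confirm it is the same key pair.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pw)
    if ($check.Thumbprint -ne $cert.Thumbprint) {
        throw "PFX thumbprint $($check.Thumbprint) does not match store thumbprint $($cert.Thumbprint)"
    }
    if (-not $check.HasPrivateKey) { throw "Exported PFX does not contain the private key" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        EKU        = ($cert.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', '
        PfxPath    = $pfxPath
    }
}

# Usage (TLS certificate valid for two years, as in the article's wifi.domain.com example):
# New-ExportedSelfSignedCert -Name wifi.domain.com -Years 2
```

The EKU field in the output shows which purpose the certificate was issued for, which is the first thing to check when a signing or TLS tool refuses to use it.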
Hi, I have seen lots of examples to create a certificate for internet usage using PowerShell.
But none of the examples shows how I get a certificate to sign my own PS scripts on my PC.
I remember makecert. You first create a root certificate and then the 'user' certificate to sign the scripts with. I miss the second step so that I can sign a script with just this script:
Can you give me a hint what to do?
Nice article Tim!
@Calli, if you want to sign your PowerShell script I suggest you read this about_signing doc. I've published an article on my blog as well if you have some basic examples of code signing with a self-signed certificate.
Where have you been hiding this... very well done. Nice and concise, and ty for the script... handy as I only do this every once in a while and always have to check the PowerShell commands to get it done.
Thank you very much for the tutorial and script. I used the script to create a signed certificate for a .cat file. When I go on to use the signtool it tells me that "no certificates were found that met all of the given criteria". Do I have to alter your script to fix this?