Create a self-signed certificate with PowerShell

Tim Buntrock Thu, Aug 9 2018 powershell, security 2

In this post I introduce a little PowerShell script that lets you quickly create a self-signed certificate.

About
Latest Posts

Tim Buntrock

Tim Buntrock is one of three enterprise administrators for the Active Directory service of a "global player" in the contact center business. He is a certified engineer for MCTS, MCITP, MCSA and MCPS.

Latest posts by Tim Buntrock (see all)

Create a self-signed certificate with PowerShell - Thu, Aug 9 2018
Prevent copying of an Active Directory attribute when duplicating a user account - Thu, Mar 29 2018
Find and delete unlinked (orphaned) GPOs with PowerShell - Thu, Mar 15 2018

A self-signed certificate is a certificate you sign with your own private key. In contrast, an external public internet certificate authority (CA) signs a public certificate. You can also have your own private CA in which you can issue a private certificate.

Here, we are only concerned about self-signed certificates and creating them with PowerShell. Note that you need at least PowerShell 4 to follow the instructions in this article.

The command below uses the cmdlet New-SelfSignedCertificate to create a certificate and store it in the certificate store of the local machine.

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname wifi.domain.com

1	New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname wifi.domain.com

In this example, I use the fully qualified domain name (FQDN) "wifi.domain.com." You can use the internet domain of your organization.

Creating a self signed certificate with New SelfSignedCertificate

Copy the thumbprint to use later on. This is the thumbprint in the example above: AA99819711BB1A0572F15C2C3369DE078A1FCBE3

Next, we store a password into the variable $pw:

$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText

1	$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText

The following command uses the Export-PfxCertificate cmdlet and the thumbprint from above to export the certificate to a file.

Export-PfxCertificate -cert cert:\localMachine\my\AA99819711BB1A0572F15C2C3369DE078A1FCBE3 -FilePath $env:USERPROFILE\Desktop\Cert.pfx -Password $pw

1	Export-PfxCertificate -cert cert:\localMachine\my\AA99819711BB1A0572F15C2C3369DE078A1FCBE3 -FilePath $env:USERPROFILE\Desktop\Cert.pfx -Password $pw

If you have to follow the procedure often, you can use this little script:

$Certname = Read-Host "Enter Certificate Name"
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
$thumbprint = $Cert.Thumbprint

$Certname = Read-Host "Enter Certificate Name"

$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname

$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText

$thumbprint = $Cert.Thumbprint

The script uses the Read-Host cmdlet to prompt the user for the certificate name. It then stores the certificate, password, and thumbprint in variables it then uses to export the certificate to a file.

Create a certificate with a PowerShell script

After the script runs, you should see the certificate on your desktop and in the certificate store.

Certificate file on the desktop

The certificate in the Certificates snap in

By default, the certificate will expire in one year. If you want to specify the certificate expiration, you just have to use the -NotAfter parameter with the New-SelfSignedCertificate cmdlet:

$YearsToExpire = Read-Host “How many years should this certificate be valid”
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)

1 2	$YearsToExpire = Read-Host “How many years should this certificate be valid” $Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)

This is the entire script:

# Create and export a self-signed certificate
# Script by Tim Buntrock

# Define certificate name
$Certname = Read-Host “Enter Certificate Name”
# Define expiration
$YearsToExpire = Read-Host “How many years should this certificate be valid”
Write-Host "Creating Certifcate $Certname" -ForegroundColor Green
# Create certificate
$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)
Write-Host "Exporting Certificate $Certname to $env:USERPROFILE\Desktop\$Certname.pfx" -ForegroundColor Green
# Set password to export certificate
$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText
# Get thumbprint
$thumbprint = $Cert.Thumbprint
# Export certificate
Export-PfxCertificate -cert cert:\localMachine\my\$thumbprint -FilePath $env:USERPROFILE\Desktop\$Certname.pfx -Password $pw

# Create and export a self-signed certificate

# Script by Tim Buntrock

# Define certificate name

$Certname = Read-Host “Enter Certificate Name”

# Define expiration

$YearsToExpire = Read-Host “How many years should this certificate be valid”

Write-Host "Creating Certifcate $Certname" -ForegroundColor Green

# Create certificate

$Cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname $Certname -NotAfter (Get-Date).AddYears($YearsToExpire)

Write-Host "Exporting Certificate $Certname to $env:USERPROFILE\Desktop\$Certname.pfx" -ForegroundColor Green

# Set password to export certificate

$pw = ConvertTo-SecureString -String "Pazzword" -Force -AsPlainText

# Get thumbprint

$thumbprint = $Cert.Thumbprint

# Export certificate

Export-PfxCertificate -cert cert:\localMachine\my\$thumbprint -FilePath $env:USERPROFILE\Desktop\$Certname.pfx -Password $pw

Join the 4sysops PowerShell group!

2 Comments

Calli 11 months ago
Hi, I have seen lot's of examples to create a certificate for internet usage using Powershell.
But none of the examples shows how do I get a certificate to sin my own PS-scripts on my pc.
I remember makecert. You first create a root certificate and then the 'user' certifiate to sing the scripts with. I miss the second step so that I can sign a sript with just this script:
<#
.SYNOPSIS
check whether the file is in UTF( and sign it - otherwise give hint what to do
Sign Single File, enter as Path\Name.ps1, e.g.:
C:\Users\cas\Documents\CentralStation\RawNewsData\LoadAndParse_MQL5_Calendar.ps1
#>
[CmdletBinding()] Param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string]$FileName,
[Parameter(Mandatory = $False, ValueFromPipelineByPropertyName = $True)] [int]$Idx=0
)
function isUTF8 ( [string]$FileName, [int]$Idx )
{
[byte[]]$byte = get-content -Encoding byte -ReadCount 4 -TotalCount 4 -Path $FileName
if ( $byte[0] -eq 0xef -and $byte[1] -eq 0xbb -and $byte[2] -eq 0xbf ) {
Write-Output "$FileName`r`nis UTF8, going to sign it using cert. index: $Idx"
sign $FileName $Idx
} else {
[console]::beep(500,600)
Write-Output "$FileName is NOT UTF8!`r`nLoad it in Notepad++ and save it in UTF8 - otherwise it can't be signed"
}
}
function sign ([string]$FileName, [int]$Idx) {
$cert = @(gci cert:\currentuser\my -codesigning)[$Idx]
Set-AuthenticodeSignature $FileName $cert
}
isUTF8 $FileName $Idx
Can you give me a hint what to do?

0
Reply
- Paolo Frigo 7 months ago
  Nice article Tim!
  @Calli, if you want to sign your powershell script I suggest you to read this about_signing doc.I've published an article on my blog as well if you have some basic examples of code signing with a self-signed certificate.
  
  0
  Reply

Leave a reply Click here to cancel the reply

Viewing 1 - 10 of 10 items

Wolfgang Sommergut commented on Install an SSL certificate in Windows Admin Center 8 hours, 29 minutes ago
Must have been telepathy 😉
Share
Paolo Maffezzoli posted an update 11 hours, 49 minutes ago
Microsoft Edge Developer channel build 78.0.276.2 is life with new features and improvements | WinCentral
Microsoft has now silently pushed a new build of the Microsoft Edge browser for Windows platform. The latest update to Microsoft Edge comes in the Development channel, not the final version.
Share

pramod commented on Automate Windows updates with Ansible 11 hours, 54 minutes ago

able to ping the machine, but playbook fails at win_update module....


TASK [update packages with excluded list] ***************************************************************************************************************************************************************************************************
task path: /home/svc-gfilinux/test-win-playbook.yml:5
 [WARNING]: ansible_winrm_tranport unsupported by pywinrm (is an up-to-date version of pywinrm installed?)

Using module file /usr/lib/python2.7/site-packages/ansible/modules/windows/win_updates.ps1
<lax-lod-clt12c.csodsandbox.corp> ESTABLISH WINRM CONNECTION FOR USER: svc-gfilanguard@csodmgmt.corp on PORT 5985 TO lax-lod-clt12c.csodsandbox.corp
<lax-lod-clt12c.csodsandbox.corp> WINRM CONNECT: transport=ntlm endpoint=http://lax-lod-clt12c.csodsandbox.corp:5985/wsman
<lax-lod-clt12c.csodsandbox.corp> WINRM OPEN SHELL: 4A3946EB-6161-469C-B4C6-09222C7B89E2
EXEC (via pipeline wrapper)
<lax-lod-clt12c.csodsandbox.corp> WINRM EXEC 'PowerShell' ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Unrestricted', '-']
<lax-lod-clt12c.csodsandbox.corp> WINRM RESULT u'<Response code 1, out "", err "An error occurred wh">'
<lax-lod-clt12c.csodsandbox.corp> WINRM CLOSE SHELL: 4A3946EB-6161-469C-B4C6-09222C7B89E2
fatal: [lax-lod-clt12c.csodsandbox.corp]: FAILED! => {
    "changed": false,
    "module_stderr": "An error occurred while creating the pipeline.rn    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordE rn   xceptionrn    + FullyQualifiedErrorId : RuntimeExceptionrn rnValue does not fall within the expected range.rnAt line:280 char:26rn+ ... g_tasks = @($schedserv.GetRunningTasks(0) | Where-Object { $_.Name -e ...rn+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~rn    + CategoryInfo          : OperationStopped: (:) [], ArgumentExceptionrn    + FullyQualifiedErrorId : System.ArgumentExceptionrn rnrn",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 1
}
        to retry, use: --limit @/home/svc-gfilinux/test-win-playbook.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
lax-lod-clt12c.csodsandbox.corp : ok=1    changed=0    unreachable=0    failed=1

Paolo Maffezzoli liked ManageEngine Desktop Central: Unified endpoint management for Windows, Linux, and Mac. (So far, This post has 1 likes) 14 hours, 8 minutes ago
Share
Paul Schnackenburg wrote a new post, ManageEngine Desktop Central: Unified endpoint management for Windows, Linux, and Mac 16 hours, 43 minutes ago
We looked at Desktop Central 9 back in 2015 here at 4sysops when it was primarily a client management tool. The newest release (10) has grown up to be a complete unified endpoint management (UEM) tool for your Windows, Linux, and Mac computers as well as your Android and iOS devices, Chrome, TV Oss, Apple watch. Gartner has named Desktop Central as one of the best client management tools in 2019.

Share
Paolo Maffezzoli posted an update 17 hours, 10 minutes ago
Windows Admin Center Preview 1909 | Windows Experience Blog
Hello Windows Insiders! Thanks for staying up to date on the Windows Admin Center journey! This release contains incremental changes and quality improvements for the new functionality released in the preceding previews. Specific updates to Packetmon, and a couple visual changes are described below.
Share
Paolo Maffezzoli posted an update 17 hours, 11 minutes ago
Announcing Azure Private Link | Blog | Microsoft Azure
Through the rapidly growing adoption of Azure, customers need to access the data and services privately and securely from their networks grow exponentially. To help with this, were announcing the preview of Azure Private Link.
Share
Paolo Maffezzoli posted an update 17 hours, 37 minutes ago
Windows 10 SDK Preview Build 18980 available now! - Windows Developer Blog
Today, we released a new Windows 10 Preview Build of the SDK to be used in conjunction withWindows 10 Insider Preview(Build 18980 or greater). The Preview SDK Build 18980 contains bug fixes and under development changes to the API surface area. The Preview SDK can be downloaded fromdeveloper section on Windows Insider.
Share
S Mohamad commented on DRS affinity and anti-affinity rules in VMware vSphere 17 hours, 39 minutes ago
Thank you for explain infinity rulls
it is Very complete
Share
Frank commented on Encrypt and decrypt files with PowerShell and PGP 22 hours, 41 minutes ago
If you cannot get it to work you nee to use "Install-GnuPG -DownloadFolderPath 'C:'" which will get you gpg4win-2.2.5.exe, gpg4win-3.1.10.exe will not work.
Share

Tim Buntrock

Latest posts by Tim Buntrock (see all)

Leave a reply Click here to cancel the reply

Follow 4sysops

Subscribe to post notifications

Reviews

Site Wide Activities

Subscribe to post notifications

Follow 4sysops

CONTACT US

Create a self-signed certificate with PowerShell

Tim Buntrock

Latest posts by Tim Buntrock (see all)

Leave a reply Click here to cancel the reply

Follow 4sysops

Subscribe to post notifications

Reviews

Site Wide Activities

Subscribe to post notifications

Follow 4sysops

CONTACT US

Log in with your credentials

Forgot your details?

Create Account