IT:AD:PowerShell:HowTo:Create A Self-Signed Certificate
Summary
Process
<sxh powershell>
Get-Command -Module PKI
</sxh>
Will show you several commands:
<sxh plain>
CommandType Name                                      Version Source
----------- ----                                      ------- ------
Cmdlet      Add-CertificateEnrollmentPolicyServer     1.0.0.0 PKI
Cmdlet      Export-Certificate                        1.0.0.0 PKI
Cmdlet      Export-PfxCertificate                     1.0.0.0 PKI
Cmdlet      Get-Certificate                           1.0.0.0 PKI
Cmdlet      Get-CertificateAutoEnrollmentPolicy       1.0.0.0 PKI
Cmdlet      Get-CertificateEnrollmentPolicyServer     1.0.0.0 PKI
Cmdlet      Get-CertificateNotificationTask           1.0.0.0 PKI
Cmdlet      Get-PfxData                               1.0.0.0 PKI
Cmdlet      Import-Certificate                        1.0.0.0 PKI
Cmdlet      Import-PfxCertificate                     1.0.0.0 PKI
Cmdlet      New-CertificateNotificationTask           1.0.0.0 PKI
Cmdlet      New-SelfSignedCertificate                 1.0.0.0 PKI
Cmdlet      Remove-CertificateEnrollmentPolicyServer  1.0.0.0 PKI
Cmdlet      Remove-CertificateNotificationTask        1.0.0.0 PKI
Cmdlet      Set-CertificateAutoEnrollmentPolicy       1.0.0.0 PKI
Cmdlet      Switch-Certificate                        1.0.0.0 PKI
Cmdlet      Test-Certificate                          1.0.0.0 PKI
</sxh>
Create a New Cert
We can use New-SelfSignedCertificate, whose full syntax is:
<sxh powershell>
New-SelfSignedCertificate [-SecurityDescriptor <FileSecurity>] [-TextExtension <String[]>] [-Extension <X509Extension[]>] [-HardwareKeyUsage <HardwareKeyUsage[]>] [-KeyUsageProperty <KeyUsageProperty[]>] [-KeyUsage <KeyUsage[]>] [-KeyProtection <KeyProtection[]>] [-KeyExportPolicy <KeyExportPolicy[]>] [-KeyLength <Int32>] [-KeyAlgorithm <String>] [-SmimeCapabilities] [-ExistingKey] [-KeyLocation <String>] [-SignerReader <String>] [-Reader <String>] [-SignerPin <SecureString>] [-Pin <SecureString>] [-KeyDescription <String>] [-KeyFriendlyName <String>] [-Container <String>] [-Provider <String>] [-CurveExport <CurveParametersExportType>] [-KeySpec <KeySpec>] [-Type <CertificateType>] [-FriendlyName <String>] [-NotAfter <DateTime>] [-NotBefore <DateTime>] [-SerialNumber <String>] [-Subject <String>] [-DnsName <String[]>] [-SuppressOid <String[]>] [-HashAlgorithm <String>] [-AlternateSignatureAlgorithm] [-TestRoot] [-Signer <Certificate>] [-CloneCert <Certificate>] [-CertStoreLocation <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
</sxh>
To make a new cert:
<sxh powershell>
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
</sxh>
Useful parameters to add:
* -DnsName "www.fabrikam.com", "www.contoso.com" puts several names into the Subject Alternative Name extension of one certificate
* -FriendlyName "Shared Dev localhost"
* -KeyUsageProperty All
* -NotAfter (Get-Date).AddMonths(84) sets the expiry date
* -KeyExportPolicy Exportable allows the private key to be exported later (needed for the PFX export below)
* -KeyFriendlyName "Localhost Key"
* -HashAlgorithm SHA512 (the cmdlet has no -SignatureAlgorithm parameter; the hash algorithm is what chooses the signature)
* -CertStoreLocation "cert:\LocalMachine\My" installs it in the machine store rather than the CurrentUser store
Create a Cert to File
<sxh powershell>
# Password that will protect the exported PFX (do not name this $pwd: that is PowerShell's automatic current-directory variable)
$pfxPassword = ConvertTo-SecureString -String 'passw0rd!' -Force -AsPlainText
# Create the certificate in the machine store so the export path below matches
$cert = New-SelfSignedCertificate -DnsName "localhost" -FriendlyName "DEV Shared Localhost" -HashAlgorithm SHA512 -NotAfter (Get-Date).AddMonths(120) -CertStoreLocation "cert:\LocalMachine\My"
</sxh>
Export the Cert
The command above only installs the certificate into the certificate store; nothing is written to disk yet.
To export it as a PFX file (certificate plus private key) for the rest of the team:
<sxh powershell>
$path = 'cert:\LocalMachine\My\' + $cert.Thumbprint
$pfxPassword = ConvertTo-SecureString -String 'passw0rd!' -Force -AsPlainText
Export-PfxCertificate -Cert $path -FilePath '.\dev-localhost.pfx' -Password $pfxPassword
</sxh>
The PFX contains the private key, so anyone holding the file and its password can present this certificate; treat it like a credential.
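Putting the create and export steps together, as an added example that is not from the original page: it creates the dev certificate with a restricted key usage, exports both the PFX (private key) and a public-only CER, and checks the result. It assumes an elevated session; the 'dev.local' name and the dev-cert folder are constructed examples.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Creates a shared dev certificate for localhost,
# exports the private key (PFX) for teammates and the public part (CER) for trusting it, then
# verifies the result. Assumes an elevated session (the LocalMachine store needs admin rights).

$dnsNames = @('localhost', 'dev.local')   # SAN entries; 'dev.local' is a constructed example
$outDir   = Join-Path $PWD 'dev-cert'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Prompt for the PFX password instead of hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# EKU restricted to Server Authentication (OID 1.3.6.1.5.5.7.3.1) via the EKU extension 2.5.29.37.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -FriendlyName 'DEV Shared Localhost' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# PFX (contains the private key): share only with people who run the HTTPS endpoint.
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'dev-localhost.pfx') `
    -Password $pfxPassword | Out-Null

# CER (public key only): what teammates import into Trusted Root so browsers accept the cert.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'dev-localhost.cer') | Out-Null

# Sanity checks: the SAN extension lists every requested name and the cert is currently valid.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = $sanExt.Format($false)    # e.g. "DNS Name=localhost, DNS Name=dev.local"
foreach ($name in $dnsNames) {
    if ($san -notmatch "DNS Name=$([regex]::Escape($name))(,|$)") { throw "SAN is missing $name" }
}
if ($cert.NotBefore -gt (Get-Date) -or $cert.NotAfter -le (Get-Date)) { throw 'certificate not currently valid' }

"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
"Files      : $outDir"

# On a teammate's machine (also elevated):
#   Import-Certificate    -FilePath .\dev-localhost.cer -CertStoreLocation Cert:\LocalMachine\Root
#   Import-PfxCertificate -FilePath .\dev-localhost.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString)
```

Only machines that actually serve HTTPS need the PFX; everyone else only needs the CER in their Trusted Root store.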
Chrome
Chrome can be a real cow.
* If it returns NET::ERR_CERT_AUTHORITY_INVALID, one option is to type the following into a new tab and enable the flag:
<sxh plain>
chrome://flags/#allow-insecure-localhost
</sxh>
This only relaxes certificate checks for localhost, not for other host names. The fix that removes the error properly is to import the certificate into the machine's Trusted Root Certification Authorities store, after which Chrome trusts it like any other CA-issued certificate.
Resources
* https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/new-selfsignedcertificate
* http://woshub.com/how-to-create-self-signed-certificate-with-powershell/
* https://stackoverflow.com/questions/43676993/how-do-i-change-my-iis-express-ssl-certificate-for-one-that-will-work-with-chrom