I needed to create a self-signed computer certificate to use for authentication between my Windows Server 2012 server and Windows Azure. The existing process of using MakeCert.exe was cumbersome and hard to follow. I wanted to use it in a class, so it had to be easy and very repeatable. So, I turned to PowerShell. The same process will work for other versions of Windows and for communication with other applications. In my case, I am using it for Windows Azure Backup, but the steps would be the same for other certificates where you want a computer to authenticate via a self-signed certificate. With the script, the process is super simple, and it was written in such a way that you don’t need to make any changes prior to running it. To achieve this, I need to create the certificate, install it on the local computer and export it to a file so I can then upload it to Windows Azure. All of this can be done by simply copying and pasting the code into an elevated PowerShell window or an elevated PowerShell ISE window (see below for instructions). You can change the parameters by simply changing two variables at the top of the script and then running it!

The two variables are:

  1. Where you want to store the exported file ($certfilepath = "c:\")
  2. What you want to call the certificate ($certfilename = "GuruCert_")

PowerShell Script:

# SelfSignedCertificate.ps1
# Written By Dan Stolts http://ITProGuru.com/GuruCert
# Purpose: Create, Install and Export a self-signed certificate
#   In my case, I am using this for my Windows Server 2012 server to authenticate with Windows Azure Backup
# Source download location... http://ITProGuru.com/downloads/SelfSignedCertificate.txt
# Use at your own risk
#   Details on cert options at https://technet.microsoft.com/en-us/library/hh848633.aspx
# Change Log 8/26/2016 Changed -Provider to accommodate Microsoft changing the name of their provider
$certfilepath = "c:\"        # Where do you want to export the file to?  Include trailing backslash
$certfilename = "GuruCert_"  # What name would you like for the cert (used for Certificate Name and Exported Filename) [no extension]
$certfilename += (hostname)  # Append the host name to the cert name

# Build the distinguished name (subject) of the certificate
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=" + $certfilename, 0)

# Create a new Private Key
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
$key.KeySpec = 1         # AT_KEYEXCHANGE
$key.Length = 2048
# Key ACL (SDDL): SYSTEM and local Administrators get full control, NETWORK SERVICE gets read access
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1  # Store the key in the machine (not user) context
$key.Create()

# Enhanced Key Usage extension: OID 1.3.6.1.5.5.7.3.2 is Client Authentication
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.2")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

# Create a new Certificate from key (enrollment context 2 = machine)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject   # Self-signed: the issuer is the subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(900)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

# Create Enrollment; Install Certificate (restriction flag 2 = allow an untrusted, i.e. self-signed, certificate)
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")

# Let user know the certificate is now installed
Write-Output "The following <$certfilename> certs are now installed..."
dir -recurse cert:\localmachine\My | Where-Object { $_.Subject -eq ("CN=" + $certfilename) } | Format-Table subject, thumbprint, notbefore -AutoSize

# Get the thumbprint from the last created certificate of the name we just created - so we can export it to a file
$thumbprint = (dir cert:\localmachine\My -recurse | where { $_.Subject -match ("CN=" + $certfilename) } | Select-Object -Last 1).thumbprint
Write-Output "Exporting cert:\LocalMachine\My\$thumbprint to $certfilepath$certfilename.cer ... "
dir cert:\localmachine\My -recurse | where { $_.thumbprint -match $thumbprint }   # Display the certificate we will be exporting

# Do the export - This is the PUBLIC key only; the private key stays in the machine store
$filelocation = $certfilepath ; $filelocation += $certfilename ; $filelocation += ".cer"   # Concatenate the destination path and filename

Export-Certificate -FilePath $filelocation -Cert cert:\localmachine\My\$thumbprint
Write-Output "The certificate that was just installed/exported is: cert:\LocalMachine\My\$thumbprint $filelocation"

#
# Special Thanks to:
#     Vishal Agarwal for his work at http://blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces.aspx
#     Steve Wiseman for his work at http://www.networksteve.com/?p=7839
#  Their work was helpful in me figuring all this out
# Thanks for using scripts created by ITProGuru.com
 
It does not look that simple, right? Well, that is because it is doing plenty. However, all you have to do is paste it into a PowerShell command window and watch the magic. If you do want to tweak it, like changing the name of the cert or the output location, you can ignore all the lines that start with a pound sign (#); they are just comments. It is only the first two or three non-comment lines of the script that you have to change to put in your own values.

Step-By-Step

  1. Run PowerShell elevated on the machine you want to create the certificate on. To run any application with elevated privileges (as Administrator), simply right-click that program in the menu and select Run as Administrator. Step-By-Step: click Start, type PowerShell, then right-click the PowerShell icon and select Run as Administrator. This is also known as administrative permissions.
  2. Highlight the code between the lines above; right-click and select Copy (or click the Copy Code link)
  3. Right-click the PowerShell window to paste and watch the magic…
  4. Navigate to c:\ to see your new certificate, which will be called “GuruCert_YourMachineName”

If you want to see the certificate in the store after it is installed:

Press the Windows key + W; type Cert; click Manage Computer Certificates; click Yes on the User Account Control prompt; expand Certificates – Local Computer – Personal – Certificates. Double-click the cert to open it.
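The script above installs the certificate and exports only its public half, and the store walk-through just described lets you eyeball the result in the MMC. The following script is an added example (not part of the original post or of the ITProGuru script) that does the same verification from PowerShell: it locates the newest certificate with the expected subject in Cert:\LocalMachine\My, loads the exported .cer, and confirms that the two match, that the private key stayed in the store and did not end up in the .cer, and that the key length, self-signed issuer, Client Authentication EKU and validity period are what the script requested. It assumes the script was run with its default variable values; the file name VerifyGuruCert.ps1 and the check descriptions are my own.

```powershell
# VerifyGuruCert.ps1 : added example, not part of the original post or the ITProGuru script.
# Assumes the script above was run with its default variables, so the certificate sits in
# Cert:\LocalMachine\My and its public key was exported to C:\GuruCert_<hostname>.cer.
# Run from an elevated PowerShell window (PowerShell 3.0 or later for [ordered]).
$certfilepath = "c:\"                              # same defaults as the script above
$certfilename = "GuruCert_" + (hostname)
$exportedFile = Join-Path $certfilepath ($certfilename + ".cer")

# 1. Newest certificate with the expected subject in the machine store (the script exports the last one created)
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq ("CN=" + $certfilename) } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $installed) { throw "No certificate with subject CN=$certfilename in Cert:\LocalMachine\My" }

# 2. Load the exported .cer file as an X509Certificate2 object
if (-not (Test-Path $exportedFile)) { throw "Exported file $exportedFile not found" }
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportedFile

# 3. Enhanced Key Usage extension (OID 2.5.29.37); the script requested Client Authentication (1.3.6.1.5.5.7.3.2)
$ekuExt = $installed.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasClientAuth = $false
if ($ekuExt) {
    $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.2" })
}

# 4. The checks: description => pass/fail
$now = Get-Date
$checks = [ordered]@{
    "Exported file thumbprint matches store copy" = ($installed.Thumbprint -eq $exported.Thumbprint)
    "Store copy has a private key"                = $installed.HasPrivateKey
    "Exported .cer carries NO private key"        = (-not $exported.HasPrivateKey)
    "Self-signed (Issuer equals Subject)"         = ($installed.Issuer -eq $installed.Subject)
    "RSA key length is 2048 bits"                 = ($installed.PublicKey.Key.KeySize -eq 2048)
    "Client Authentication EKU present"           = $hasClientAuth
    "Certificate is currently valid"              = ($installed.NotBefore -le $now -and $installed.NotAfter -gt $now)
}

# 5. Report, and warn if anything failed so the .cer is not uploaded in a bad state
"Certificate : $($installed.Subject)"
"Thumbprint  : $($installed.Thumbprint)"
"Expires     : $($installed.NotAfter)"
$checks.GetEnumerator() | ForEach-Object {
    "{0,-45} {1}" -f $_.Key, $(if ($_.Value) { "PASS" } else { "FAIL" })
}
$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed; review before uploading $exportedFile"
}
```

Running it right after the script prints the subject, thumbprint and expiry followed by one PASS/FAIL line per check. The "Exported .cer carries NO private key" line is the one to watch before the file leaves the machine: a DER .cer written by Export-Certificate never contains the private key, and this check makes that explicit rather than assumed.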

If you found this helpful, please Tweet:

Thanks @ITProGuru for #PowerShell How To Create A Self-Signed Computer Certificate using PowerShell Step-By-Step http://aka.ms/GuruCert

For more detailed instruction on how to run PowerShell Elevated visit:

How To Run Any Program Including PowerShell With Elevated Privileges (AKA Administrator Permissions)

PowerShell Source:

Downloadable .TXT version of script can be found at: http://ITProGuru.com/downloads/SelfSignedCertificate.txt

Source Blog Post

How To Create A Self-Signed Computer Certificate using PowerShell Step-By-Step; Much Easier Than MakeCert.exe by ITProGuru Dan Stolts
