Description

This script is an enhanced, open-source PowerShell implementation of the deprecated makecert.exe tool and uses the modern certificate enrollment API, CertEnroll.

The script is intended for test environments, to ensure that a particular application is properly configured to use digital certificates before the application is deployed in a production environment.

The self-signed certificate generator consists of a single PowerShell function named "New-SelfSignedCertificateEx". Import the function into the current PowerShell session and call it with the desired parameters.

Script parameters

The script defines the following parameters:

And here are several useful examples:

Examples

Creates a self-signed certificate intended for code signing that is valid for 5 years. The certificate is saved in the Personal store of the current user account:

New-SelfSignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" `
-KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $([datetime]::now.AddYears(5))

Creates a self-signed SSL certificate with multiple subject names and saves it to a file. Additionally, the certificate is saved in the Personal store of the Local Machine store. The private key is marked as exportable, so you can export the certificate with its associated private key to a file at any time. The certificate includes S/MIME capabilities:

New-SelfSignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication","Client Authentication" `
-KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
-AllowSMIME -Path C:\test\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable `
-StoreLocation "LocalMachine"

Creates a self-signed SSL certificate with multiple subject names and saves it to a file. Additionally, the certificate is saved in the Personal store of the Local Machine store. The private key is marked as exportable, so you can export the certificate with its associated private key to a file at any time. The certificate uses the Elliptic Curve Cryptography (ECC) key algorithm ECDH with a 256-bit key and is signed using the SHA256 algorithm:
New-SelfSignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication","Client Authentication" `
-KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
-StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ecdh_256 `
-KeyLength 256 -SignatureAlgorithm sha256

Generates a self-signed CA certificate. Specifically, this example creates a root CA certificate that is valid for 5 years:
New-SelfSignedCertificateEx -Subject "CN=Test Root CA, OU=Sandbox" -IsCA $true -ProviderName `
"Microsoft Software Key Storage Provider" -Exportable


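Once a certificate has been generated by one of the examples above, it is worth confirming that the store actually holds what was requested (self-signed issuer, private key present, expected EKUs and SAN entries, correct CA flag) before pointing an application at it. The following helper is an added example and is not part of the New-SelfSignedCertificateEx script; it assumes only that the certificate was placed in the Personal ("My") store of CurrentUser or LocalMachine, as the examples do, and uses standard X509Certificate2 members and the Cert: drive. The function name Test-SelfSignedCertificateEx and its parameters are this example's own.

```powershell
# Added verification helper (not part of New-SelfSignedCertificateEx).
# Assumes a certificate was created with one of the example commands above
# and lives in the Personal ("My") store of CurrentUser or LocalMachine.
function Test-SelfSignedCertificateEx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Subject,                   # e.g. "CN=www.domain.com"
        [ValidateSet('CurrentUser','LocalMachine')] [string] $StoreLocation = 'CurrentUser',
        [string[]] $ExpectedEKU = @(),                               # friendly names, e.g. "Server Authentication"
        [string[]] $ExpectedSAN = @(),                               # DNS names / IP addresses that must appear in the SAN
        [switch]   $ExpectCA
    )

    # Pick the newest certificate with this subject from the requested store.
    $cert = Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in Cert:\$StoreLocation\My" }

    $problems = @()

    # 1. Self-signed: issuer must equal subject.
    if ($cert.Issuer -ne $cert.Subject) { $problems += 'Issuer does not match subject (not self-signed)' }

    # 2. A private key must be associated, otherwise the application cannot use it.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key associated with the certificate' }

    # 3. Validity window must include now.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) - $($cert.NotAfter))"
    }

    # 4. Enhanced Key Usage: every expected purpose must be listed.
    $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })
    foreach ($e in $ExpectedEKU) {
        if ($eku -notcontains $e) { $problems += "Missing EKU '$e' (present: $($eku -join ', '))" }
    }

    # 5. Subject Alternative Name (OID 2.5.29.17): decode the extension and look for each expected name.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    foreach ($n in $ExpectedSAN) {
        if ($sanText -notmatch [regex]::Escape($n)) { $problems += "SAN does not contain '$n' (SAN: $sanText)" }
    }

    # 6. Basic Constraints: the CA flag must match what was requested.
    $bc   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCA = ($null -ne $bc) -and $bc.CertificateAuthority
    if ($ExpectCA -and -not $isCA) { $problems += 'Basic Constraints does not mark this certificate as a CA' }
    if (-not $ExpectCA -and $isCA) { $problems += 'Certificate is marked as a CA but an end-entity certificate was expected' }

    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    [pscustomobject]@{
        Thumbprint         = $cert.Thumbprint
        Subject            = $cert.Subject
        PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName        # "RSA" or "ECC"
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. "sha256RSA"
        KeyUsage           = if ($ku) { $ku.KeyUsages } else { 'none' }
        NotAfter           = $cert.NotAfter
        Passed             = ($problems.Count -eq 0)
        Problems           = $problems
    }
}

# Usage matching the SSL example above:
# Test-SelfSignedCertificateEx -Subject 'CN=www.domain.com' -StoreLocation LocalMachine `
#     -ExpectedEKU 'Server Authentication','Client Authentication' `
#     -ExpectedSAN 'sub.domain.com','www.domain.com','192.168.1.1'

# Usage matching the root CA example above:
# Test-SelfSignedCertificateEx -Subject 'CN=Test Root CA, OU=Sandbox' -StoreLocation CurrentUser -ExpectCA

# Cleanup once testing is finished, so test certificates do not linger in LocalMachine\My:
# Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=www.domain.com' } | Remove-Item
```

Two practical points when running the examples: the SSL example passes the PFX password through ConvertTo-SecureString -AsPlainText, which leaves it in the console history and any transcript, so for anything beyond a throwaway lab prefer `-Password (Read-Host -AsSecureString)`; and certificates written to LocalMachine\My with an exportable private key are trusted by every service on that host, so remove them (as in the cleanup line) when the test is over.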
Feedback

If you find bugs or have suggestions or questions, you are welcome to use the Q&A section.