Self-signed certificate generator (PowerShell)

Description: This script is an enhanced open-source PowerShell implementation of the deprecated makecert.exe tool and uses the most modern certificate API, CertEnroll.

4.2 stars (40 ratings) | 43,697 times | Security | 9/11/2016

  • Upload to PowerShell Gallery
    3 Posts | Last post August 25, 2017
    • Hi Vadims,
      Would you consider uploading this script to PowerShell Gallery? This would make it more accessible as well as opening it up to being more easily used in automated tests.
      Tx
    • Not yet. I don't consider PowerShell Gallery suitable for standalone scripts.
    • Hi There,
      
The PS Gallery supports both modules and stand-alone scripts. It was designed with both in mind. See the front page of the Gallery - it specifically calls out Publish-Script, Install-Script, Save-Script etc. - which are all designed for stand-alone scripts.
      
      The reason why this is a much better option than Script Center is that it is far easier for deployment automation and we can also guarantee that it is always accessible. FYI, I'm requesting this because we use this over in the Microsoft DSC Resource Kit as part of the test automation and we'd prefer to use a more reliable method of retrieving this than Script Center.
      
      Tx
  • Cannot run the script in Windows 2008 with PS51
    1 Posts | Last post August 23, 2017
    • Greetings,
I was able to run the script and generate a self-signed certificate in Windows 2012 by importing it (Import-Module .\New-SelfSignedCertificateEx.ps1) and then just calling the function (New-SelfSignedCertificateEx.ps1 -DnsName <Computer name> -CertStoreLocation "cert:\LocalMachine\My") with proper output.
      But I am trying to do the same on a Windows 2008 box and it gives me no output and no certificate. I have installed PowerShell 5.1 hoping that I will have all the best for the script, but no output, no cert. :/
      Any hints how to properly run it on Win2008?
      Thank you in advance for any feedback!
  • Failing for ECDSA
    1 Posts | Last post August 18, 2017
Using [Self-Signed certificate generator][1], when executing the following command:
      
          New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -KeyLength 256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable
      
      I get the following error:
      
          New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Invalid flags specified. 0x80090009 (-2146893815 NTE_BAD_FLAGS)
      
      And when I take away the `-KeyLength 256` argument:
      
          New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable
      
I get the following error:
      
          New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
      
      [1]: https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6
  • Trying to generate a certificate for server-client authentication
    1 Posts | Last post July 12, 2017
    • Hi,
      
I'm trying to generate a self-signed certificate for client-server authentication and export it to a local file. Unfortunately it's failing for me.
      
The command I'm using is the following:
      
      PS C:\Users\Administrator\Desktop\New-SelfSignedCertificateEx> New-SelfsignedCertificateEx -Subject "CN=mydomain.com" -EKU "Server Authentication", "Client Authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "my.subdomain.mydomain.com","mydomain.com","192.168.1.1" -AllowSMIME -Path C:\ssl.pfx -Password (ConvertTo-SecureString "my_secret_password" -AsPlainText -Force) -Exportable -StoreLocation "LocalMachine"
      
      The output is:
      
      New-SelfSignedCertificateEx : Parameter set cannot be resolved using the specified named parameters.
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject "CN=galway.apcc.com" -EKU "Server Authentic ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [New-SelfSignedCertificateEx], ParameterBindingException
          + FullyQualifiedErrorId : AmbiguousParameterSet,New-SelfSignedCertificateEx
      
      Can I ask what I'm doing wrong?
      
      Any help would be appreciated.
      
--
      Best regards
      Zbigniew
  • Description on this technet page shows StoreLocation being used with Path
    3 Posts | Last post July 08, 2017
    • Hi!
      
      Please note that the second example on the description tab of this page shows -StoreLocation being used with -Path.  After a lot of head-scratching, I had to use 30m to plow through all the Q&A to find out I cannot use them together. Please update the document!
      
      Also, this script is handy to get the cert made... do you have pointers that show how to get it copied into the trusted root Certification Authorities folder so it can actually be used? The script kinda should take care of this, because without it the cert won't be trusted.
$SourceStoreScope = 'LocalMachine'
      $SourceStorename = 'My'
      
      # Open the personal (My) store read-only and locate the certificate by its subject
      $SourceStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $SourceStorename, $SourceStoreScope
      $SourceStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
      
      $cert = $SourceStore.Certificates | Where-Object -FilterScript {
          $_.subject -eq 'CN=yourcertname'
      }
      
      # Open the Trusted Root store for writing (LocalMachine\Root requires an elevated session) and add the certificate
      $DestStoreScope = 'LocalMachine'
      $DestStoreName = 'root'
      
      $DestStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $DestStoreName, $DestStoreScope
      $DestStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
      $DestStore.Add($cert)
      
      # Release both store handles
      $SourceStore.Close()
      $DestStore.Close()
      
    • The script does not appear to create a .cer file which we need to import the public key as a Trusted Certificate Root Authority.
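  • The two posts above ask for a way to get the certificate into Trusted Root and for a .cer file holding only the public key. The following is an added example, not the script's own code or any poster's: it assumes the certificate was already created by New-SelfSignedCertificateEx into LocalMachine\My with the subject in $Subject, exports the public certificate as a DER .cer to the assumed path $CerPath, and imports that file (never the PFX with the private key) into LocalMachine\Root.

```powershell
# Added example (not part of New-SelfSignedCertificateEx or this thread).
# Assumed values: adjust $Subject and $CerPath to your environment.
$Subject = 'CN=yourcertname'              # subject used when the cert was created
$CerPath = 'C:\temp\yourcertname.cer'     # where the public-only .cer is written

# 1. Find the newest matching certificate in the personal store (private key lives here).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

# 2. Export only the public certificate (X509ContentType::Cert = DER, no private key).
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $der)

# 3. Re-read the .cer from disk and add it to Trusted Root. Reading the public file
#    back guarantees the Root entry carries no private key. Writing to
#    LocalMachine\Root requires an elevated session.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$root.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $already = $root.Certificates | Where-Object { $_.Thumbprint -eq $public.Thumbprint }
    if (-not $already) { $root.Add($public) }   # skip if a previous run already added it
} finally {
    $root.Close()
}

# 4. Verify: the Root entry matches by thumbprint and has no private key attached.
$rootEntry = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $rootEntry) { throw "Certificate $($cert.Thumbprint) not present in LocalMachine\Root" }
if ($rootEntry.HasPrivateKey) {
    Write-Warning "Root store entry unexpectedly carries a private key; remove it and re-import from the .cer"
}
"Trusted Root now contains {0} (thumbprint {1}); public copy written to {2}" -f $rootEntry.Subject, $rootEntry.Thumbprint, $CerPath
```

Anything in LocalMachine\Root is trusted by every application on the machine, so distribute only the .cer produced in step 2 to other hosts and keep the PFX where the private key is actually needed.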
  • Trying to create a Self Signed SAN Cert
    1 Posts | Last post June 27, 2017
    • This is the problem I am running into:
      New-SelfsignedCertificateEx -Subject "CN=child.domain.com" -EKU "Server Authentication", "Client authentication" ` -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "SN1.child.domain.com","SN1.child.domain.com", ` -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ecdh_256 ` -KeyLength 256 -SignatureAlgorithm sha256
      New-SelfSignedCertificateEx : Cannot process argument transformation on parameter 'NotBefore'. Cannot convert value "LocalMachine" to type 
      "System.DateTime". Error: "The string was not recognized as a valid DateTime. There is an unknown word starting at index 0."
      At line:1 char:267
      + ... -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storae Provi ...
      +                    ~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidData: (:) [New-SelfSignedCertificateEx], ParameterBindingArgumentTransformationException
          + FullyQualifiedErrorId : ParameterArgumentTransformationError,New-SelfSignedCertificateEx
  • Creating Certs
    1 Posts | Last post May 04, 2017
Hi, I'm using the following syntax to create a cert but don't seem to get a cert. The command runs without error, but yet I don't find my cert anywhere; I seem to be pointing at the correct cert store.
      
      .\New-SelfsignedCertificateEx.ps1 -Subject "CN=testproof.domain.com" -EKU "Server Authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "testproof.domain.com" -StoreLocation "LocalMachine\my"
      
Can someone provide any ideas, or am I missing some other parameter?
      
      Also should the command be run on the sub CA server or the server hosting the web site that uses the cert?
      
      I'm trying to at some point replace certs that are not working correctly in Chrome or Firefox for some of our internal websites.
      
      Thanks in advance for any ideas or help you can provide....
  • Seriously, where has the -StoreName option gone?
    2 Posts | Last post April 04, 2017
This was asked before, but was answered with a nit-pick on the author's spelling. Apologies for my spelling in advance. The latest version of this script as of the time of writing no longer has the -StoreName option. Why, and what can be used instead?
    • It appears that this option was removed because it never worked.
  • Also no errors, also no certificates...
    2 Posts | Last post March 23, 2017
    • I'm running the script and getting no errors and no certificates, have tried Import-Module as described below as well as simply:
      
      .\New-SelfSignedCertificateEx.ps1
      
      from ps in the same directory as the script. I've tried my own parameters as well as the first example and both just do nothing, I've tried exporting to a file and without export. Using ps 5.1, Win10.... Help appreciated.
    • Well I solved this in the end by simply adding the call to the script's function to the script file itself (at the end but before the signature). This now works fine.
      
      Debugging in ISE is also useful to get your head around what it's doing (can use the same script as above).
  • No error, no certificate
    3 Posts | Last post March 22, 2017
    • Running the following command:
      
      .\New-SelfSignedCertificateEx.ps1 -Subject "CN=PowerShell" -eku "Code Signing" -keyspec "Signature" -keyusage "DigitalSignature" -friendlyname "PowerShell Code Signing" -notafter $([datetime]::now.AddYears(10))
      
      But I get no errors, and I get no certificates. Checked CurrentUser\my and LocalMachine\my. Nothing. ???
Ran into this same behavior, and solved it by importing the module. Issue the following script:
        Import-Module .\New-SelfSignedCertificateEx.ps1
      
Then run the command without the leading ".\" and the ".ps1" extension:
        New-SelfSignedCertificateEx -Subject ....
    • Thank you! Importing the script as a module did the trick.