Self-signed certificate generator (PowerShell)

Description: This script is an enhanced open-source PowerShell implementation of the deprecated makecert.exe tool and uses the most modern certificate API, CertEnroll.

 
 
 
 
 
Security
9/11/2016


  • How to create certificate
    1 Posts | Last post Mon 6:43 AM
    • Hi,
      
      I am new to creating certificates. I just followed a tutorial on the net that suggested downloading this and simply pasting this:
      
      New-SelfSignedCertificateEx -Subject "CN=Testing" -IsCA $true -Exportable -StoreLocation LocalMachine -StoreName My
      
      but it seems like it's incorrect. Can you validate, please?
      
      Thanks
  • Using this script on Windows 7 and PS 2.0 as admin
    1 Posts | Last post Fri 10:05 PM
    • Hello,
      I need to know how to use this script on my development environment: Windows 7 Pro, PSISE v2.0 (per $PSVersionTable.PSVersion), to create a self-signed certificate that is compatible with Chrome 63.
      
      I'm running PS as Administrator and used this command line:
      New-SelfSignedCertificateEx `
      -Subject "CN=my.localsite.test" `
      -EKU "Server Authentication", "Client Authentication" `
      -KU "KeyEncipherment, DigitalSignature, DataEncipherment" `
      -SAN "my.localsite.test","172.20.0.109" `
      -AllowSMIME -Path C:\MyPathTo\Desktop\localsite.pfx `
      -Password (ConvertTo-SecureString "123" -AsPlainText -Force) `
      -Exportable
      
      I'm getting this error:
      
      Exception calling "Create" with "0" argument(s): "CertEnroll::CX509PrivateKey::Create: Cannot find object or property. 0x80092004 (-2146885628)"
      At C:\Test\Downloads\New-SelfSignedCertificateEx\New-SelfSignedCertificateEx.ps1:224 char
      :20
      + 	$PrivateKey.Create <<<< ()
          + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : ComMethodTargetInvocation
      
      I'm trying to create a SSC for web development on IIS 7.5 on the above system. IIS 7.5 has the ability to create a SSC but not with SAN data, which apparently Chrome is expecting.
      
      Any help would be greatly appreciated.
  • create self-signed certificates with a graphical user interface
    1 Posts | Last post January 05, 2018
    • To create self-signed certificates easily, you can use this free tool with a graphical user interface: Itiverba Self Signed Certificate Generator: http://www.itiverba.com/en/software/itisscg.php
      
      Like this script, this utility is based on the Microsoft Enrollment API.
  • getting an error on execution
    1 Posts | Last post December 04, 2017
    • Trying to use this on an Exchange server but get this error:
      
      Method invocation failed because [System.Collections.Generic.Dictionary`2+KeyCollection[[System.String, mscorlib, Versi
      on=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=2.0.0.0, Culture=neutra
      l, PublicKeyToken=b77a5c561934e089]]] doesn't contain a method named 'Contains'.
      At C:\Users\administrator.MONTAGE\Downloads\New-SelfSignedCertificateEx.ps1:265 char:38
      +     if ($PSBoundParameters.Keys.Contains <<<< ("IsCA")) {
          + CategoryInfo          : InvalidOperation: (Contains:String) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : MethodNotFound
  • RE: Sign a selfsigned cert with Self Signed RootCA
    1 Posts | Last post November 23, 2017
    • I modified the PowerShell code to achieve my previous request by referring to your blog post on CertEnroll APIs. Thanks for the blog posts.
      https://www.sysadmins.lv/blog-en/introducing-to-certificate-enrollment-apis-part-5-enroll-on-behalf-of.aspx
  • Sign a selfsigned cert with Self Signed RootCA
    1 Posts | Last post November 23, 2017
    • Hi Vadims,
      I see that this script provides a way to create a CA cert with the IsCA option, but how do I create a self-signed certificate signed by that CA cert? I didn't see any IssuerCert or Signer Cert option. Is it possible to update this script for that capability? It would be helpful, as I can trust a single CA cert on our team's local machines for development and test environments.
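
The scenario asked about in this thread (a development root CA that issues a server certificate), as an added example that is not part of the original post and is not code from New-SelfSignedCertificateEx. It assumes the built-in New-SelfSignedCertificate cmdlet and its -Signer parameter, which need Windows 10 / Server 2016 or later; the subject names, lifetimes and output file name are constructed sample values.

```powershell
# Added example: built-in New-SelfSignedCertificate (Windows 10 / Server 2016+),
# not New-SelfSignedCertificateEx. All names and lifetimes are sample values.
$store = 'Cert:\CurrentUser\My'

# 1. Development root CA: CA basic constraint, key usage limited to signing
#    certificates and CRLs, private key not exportable from this machine.
$rootCa = New-SelfSignedCertificate -Type Custom `
    -Subject 'CN=Dev Test Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation $store

# 2. Server certificate issued by that root. -DnsName fills the Subject
#    Alternative Name extension; the default certificate type adds the
#    Server Authentication and Client Authentication EKUs.
$leaf = New-SelfSignedCertificate `
    -Subject 'CN=my.localsite.test' -DnsName 'my.localsite.test' `
    -Signer $rootCa `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddMonths(6) `
    -CertStoreLocation $store

# 3. Check the result: build the chain with the root supplied explicitly.
#    The root is not trusted yet, so an unknown CA is tolerated for this check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($rootCa)
$built = $chain.Build($leaf)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

[pscustomobject]@{
    ChainBuilds  = $built
    IssuedByRoot = $top.Thumbprint -eq $rootCa.Thumbprint
    LeafIssuer   = $leaf.Issuer
    San          = $san.Format($false)
}

# 4. Only the public part of the root goes to other machines' trust stores.
Export-Certificate -Cert $rootCa -FilePath .\DevTestRootCA.cer | Out-Null
# On each development machine:
#   Import-Certificate -FilePath .\DevTestRootCA.cer -CertStoreLocation Cert:\CurrentUser\Root
```
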
  • Upload to PowerShell Gallery
    3 Posts | Last post August 25, 2017
    • Hi Vadims,
      Would you consider uploading this script to PowerShell Gallery? This would make it more accessible as well as opening it up to being more easily used in automated tests.
      Tx
    • Not yet. I don't consider PowerShell Gallery suitable for standalone scripts.
    • Hi There,
      
      The PS Gallery supports both Modules and stand alone scripts. It was designed with both in mind. See the front page of the Gallery - it specifically calls out Publish-Script, Install-Script, Save-Script etc - which are all designed for standalone scripts.
      
      The reason why this is a much better option than script center is it is far easier for deployment automation and we can also guarantee that it is always accessible. FYI, I'm requesting this because we use this over in the Microsoft DSC Resource Kit as part of the test automation and we'd prefer to use a more reliable method of retrieving this than the script center.
      
      Tx
  • Cannot run the script in Windows 2008 with PS51
    1 Posts | Last post August 23, 2017
    • Greetings,
      I was able to run the script and generate a self-signed certificate in Windows 2012 by importing it (Import-Module .\New-SelfSignedCertificateEx.ps1) and then just calling the function (New-SelfSignedCertificateEx.ps1 -DnsName <Computer name> -CertStoreLocation "cert:\LocalMachine\My") with proper output.
      But I am trying to do the same on a Windows 2008 box and it gives me no output and no certificate. I have installed PowerShell 5.1 hoping that I will have all the best for the script but no output, no cert. :/
      Any hints how to properly run it on Win2008?
      Thank you in advance for any feedback!
  • Failing for ECDSA
    1 Posts | Last post August 18, 2017
    • Using [Self-Signed certificate generator][1], when executing the following command:
      
          New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -KeyLength 256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable
      
      I get the following error:
      
          New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Invalid flags specified. 0x80090009 (-2146893815 NTE_BAD_FLAGS)
      
      And when I take away the `-KeyLength 256` argument:
      
           New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable
      
      I get the following error:
      
          New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
      
      
        [1]: https://gallery.technet.microsoft.com/scriptcenter/Self-signed-certificate-5920a7c6
  • Trying to generate a certificate for server-client authentication
    1 Posts | Last post July 12, 2017
    • Hi,
      
      I'm trying to generate a self-signed certificate for client-server authentication and export it to a local file. Unfortunately, it's failing for me.
      
      The command I'm using is the following:
      
      PS C:\Users\Administrator\Desktop\New-SelfSignedCertificateEx> New-SelfsignedCertificateEx -Subject "CN=mydomain.com" -EKU "Server Authentication", "Client Authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "my.subdomain.mydomain.com","mydomain.com","192.168.1.1" -AllowSMIME -Path C:\ssl.pfx -Password (ConvertTo-SecureString "my_secret_password" -AsPlainText -Force) -Exportable -StoreLocation "LocalMachine"
      
      The output is:
      
      New-SelfSignedCertificateEx : Parameter set cannot be resolved using the specified named parameters.
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject "CN=galway.apcc.com" -EKU "Server Authentic ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [New-SelfSignedCertificateEx], ParameterBindingException
          + FullyQualifiedErrorId : AmbiguousParameterSet,New-SelfSignedCertificateEx
      
      Can I ask what I'm doing wrong?
      
      Any help would be appreciated.
      
      --
      Best regards
      Zbigniew 
      
      