Self-signed certificate generator (PowerShell)

Description: This script is an enhanced open-source PowerShell implementation of the deprecated makecert.exe tool and utilizes the most modern certificate API — CertEnroll.

  • CA Root Certificate and Domain/Intermediate certificate
    1 Posts | Last post March 01, 2019
    • I have made a CA Root certificate with "New-SelfSignedCertificateEx". My problem is how to create a domain/server/intermediate certificate which is slave to the root?
      Can you help me?
      I have made a CA Root Authority certificate. I use PowerShell instead of the makecert.exe command. I added it into my trusted zone.
      Now I want to create a server CN=domain certificate which extends the CA authority. I need to sign and deploy it on my IIS. How to do that with ps1 language?
      |-----"My ROOT CA"
      |  |--------"My Slave" (DNS CN=domain.local)
      I think I need to set "Issued to" and "Issued by".
      "My ROOT CA" Issued to - My ROOT CA Issued by - My ROOT CA
      "My Slave" Issued to - My ROOT CA Issued by - domain.local
  • Certificates with 3072's key size
    1 Posts | Last post December 12, 2018
    • I was able to use the script to generate certificates with 1024, 2048 and 4096 key length, but I can't create one with 3072 key length. 
      Is this a known bug?
  • started script (dot-sourced) but nothing happened
    3 Posts | Last post December 12, 2018
    • Hi,
      great script - but does not work for me. Started it, but no error and no certificate in personal store...tested on 2012R2 and 2008 with execution policy "unrestricted".
      Even if I put a typo in parameters, nothing happens. So there must be a basic error - but which? :-)
      Thank you!
      PS C:\temp> .\New-SelfSignedCertificateEx.ps1 New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "CodeSigning" -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter [datetime]::now.AddYears(5)
    • You didn't import the function correctly. First, dot-source the function:
      . .\New-SelfSignedCertificateEx.ps1
      and then run the command with parameters.
    • Please put this information about dot sourcing, loading, importing, whatever on the main page. It is probably obvious for most people. But people like me just need to generate a certificate. I cannot study powershell just now. After spending 1 hour trying to find out why New-SelfSignedCertificate is not available in my powershell (no support for Windows 7) I downloaded this one and the frustration lasted another hour, because I did not know about this "dot sourcing" thing.
  • error on windows 10
    2 Posts | Last post November 14, 2018
    • I use the script SelfSignedCertificateEx with no problem on Windows 2016 server.
      The same command
      New-SelfSignedCertificateEx -Subject "CN=WKS002" -EnhancedKeyUsage "Server Authentication" -Exportable -FriendlyName "Test_2 tls sql" -KeySpec Exchange -KeyUsage "KeyEncipherment","DataEncipherment" -NotAfter $([datetime]::now.AddYears(5)) -SignatureAlgorithm SHA256 -SubjectAlternativeName "WKS002"
      executed on my Windows 10 Pro ends with the following error:
      ForEach-Object : CertEnroll::CObjectId::InitializeFromValue: Paramètre incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
      Au caractère C:\utils\bin\New-SelfSignedCertificateEx.ps1:242 : 23
      +         $EnhancedKeyUsage | ForEach-Object {
      +                             ~~~~~~~~~~~~~~~~
          + CategoryInfo          : OperationStopped: (:) [ForEach-Object], ArgumentException
          + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ForEachObjectCommand
      Any help welcome
    • You are using a localized OS version, therefore the "Server Authentication" name is not valid. Either use the OID value or the localized name of "Server Authentication".
  • Key not valid for use in specified state
    2 Posts | Last post September 10, 2018
    • For others who might google for a weird error message.
      If you see something like "New-SelfSignedCertificateEx : CertEnroll::CX509Enrollment::CreatePFX: Key not valid for use in specified state. 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)" then it's possible that you forgot to add the -exportable parameter.
    • Thank you so much for this hint. Helped me a lot!
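
The fixes from the threads above (dot-sourcing the script, passing the EKU as an OID on a localized OS, and `-Exportable` before a PFX export) combined into one run with a verification step. This is an added example, not part of the original script or posts; it uses only parameters shown in the posts above and assumes the script is in the current directory and that the certificate lands in a Personal store (CurrentUser or LocalMachine).

```powershell
# Added example; assumes New-SelfSignedCertificateEx.ps1 is in the current directory.
. .\New-SelfSignedCertificateEx.ps1   # dot-source so the function exists in this session

$serverAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU; same on every OS language

# Splatting a hashtable passes NotAfter as an evaluated [datetime] value.
$params = @{
    Subject                = 'CN=WKS002'
    EnhancedKeyUsage       = $serverAuthOid
    Exportable             = $true      # required for the PFX export below
    FriendlyName           = 'Test_2 tls sql'
    KeySpec                = 'Exchange'
    KeyUsage               = 'KeyEncipherment', 'DataEncipherment'
    NotAfter               = [datetime]::Now.AddYears(5)
    SignatureAlgorithm     = 'SHA256'
    SubjectAlternativeName = 'WKS002'
}
New-SelfSignedCertificateEx @params | Out-Null

# Assumption: the certificate lands in a Personal store; check both locations.
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $params.Subject -and $_.FriendlyName -eq $params.FriendlyName } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No matching certificate found in a Personal store.' }

# Read the EKU extension (OID 2.5.29.37) back and compare by OID, never by display name.
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains $serverAuthOid) { throw "Server Authentication EKU missing: $ekuOids" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key.' }

# In-memory PFX export; this throws when the key was created without -Exportable.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    EkuOids       = $ekuOids -join ', '
    HasPrivateKey = $cert.HasPrivateKey
    PfxByteCount  = $pfxBytes.Length
}
```

An exportable private key can be copied off the machine by any account able to read it, so remove the `Exportable` entry when no PFX is needed.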
  • Code support
    1 Posts | Last post June 04, 2018
    • As of now, I'm no longer supporting this code on TechNet gallery. There are issues with email notifications, so any inquiries or questions shall be posted on GitHub:
  • Key Usage Different Options
    2 Posts | Last post June 04, 2018
    • Hi, I only have the option for Key usage [validateSet("Exchange","Signature")].
      I need to generate a certificate where it says "Key Encipherment (20)"
    • You are getting these values for the KeySpec parameter, not KeyUsage. And this is expected, as KeySpec accepts only one of two values. For KeyUsage you can still use the expected parameters, i.e. "KeyEncipherment".
  • RE: Sign a selfsigned cert with Self Signed RootCA
    2 Posts | Last post April 12, 2018
    • I modified the PowerShell code to achieve my previous request by referring to your blog post on CertEnroll APIs. Thanks for the blog posts.
    • Hi Suhas R.S,
      Did you publish your modified solution anywhere? I'd like to reference it. Can you share it with me? Thanks!
  • New-SelfSignedCertificate?
    2 Posts | Last post April 02, 2018
    • What's the difference between New-SelfSignedCertificate and New-SelfSignedCertificateEx?
      Can you not do the same thing with the native PowerShell New-SelfSignedCertificate?
    • The script was created years before the native cmdlet appeared.
  • error on execution
    2 Posts | Last post April 02, 2018
    • Method invocation failed because [System.Collections.Generic.Dictionary`2+KeyCollection[[System.String, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089]]] doesn't contain a method named 'Contains'.
      At C:\Users\administrator.MONTAGE\Downloads\New-SelfSignedCertificateEx.ps1:265 char:38
      +     if ($PSBoundParameters.Keys.Contains <<<< ("IsCA")) {
          + CategoryInfo          : InvalidOperation: (Contains:String) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : MethodNotFound
    • You need to run the script in PowerShell 3.0 or higher. PowerShell 2.0 is not supported.