Self-signed certificate generator (PowerShell)

Description: This script is an enhanced open-source PowerShell implementation of the deprecated makecert.exe tool and utilizes the most modern certificate API, CertEnroll.

  • getting an error on execution
    2 Posts | Last post March 21, 2018
    • Trying to use this on an Exchange server but get this error:
      Method invocation failed because [System.Collections.Generic.Dictionary`2+KeyCollection[[System.String, mscorlib, Versi
      on=, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=, Culture=neutra
      l, PublicKeyToken=b77a5c561934e089]]] doesn't contain a method named 'Contains'.
      At C:\Users\administrator.MONTAGE\Downloads\New-SelfSignedCertificateEx.ps1:265 char:38
      +     if ($PSBoundParameters.Keys.Contains <<<< ("IsCA")) {
          + CategoryInfo          : InvalidOperation: (Contains:String) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : MethodNotFound
    • Tom, How did you resolve this issue? I am getting the same error.
  • How to create certificate
    2 Posts | Last post January 31, 2018
    • Hi,
      I'm new to creating certificates. I just followed a tutorial on the net that suggested downloading this and simply pasting this:
      New-SelfSignedCertificateEx -Subject "CN=Testing" -IsCA $true -Exportable -StoreLocation LocalMachine -StoreName My
      but it seems like it's incorrect. Can you validate, please?
    • Hi Marc Anthony, You need to import the New-SelfSignedCertificateEx as a module in PowerShell. To do this, after you extract the New-SelfSignedCertificateEx.ps1 from the ZIP archive, open a PowerShell and run `Import-Module .\New-SelfSignedCertificateEx.ps1`
      See here for more information
  • Using this script on Windows 7 and PS 2.0 as admin
    1 Posts | Last post January 19, 2018
    • Hello,
      I need to know how to use this script in my development environment: Windows 7 Pro, PS ISE v2.0 (per $PSVersionTable.PSVersion), to create a self-signed certificate that is compatible with Chrome 63.
      I'm running PS as Administrator and used this command line:
      New-SelfSignedCertificateEx `
      -Subject "CN=my.localsite.test" `
      -EKU "Server Authentication", "Client Authentication" `
      -KU "KeyEncipherment, DigitalSignature, DataEncipherment" `
      -SAN "my.localsite.test","" `
      -AllowSMIME -Path C:\MyPathTo\Desktop\localsite.pfx `
      -Password (ConvertTo-SecureString "123" -AsPlainText -Force)
      I'm getting this error:
      Exception calling "Create" with "0" argument(s): "CertEnroll::CX509PrivateKey::Create: Cannot find object or property. 0x80092004 (-2146885628)"
      At C:\Test\Downloads\New-SelfSignedCertificateEx\New-SelfSignedCertificateEx.ps1:224 char
      +     $PrivateKey.Create <<<< ()
          + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : ComMethodTargetInvocation
      I'm trying to create an SSC for web development on IIS 7.5 on the above system. IIS 7.5 has the ability to create an SSC but not with SAN data, which apparently Chrome is expecting.
      Any help would be greatly appreciated.
  • create self-signed certificates with a graphical user interface
    1 Posts | Last post January 05, 2018
    • To create self-signed certificates easily, you can use this free tool with a graphical user interface: Itiverba Self Signed Certificate Generator:
      Like this script, this utility is based on the Microsoft Enrollment API.
  • Sign a selfsigned cert with Self Signed RootCA
    1 Posts | Last post November 23, 2017
    • Hi Vadims,
      I see that this script provides a way to create a CA cert with the IsCA option, but how do I create a self-signed certificate signed by that CA cert? I didn't see any IssuerCert or SignerCert option. Is it possible to update this script for that capability? It would be helpful, as I can trust a single CA cert on our team's local machines for development and test environments.
  • Upload to PowerShell Gallery
    3 Posts | Last post August 25, 2017
    • Hi Vadims,
      Would you consider uploading this script to PowerShell Gallery? This would make it more accessible as well as opening it up to being more easily used in automated tests.
    • Not yet. I don't consider PowerShell Gallery suitable for standalone scripts.
    • Hi There,
      The PS Gallery supports both Modules and stand alone scripts. It was designed with both in mind. See the front page of the Gallery - it specifically calls out Publish-Script, Install-Script, Save-Script etc - which are all designed for standalone scripts.
      The reason why this is a much better option than Script Center is that it is far easier for deployment automation, and we can also guarantee that it is always accessible. FYI, I'm requesting this because we use this over in the Microsoft DSC Resource Kit as part of the test automation and we'd prefer to use a more reliable method of retrieving this than the Script Center.
  • Cannot run the script in Windows 2008 with PS51
    1 Posts | Last post August 23, 2017
    • Greetings,
      I was able to run the script and generate a self-signed certificate on Windows 2012 by importing it (Import-Module .\New-SelfSignedCertificateEx.ps1) and then just calling the function (New-SelfSignedCertificateEx.ps1 -DnsName <Computer name> -CertStoreLocation "cert:\LocalMachine\My") with proper output.
      But I am trying to do the same on a Windows 2008 box and it gives me no output and no certificate. I have installed PowerShell 5.1 hoping that I would have all the best for the script, but no output, no cert. :/
      Any hints how to properly run it on Win2008?
      Thank you in advance for any feedback!
  • Failing for ECDSA
    1 Posts | Last post August 18, 2017
    • Using Self-Signed certificate generator, when executing the following command:
          New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -KeyLength 256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable
      I get the following error:
          New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Invalid flags specified. 0x80090009 (-2146893815 NTE_BAD_FLAGS)
      And when I take away the `-KeyLength 256` argument:
           New-SelfsignedCertificateEx -Subject "CN=Test" -EnhancedKeyUsage "Server Authentication" -AlgorithmName ECDSA_P256 -SignatureAlgorithm SHA256 -KeyUsage "DigitalSignature" -Path C:\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable
      I get the following error
          New-SelfsignedCertificateEx : CertEnroll::CX509PrivateKey::Create: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
  • Trying to generate a certificate for server-client authentication
    1 Posts | Last post July 12, 2017
    • Hi,
      I'm trying to generate a self-signed certificate for client-server authentication and export it to a local file. Unfortunately, it's failing for me.
      The command I'm using is the following:
      PS C:\Users\Administrator\Desktop\New-SelfSignedCertificateEx> New-SelfsignedCertificateEx -Subject "" -EKU "Server Authentication", "Client Authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "","","" -AllowSMIME -Path C:\ssl.pfx -Password (ConvertTo-SecureString "my_secret_password" -AsPlainText -Force) -Exportable -StoreLocation "LocalMachine"
      The output is:
      New-SelfSignedCertificateEx : Parameter set cannot be resolved using the specified named parameters.
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject "" -EKU "Server Authentic ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [New-SelfSignedCertificateEx], ParameterBindingException
          + FullyQualifiedErrorId : AmbiguousParameterSet,New-SelfSignedCertificateEx
      Can I ask what I'm doing wrong?
      Any help would be appreciated.
      Best regards
  • Description on this technet page shows StoreLocation being used with Path
    3 Posts | Last post July 08, 2017
    • Hi!
      Please note that the second example on the description tab of this page shows -StoreLocation being used with -Path.  After a lot of head-scratching, I had to use 30m to plow through all the Q&A to find out I cannot use them together. Please update the document!
      Also, this script is handy to get the cert made... do you have pointers that show how to get it copied into the trusted root Certification Authorities folder so it can actually be used? The script kinda should take care of this, because without it the cert won't be trusted.
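    • $SourceStoreScope = 'LocalMachine'
      $SourceStorename = 'My'
      $SourceStore = New-Object  -TypeName System.Security.Cryptography.X509Certificates.X509Store  -ArgumentList $SourceStorename, $SourceStoreScope
      # The store must be opened before its Certificates collection is populated
      $SourceStore.Open('ReadOnly')
      $cert = $SourceStore.Certificates | Where-Object  -FilterScript {
          $_.subject -eq 'CN=yourcertname'
      }
      $SourceStore.Close()
      $DestStoreScope = 'LocalMachine'
      $DestStoreName = 'root'
      $DestStore = New-Object  -TypeName System.Security.Cryptography.X509Certificates.X509Store  -ArgumentList $DestStoreName, $DestStoreScope
      # Adding to LocalMachine\Root makes the certificate trusted machine-wide (requires an elevated session)
      $DestStore.Open('ReadWrite')
      $DestStore.Add($cert)
      $DestStore.Close()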
    • The script does not appear to create a .cer file which we need to import the public key as a Trusted Certificate Root Authority.
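
For the two needs raised in this thread (a .cer file holding only the public certificate, and trust via the Trusted Root Certification Authorities store), the following is an added example, not part of New-SelfSignedCertificateEx.ps1 or of any poster's code. It assumes the certificate already exists in LocalMachine\My; the subject `CN=yourcertname` is the placeholder from the reply above and the path `C:\Temp\yourcertname.cer` is hypothetical.

```powershell
# Added example. $Subject and $CerPath are placeholders (assumptions).
# Run in an elevated session: writing to LocalMachine\Root requires it.
$Subject = 'CN=yourcertname'
$CerPath = 'C:\Temp\yourcertname.cer'
$Ns      = 'System.Security.Cryptography.X509Certificates'

# 1. Locate exactly one matching certificate in LocalMachine\My.
$my = New-Object -TypeName "$Ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$my.Open('ReadOnly')
try {
    $found = @($my.Certificates | Where-Object { $_.Subject -eq $Subject })
} finally {
    $my.Close()
}
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate with subject '$Subject', found $($found.Count)."
}
$cert = $found[0]

# 2. Export the public part only. Content type 'Cert' is a DER-encoded
#    certificate and never contains the private key (unlike 'Pfx').
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $bytes)

# 3. Re-load from the file so the object placed in Root has no link to the key,
#    then confirm it is the same certificate.
$public = New-Object -TypeName "$Ns.X509Certificate2" -ArgumentList $CerPath
if ($public.HasPrivateKey) { throw 'Exported file unexpectedly carries a private key.' }
if ($public.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch after export.' }

# 4. Add the public-only copy to Trusted Root Certification Authorities
#    and verify that it is present afterwards.
$root = New-Object -TypeName "$Ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
$root.Open('ReadWrite')
try {
    $root.Add($public)
    $trusted = @($root.Certificates |
        Where-Object { $_.Thumbprint -eq $public.Thumbprint }).Count -eq 1
} finally {
    $root.Close()
}
"Trusted root entry present: $trusted (thumbprint $($public.Thumbprint))"
```

The same .cer file can be imported on other development machines; the .pfx with the private key stays on the server that uses it.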