Self-signed certificate generator (PowerShell)

Description

This script is an enhanced open-source PowerShell implementation of the deprecated makecert.exe tool and utilizes the most modern certificate API — CertEnroll.

Rating: 4.3 stars (50 ratings) | Downloaded 65,047 times | Category: Security | Published 9/11/2016


  • Issuing ECC cert not successful
    2 Posts | Last post October 25, 2016
    • Vadims,
        I discussed with you on https://www.sysadmins.lv/projects/pspki/New-SelfSignedCertificateEx.aspx.  Not sure whether this is a more open forum.
      Following the example in the document for using "-AlgorithmName ECDH_P256 -KeyLength 256 -SignatureAlgorithm sha256", the script does not issue the cert, but there is no error any more. It just returns to a new line.
      When the "-Algorithm ECDH_P256 -KeyLength 256 -SignatureAlgorithm sha256" was removed, the default RSA cert was issued.  
      
      Any suggestion?
      
      
    • Ignore this ... I was testing the wrong script. It issued the ECC cert.
  • Trying to execute New-SelfsignedCertificateEx or New-SelfsignedCertificate
    3 Posts | Last post October 01, 2016
    • I am new in using PowerShell.
      When I try to execute New-SelfsignedCertificateEx or New-SelfsignedCertificate I get this:
      
      The term 'New-SelfsignedCertificateEx (or New-SelfsignedCertificate)' is recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    • What I am trying to do is to migrate from makecert to New-SelfSignedCertificate
      
      I used to execute something like this:
      makecert -pe -n "CN=JUAN PEREZ, O=PDV, OU=www.mydominio.com.ar, C=AR" -ss my -sr CurrentUser -a sha1 -sky exchange -b 01/01/2016 -e 12/12/2018 -eku 1.3.6.1.5.5.7.3.2 -in "My Company" -is Root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 name.cer
      
      Could you please help me? How do I write this with New-SelfSignedCertificate?
      
      Thanks a lot!
    • You need to dot-source the file first:
      
      . $path\New-SelfSignedCertificateEx.ps1
      
      and then run New-SelfSignedCertificateEx command with required parameters.
  • It Just does nothing!
    2 Posts | Last post October 01, 2016
    • I'm trying to generate a SHA256 cert with SAN and... it does nothing.  I've tested the following on a Windows 2012 R2 and a Windows 10 machine:
      
      .\New-SelfsignedCertificateEx -Subject "CN=webmail.domain.com.ar" -EKU "Server Authentication", "Client authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "autodiscover.domain.com.ar","webmail.domain.corp","srv.domain.corp","srv" -AllowSMIME -Path C:\myprofile\Downloads\New-SelfSignedCertificateEx\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable -StoreLocation "LocalMachine" -SignatureAlgorithm sha256 -notAfter $([datetime]::now.AddYears(5))
      
      It just ... goes to the next line.
      I created a new file, copied and pasted, then removed the signature (because I saw some certificate validation errors in the CAPI event log) and ran it again... nothing!
      
      Just for the test I tried the script examples:
      .\New-SelfsignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" `
      	-KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
      	-StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ECDH_P256 `
      	-KeyLength 256 -SignatureAlgorithm sha256
      
      
      Nothing!
      
      This is my PowerShell test:
      
      PS C:\myfolder> .\New-SelfsignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentica
      tion" `
      >> -KeyUsage "KeyEcipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
      >> -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storae Provider"
      PS C:\myfolder> 
      
      I don't want to install OpenSSL Aghhhhh my life is so complicated :D
    • You need to dot-source the file first:
      
      . $path\New-SelfSignedCertificateEx.ps1
      
      and then run New-SelfSignedCertificateEx command with required parameters.
  • Side Loading UWP Apps
    2 Posts | Last post September 11, 2016
    • Doesn't appear to create a code signing certificate which Visual Studio will accept for a non-store side-loaded UWP app.  The Key Usage is "DigitalSignature" but UWPs expect Enhanced Key Usage "Code Signing".  I don't pretend to understand how all of this works, so maybe it is possible. Just didn't work for me.  
    • Can you show exact command you used?
  • use for client cert
    1 Posts | Last post August 10, 2016
    • TSO
      Can the script create a client cert (like -in IssuerNameString for makecert.exe)?
      I want to do this via your script:
      makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is my -a sha1
      
      btw, PS 5 seems to finally get the OOTB New-SelfSignedCertificate in a workable state. 
  • Can't see the certificate created in example 1
    2 Posts | Last post July 07, 2016
    • Hello,
      
      I don't see any Personal folder and corresponding certificate for example 1. Can you provide the path where this certificate should be seen? I am checking in cert:\LocalMachine\ and see no Personal folder. Please help!
      
      Thanks
      Daniel
      
      
    • By default, the certificate is installed in the Current User\Personal store. Check the cert:\currentuser\my store.
  • Fix parentheses in example 1
    2 Posts | Last post June 28, 2016
    • Hello Vadims, 
      thanks for the script. Your first example is missing parentheses around the date-time part, and so it throws an error.
      
      New-SelfSignedCertificateEx : Cannot process argument transformation on parameter 'NotAfter'. Cannot convert value "[datetime]::now.AddYears" to type "System.DateTime". Error: "Stri
      ng was not recognized as a valid DateTime."
    • I know. The problem is that the editor in the TechNet gallery doesn't work properly in Internet Explorer and I can't edit anything there. I fixed it here: https://www.sysadmins.lv/projects/pspki/New-SelfSignedCertificateEx.aspx
      
  • Can we capture its output to a variable ?
    2 Posts | Last post June 28, 2016
    • Hi, 
      I am using this command to generate a self-signed certificate:
      New-SelfsignedCertificateEx -Subject "CN=Test" -EKU "Code Signing" -FriendlyName "Test" -StoreLocation LocalMachine
      
      It works fine and generates the certificate silently. It doesn't give any output as 'New-SelfsignedCertificate' does. Is there any way to capture the output of this command so that we can store its thumbprint? Otherwise automation is really difficult if there are multiple certificates available with the same subject and friendly name.
      
      Thanks,
      Lokesh Jangir
      
    • Currently, there is no way to output the certificate object. It requires some extra code. But I'll think about this.
  • OMG
    1 Posts | Last post June 27, 2016
    • DE-DE!!  Get out of my lab-or-a-tory!!!!!
  • Install to Trusted Root CA Store
    2 Posts | Last post May 11, 2016
    • Great script!  Is there any way to have this script automatically create the certificate in the LocalMachine -> Trusted Root Certification Authorities and LocalMachine -> Personal stores at the same time?
      
      I've tried using the parameter "-StoreName My, Root", but it did not work.  I also tried using "-IsCA $true", but this did not work either.  This would be easier than having to manually copy each certificate into the Trusted Root Certification Authorities folder.
    • No, for security reasons it is not supported. Though, the script returns an X509Certificate2 object which can be installed to additional stores if necessary.
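
Building on the reply above (and on the earlier question about capturing the thumbprint), here is an added example that is not part of the script or of this thread: it captures the X509Certificate2 object the script returns, records its thumbprint, and then installs only the public certificate into the LocalMachine Trusted Root store as a separate, deliberate step. It assumes the script has been dot-sourced from $path as the replies describe, that the session is elevated, and that the object is returned as stated above; the subject and SAN values are constructed.

```powershell
# Added example; not the script's own code. Assumes $path points at the folder holding the script.
. $path\New-SelfSignedCertificateEx.ps1

# Create the certificate in LocalMachine\Personal and capture the returned X509Certificate2 object.
$cert = New-SelfSignedCertificateEx -Subject "CN=test.example.local" -EKU "Server Authentication" `
    -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "test.example.local","www.test.example.local" `
    -SignatureAlgorithm sha256 -StoreLocation LocalMachine -FriendlyName "Test (constructed example)"

if (-not $cert) {
    throw "No certificate object was returned; check that the script was dot-sourced and ran without error."
}

# The thumbprint uniquely identifies this certificate even when several share a subject and friendly name.
$thumbprint = $cert.Thumbprint
Write-Host "Created certificate with thumbprint $thumbprint"

# Export only the public certificate (DER). The private key stays in the Personal store;
# the Trusted Root store never needs it.
$der        = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$publicOnly = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

# Trusting a self-signed certificate machine-wide is a separate decision, so it is a separate step.
# Writing to LocalMachine\Root requires an elevated session.
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$rootStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $rootStore.Add($publicOnly)
} finally {
    $rootStore.Close()
}

# Verify by thumbprint that the certificate is now present in both stores.
$inMy   = Get-ChildItem Cert:\LocalMachine\My   | Where-Object Thumbprint -eq $thumbprint
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumbprint
if ($inMy -and $inRoot) {
    Write-Host "OK: $thumbprint is in LocalMachine\My (with private key) and LocalMachine\Root (public only)"
} else {
    throw "Store check failed: My=$([bool]$inMy) Root=$([bool]$inRoot)"
}
```

Keep the Root-store step out of any script that runs unattended on many machines; only the thumbprint you recorded, not the subject name, should drive later lookups.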