Self-signed certificate generator (PowerShell)

DescriptionThis script is an enhanced open-source PowerShell implementation of deprecated makecert.exe tool and utilizes the most modern certificate API — CertEnroll.

4.3 Star
65,031 times
Add to favorites
E-mail Twitter Digg Facebook
Sign in to ask a question

  • Signing with a local CA
    4 Posts | Last post May 10, 2016
    • If you create a CA, as per the last example, how do you then create certificates that are signed with this CA rather than self-signed?
    • Unfortunately, your question is not covered by this script, as it deals only with self-signed certificates. Certificate signing by external CA is an OOB process.
    • By OOB do you mean out-of-band? I understand that being the case when submitting requests to CA over the network, but if the CA certificate is installed on the same machine, surely it is possible to sign it synchronously? Makecert could do this with the -sv option.
    • Yes, I mean out-of-band. No, currently there is no such functionality. This may appear in future versions.
  • Publish on PSGallery
    1 Posts | Last post April 14, 2016
    • Now that the new PS Gallery ( is live and supports scripts (as well as modules), it would be fantastic if this awesome script was made available there too.
      That way it could be downloaded using:
      install-script New-SelfSignedCertificateEx 
      on any WMF 5.0 machine (or WMF 4.0 with OneGet installed).
  • I don't understand how to execute
    14 Posts | Last post February 26, 2016
    • Hi, iam trying to establish the connection between AWS windows 2008r2 server and my local machine through winrm for that iam creating Self-signed certificate, I dont understand how would i execute the powershell script shall i run manually "New-SelfSignedCertificateEx.ps1"
      or shall i specify the path.
      Please can you tell me what are the steps!
      Many Thanks...
    • You need to dot-source the file first:
      . $path\New-SelfSignedCertificateEx.ps1
      and then run New-SelfSignedCertificateEx command with required parameters.
    • Hi, I'm unable to dot-source the file, below is the error.
      PS C:\> . "C:\Users\Administrator\Desktop\New-SelfsignedCertificateEx.ps1"
      . : File C:\Users\Administrator\Desktop\New-SelfsignedCertificateEx.ps1 cannot be loaded because running scripts is
      disabled on this system. For more information, see about_Execution_Policies at
      At line:1 char:3
      + . "C:\Users\Administrator\Desktop\New-SelfsignedCertificateEx.ps1"
      +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : SecurityError: (:) [], PSSecurityException
          + FullyQualifiedErrorId : UnauthorizedAccess
      PS C:\> 
    • By default, PowerShell do not allow script execution due to its execution policy. You have to modify PowerShell execution policy as follows:
      Set-ExecutionPolicy RemoteSigned
    • Thanq vadims, i've dot-sourced the file but getting below error:
      New-SelfSignedCertificateEx : Parameter set cannot be resolved using the specified named parameters.
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject " ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [New-SelfSignedCertificateEx], ParameterBindingException
          + FullyQualifiedErrorId : AmbiguousParameterSet,New-SelfSignedCertificateEx
    • can you post full command?
    • command:
      New-SelfsignedCertificateEx -Subject "" -EKU "Server Authentication", "Client authentication" ` -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "","","" ` -StoreLocation "LocalMachine" -Path C:\test\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ecdh_256 `  -KeyLength 256 -SignatureAlgorithm sha256
    • Try to remove "-StoreLocation" parameter and add "-Exportable" switch.
    • Thank you. You’re so helpful !
      My Command :  New-SelfsignedCertificateEx -Subject "" -EKU "Server Authentication", "Client authentication" ` -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "","","" `  -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ecdh_P256 `  -KeyLength 256 -SignatureAlgorithm sha256 -Exportable
      After Removing : -StoreLocation "LocalMachine" -Path C:\test\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force)  working fine.
      there is no issues ! But my question is, i want execute below command will it work ? what shud i give in place of -CertStoreLocation.
      $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName 'HOSTNAME'
    • Hi, while executing the below command im getting this error, please look into it.
      $cert = New-SelfSignedCertificate ssc -CertStoreLocation Cert:\LocalMachine\My -DnsName ''
      PS C:\> $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName ''
      New-SelfSignedCertificate : The term 'New-SelfSignedCertificate' is not recognized as the name of a cmdlet, function,
      script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
      correct and try again.
      At line:1 char:9
      + $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsN ...
      +         ~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (New-SelfSignedCertificate:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
    • Hi..
      can you please give me a solution. 
    • the right command name is "New-SelfSignedCertificateEx".
    • Hi, How i can give specify -CertificateThumbPrint switch as a parameter.
    • Thanq! now it is working. 
  • doesn't contain a method named 'Contains'
    3 Posts | Last post February 19, 2016
    • I keep getting this error after executing the following:
      New-SelfsignedCertificateEx -Subject "CN=Abbxxxxxxx CA, OU=ICT" -IsCA $true -ProviderName "Microsoft Software Key Storage Provider" -Exportable
      Method invocation failed because [System.Collections.Generic.Dictionary`2+KeyCollection[[System.String, mscorlib, Versi
      on=, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=, Culture=neutra
      l, PublicKeyToken=b77a5c561934e089]]] doesn't contain a method named 'Contains'.
      At C:\PowerShell\New-SelfSignedCertificateEx.ps1:266 char:38
      +     if ($PSBoundParameters.Keys.Contains <<<< ("IsCA")) {
          + CategoryInfo          : InvalidOperation: (Contains:String) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : MethodNotFound
      Name                           Value
      ----                           -----
      CLRVersion                     2.0.50727.5485
      BuildVersion                   6.1.7601.17514
      PSVersion                      2.0
      WSManStackVersion              2.0
      PSCompatibleVersions           {1.0, 2.0}
      PSRemotingProtocolVersion      2.1
      Id appreciate any assistance you can provide.
    • My bad. Upgrading to PowerShell 4 resolved this issue.
    • This is an issue in the PowerShell 2.0. It is no longer supported by the code. You can run the code on PowerShell 3.0 or newer.
  • Path and Password switches are not working.Hi
    2 Posts | Last post January 06, 2016
    • Thank you for this wonderful script. This has solved my problem to create encryption certificates for my scripting. While the normal switches are working fine, the Path and Password switches are not working. I am executing the script from an elevated window. Below is the details of my error.
      PS C:\New-SelfSignedCertificateEx> New-SelfsignedCertificateEx -Subject "" -EKU "Server Authentica
      tion", "Client authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "","","" -AllowSMIME -Path C:\test\ssl.pfx -Password (Conve
      rtTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable -StoreLocation "LocalMachine"
      New-SelfSignedCertificateEx : Parameter set cannot be resolved using the specified named parameters.
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject "" -EKU "Server ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [New-SelfSignedCertificateEx], ParameterBindingException
          + FullyQualifiedErrorId : AmbiguousParameterSet,New-SelfSignedCertificateEx
      If I remove the -Path and -Password switches, everything works fine. I picked the examples that you gave. Kindly help
    • "-StoreLocation" parameter is not compatible with "-Path" and "-Password", as they belong to different parametersets.
  • Typos in Example 3 ECDH certificates
    3 Posts | Last post December 16, 2015
    • 1. Line 53: Parameter help should be "KeyUsage" instead of "KeyUsages"
      2. Line 142: Example 3 specifies the AlgorithmName as "ecdh_256". It needs to be "ecdh_P256" otherwise you will receive an error:
      CertEnroll::CObjectId::InitializeFromValue: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
      3. Line 142: Example 3 reads "Microsoft Software Key Storae Provider", which should be "Microsoft Software Key Storage Provider"
    • thanks for report, I'll fix this.
    • Even with these fixes, I still can't get example 3 to work.  I always get "The parameter is incorrect. 0x80070057 (WIN32: 87)" on line 347 ("$PrivateKey.ExportPolicy") anytime I set ProviderName to "Microsoft Software Key Storage Provider".  Any suggestions?
  • Use a different Issuer (i.e. non-selfsigned certificate)
    2 Posts | Last post December 03, 2015
    • Hi Vadims,
      First of all, great script, it has really proven useful to me.
      One thing I have been doing with makecert.exe though which does not seem to be supported by this script is using another issuer for the certificate which could be accomplished using the -ic and -iv switches in makecert.
      Would you know how this can be done using the X509Enrollment.CX509enrollment and/or X509Enrollment.CX509CertificateRequestCertificate?
    • The scope of this script is to create a self-signed certificate. If you want to have different Issuer field, then it will not be self-signed. You need to create certificate request and use out of band process to sign it. You can use CertEnroll interfaces to create CSR.
      Check my blog post series where I discover common scenarios with CertEnroll:
  • I cant get it to work
    3 Posts | Last post November 26, 2015
    • I've dot-sourced the script but runs into to this error
      % : CertEnroll::CObjectId::InitializeFromValue: Wrong parameter. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
      At C:\powershell\security - self signed\New-SelfSignedCertificateEx\New SelfSignedCertificateE
      x.ps1:243 char:23
      +         $EnhancedKeyUsage | %{
      +                             ~~
          + CategoryInfo          : OperationStopped: (:) [ForEach-Object], ArgumentException
          + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ForEachObjectCommand
      Im running this command:
      New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter (get-date).AddYears(25)
      In the example there is a weird character which i've ommitted. Is that correct? the character: `
      My version
      PS C:\powershell\security - self signed\New-SelfSignedCertificateEx> $PSVersionTable
      Name                           Value
      ----                           -----
      PSVersion                      5.0.10240.16384
      WSManStackVersion              3.0
      CLRVersion                     4.0.30319.42000
      BuildVersion                   10.0.10240.16384
      PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
      PSRemotingProtocolVersion      2.3
      Hope I can get it to work
      Great initiative btw
    • I got same error. I run the function on Windows 10 Japanease UI locale.
      So, X509Enrollment.CObjectID's InitializeFromValue methods accept OID value or "localized" EKU friendly name. This class use in EKU settings.
      "Code Signing" is English EKU Friendly Name, it accepts only when your UI locale is "en-*"
      To avoid this error, specify the EKU OID, instead friendly name.
      New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "" -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter (get-date).AddYears(25)
      following is EKU friendly name / OID table.
      FriendlyName	OID
      Server Authentication
      Client Authentication
      Code Signing
      Secure Email
      IP security end system
      IP security tunnel termination
      IP security user
      Time Stamping
      OCSP Signing
      OCSP No Revocation Checking
      IP security IKE intermediate
      Microsoft Trust List Signing
      Microsoft Time Stamping
      SHIROYAMA Takayuki.
    • Bzcktick (`) character is necessary. This character specifies that the command line is continued in the next console line.
  • Error executing CreatePFX
    2 Posts | Last post September 01, 2015
    • Hi, 
      I tried to run the script but I got back this error
      New-SelfsignedCertificateEx : Exception calling "CreatePFX" with "3" argument(s): "CertEnroll::CX509Enrollment::CreateP
      FX: Key not valid for use in specified state. 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)"
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing"  ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificateEx], MethodInvocationException
          + FullyQualifiedErrorId : ComMethodTargetInvocation,New-SelfSignedCertificateEx
      here my invocation
      PS D:\Software\Tools> . .\New-SelfSignedCertificateEx.ps1
      PS D:\Software\Tools> New-SelfsignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signatu
      e" -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter (get-date).AddYears(5) -Path D:\TEMP\cert\s
      Do you know what cuold be wrong?
    • it is because you attempt to export certificate with private key to PFX file. This operation requires exportable private key. You need to add a '-Exportable' switch-parameter to your command call.
  • Getting this error
    2 Posts | Last post August 07, 2015
    • Be8
      Thanks for this!  It appears to be exactly what I need - once I can work through the below error that is...
      New-SelfsignedCertificateEx : Exception calling "InitializeFromValue" with "1" argument(s): "CertEnroll::CObjectId::InitializeFromValue: The parameter is incorrect. 0x80070057 (WIN32: 87)"
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject "" -EKU "Ser ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificateEx], MethodInvocationException
          + FullyQualifiedErrorId : ComMethodTargetInvocation,New-SelfSignedCertificateEx
      And here is my submitted command (with execution policy set to unrestricted and using an elevated PS ISE session:
      New-SelfsignedCertificateEx -Subject "" -EKU "Server Authentication", "Client authentication" ` 
      -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "" ` 
      -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ecdh_256 ` 
      -KeyLength 256 -SignatureAlgorithm sha256
    • I tried your example and it works as expected for me. Check OIDs passed to EKU parameter. Maybe you missed some character or mistyped it.
41 - 50 of 60 Items