Self-signed certificate generator (PowerShell)

Description

This script is an enhanced open-source PowerShell implementation of the deprecated makecert.exe tool and uses the most modern certificate API, CertEnroll.

Rating: 4.3 stars (50 ratings) | Downloaded 65,041 times | Category: Security | Published: 9/11/2016


  • SAN cert issued by self-signed CA
    2 Posts | Last post May 04, 2015
    • This looks like a great script. Is it possible to create a SAN certificate that is issued by an earlier generated self-signed CA cert?
    • No, this script generates only self-signed certificates, for testing-only purposes. It is not a replacement for CA functionality (e.g. signing other certs).
  • ProviderName parameter causing problems
    2 Posts | Last post April 28, 2015
    • Hello, thank you for this useful function.
      
      When I create a certificate like this, it works fine:
      New-SelfsignedCertificateEx -Subject "CN=server" -EKU "Server Authentication", "Client authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -Exportable -StoreLocation "LocalMachine"
      
      But when I add the ProviderName parameter like this:
      New-SelfsignedCertificateEx -Subject "CN=server" -EKU "Server Authentication", "Client authentication" -KeyUsage "KeyEncipherment, DigitalSignature" -Exportable -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider"
      
      then it does not work. Here is the error:
      
      New-SelfsignedCertificateEx : Exception calling "Create" with "0" argument(s): "CertEnroll::CX509PrivateKey::Create:
      The parameter is incorrect. 0x80070057 (WIN32: 87)"
      At line:1 char:1
      + New-SelfsignedCertificateEx -Subject "CN=server" -EKU "Server Authentication", "C ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [New-SelfSignedCertificateEx], MethodInvocationException
          + FullyQualifiedErrorId : ComMethodTargetInvocation,New-SelfSignedCertificateEx
      
      
      I checked 'certutil -csplist' and "Microsoft Software Key Storage Provider" is in the list of my providers...
      
      Any help would be really appreciated, as I really need to create a certificate with this provider!
      
    • Are you running this command in an elevated PowerShell console?
  • Store Name parameter
    4 Posts | Last post April 17, 2015
    • Hi,
      
      It looks like the store name parameter is not being used. Can this be updated to allow that?
      
      Also, is it possible to export the cert to a file as well as install it locally at the same time?
      
      Thanks,
    • You are right, the store name is not used. I'm considering removing this parameter completely. No, it cannot be used under any circumstances, so there are no plans to implement it.
      
      Yes, you can export the certificate by using the Export-PfxCertificate cmdlet from the PKI module (Windows 8 and newer).
    • I'd suggest updating the documentation and samples to reflect the fact that the parameter can't be used.
    • Removed "StoreName" references.
  • I ran the first script sample but nothing happened.
    2 Posts | Last post January 14, 2015
    • PS C:\Users\Administrator> C:\Users\Administrator\Desktop\New-SelfSignedCertificateEx.ps1 -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $([datetime]::now.AddYears(5))
      PS C:\Users\Administrator>
      
      I ran the script above in an admin-privileged PowerShell window, but after running it nothing happened: no cert was created in my current user personal certificate store, and no error was shown in the PowerShell window.
      
      Could you please give me some help? 
    • Because you didn't load the function. You need to load it by dot-sourcing the script:
      . C:\Users\Administrator\Desktop\New-SelfSignedCertificateEx.ps1
      
      and then run the New-SelfSignedCertificateEx function with parameters.
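Putting the dot-sourcing answer above together with the export question from the "Store Name parameter" thread, here is an added example; it is not the gallery script's own code. It assumes the script is saved at the path in $ScriptPath, that dot-sourcing it defines New-SelfSignedCertificateEx with the parameters used on this page, and that the certificate lands in Cert:\CurrentUser\My. The PFX path and password are constructed values.

```powershell
# Added example, not part of the published script. $ScriptPath, the PFX path
# and the password are assumptions/constructed values.
$ScriptPath = "C:\Users\Administrator\Desktop\New-SelfSignedCertificateEx.ps1"

# Dot-source the file. Running it by path only defines the function in a
# child scope that is discarded when the script ends, which is why "nothing
# happened" in the post above.
. $ScriptPath

$store  = "Cert:\CurrentUser\My"
$before = Get-ChildItem $store | ForEach-Object { $_.Thumbprint }

# -Exportable is needed so the private key can later be written to a PFX.
New-SelfSignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" `
    -KeySpec "Signature" -KeyUsage "DigitalSignature" `
    -FriendlyName "Test code signing" -NotAfter $([datetime]::Now.AddYears(5)) `
    -Exportable

# Detect what the call added to the store instead of relying on a return value.
$new = Get-ChildItem $store | Where-Object { $before -notcontains $_.Thumbprint }
if (-not $new) {
    throw "No certificate appeared in $store; check for errors above."
}

foreach ($cert in $new) {
    "{0}  {1}  expires {2:u}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
}

# Export with the private key (PKI module, Windows 8 / Server 2012 and newer).
# The password is constructed for the example; prompt with Read-Host -AsSecureString
# in real use so it never sits in a script file.
$pfxPassword = ConvertTo-SecureString "ChangeMe!" -AsPlainText -Force
$new | Export-PfxCertificate -FilePath "$env:TEMP\test-codesigning.pfx" -Password $pfxPassword
```

Comparing store thumbprints before and after the call works regardless of whether the function returns the certificate object, and the thrown error makes a silent failure visible instead of leaving the caller guessing.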
  • LegacyCsp option
    4 Posts | Last post January 12, 2015
    • Hi,
      First of all: nice work! This is a very handy script!
      I found this script by reading the following thread: https://social.technet.microsoft.com/Forums/en-US/84de2a2d-9dff-4a69-849b-6fcc2f14361b/selfsigned-certificate-generation?forum=winserversecurity
      because I was also looking to generate a self-signed certificate that would be compatible with .Net functionality. 
      In searching for the correct ProviderName I came across the IX509PrivateKey interface, which provides a LegacyCsp boolean flag as well. (http://msdn.microsoft.com/en-us/library/windows/desktop/aa378921%28v=vs.85%29.aspx)
      This worked for me, so maybe you could extend the script with this extra parameter?
      
      Cheers!
    • I think that the IX509PrivateKey interface takes care of this flag depending on the selected provider.
    • I found the LegacyCsp flag before I found a ProviderName that worked, so I stopped looking. Since ProviderName is a string, it would be interesting to provide a list with valid ProviderNames. The documentation only mentions the default "Microsoft Enhanced Cryptographic Provider v1.0" CSP. Thx!
    • You can run the 'certutil -csplist' command to get a list of all available providers.
  • issue with NotAfter [datetime]::Now.AddYears(25)
    2 Posts | Last post December 09, 2014
    • TSO
      Hi, PS complained about the AddYears call
      
      New-SelfSignedCertificateEx : Cannot process argument transformation on parameter 'NotAfter'. Cannot convert value
      "[datetime]::Now.AddYears" to type "System.DateTime". Error: "String was not recognized as a valid DateTime."
      At line:1 char:274
      + ... able -NotAfter [datetime]::Now.AddYears(25)
      +                    ~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidData: (:) [New-SelfSignedCertificateEx], ParameterBindingArgumentTransformationException
          + FullyQualifiedErrorId : ParameterArgumentTransformationError,New-SelfSignedCertificateEx
      
      My workaround was -NotAfter (Get-Date).AddYears(25) 
    • It is a typo in the example. You can work around it with $([datetime]::now.AddYears(25))
  • typo in second example
    1 Posts | Last post December 03, 2014
    • TSO
      FYI: ProviderName "Microsoft Software Key Storae Provider"
  • Typo in examples 2 and 3
    1 Posts | Last post September 22, 2014
    • Great script!
      There is a small typo in examples 2 and 3:
      KeyEcipherment -> KeyEncipherment
  • Can't get the script to work for me.
    2 Posts | Last post June 12, 2014
    • I am unable to generate a certificate with this. Running into the below error. Can you help?
      
      
      Method invocation failed because [System.Collections.Generic.Dictionary`2+KeyCollection[[System.String, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]] doesn't contain a method named 'Contains'.
      At E:\New-SelfSignedCertificateEx.ps1:266 char:38
      +     if ($PSBoundParameters.Keys.Contains <<<< ("IsCA")) {
          + CategoryInfo          : InvalidOperation: (Contains:String) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : MethodNotFound
    • Never mind... it took me a bit to understand the question and answer below. Thanks!!
  • Powershell 3.0 required?
    3 Posts | Last post December 10, 2013
    • First off, great work. I'm liking it a lot. Don't want to be running the old stuff for self-signed certs. (I need to make a cert for en/decrypting SAML tokens between SSL servers.)
      I run this under 3.0 and it works. When I find myself on a server with PS 2.0 I get the following:
      Contains : Method invocation failed because [System.Collections.Generic.Dictionary`2+KeyCollection[[System.String, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Object, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]] doesn't contain a method named 'Contains'.
      At L:\MakeCert.ps1:266 char:38
      
      (I have edited and re-signed the script, so that line may be a little off.)
      Anyway, is there a workaround for 2.0, or are there too many 3.0 dependencies?
    • It is the only part that requires PowerShell 3.0. I completely forgot that this syntax only works starting with 3.0.
    • Yup, and sure enough: 
      $PSBoundParameters.ContainsKey("IsCA") 
      takes care of it in a 2.0 environment.
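The two threads above ("Can't get the script to work for me" and "Powershell 3.0 required?") hit the same line. This added example, which is not code from the gallery script, shows the portable form in a small function so the behaviour can be checked on both engine versions; the function name and its IsCA/PathLength parameters are constructed for illustration.

```powershell
# Added example, not part of the published script. Function and parameter
# names are constructed; only the $PSBoundParameters pattern is the point.
function Test-BoundParameter {
    [CmdletBinding()]
    param(
        [switch]$IsCA,
        [int]$PathLength = -1
    )

    # $PSBoundParameters is a Dictionary[string, object].
    # ContainsKey() is a method of the dictionary itself and works on
    # PowerShell 2.0 and later.
    # $PSBoundParameters.Keys.Contains("IsCA"), the form at script line 266,
    # is only resolved on PowerShell 3.0 and later; on 2.0 it fails with
    # "doesn't contain a method named 'Contains'" as both posts show.
    $result = @{}
    $result.IsCABound = $PSBoundParameters.ContainsKey("IsCA")
    $result.IsCA      = [bool]$IsCA

    # ContainsKey also tells "caller passed the default value" apart from
    # "caller passed nothing", which inspecting $PathLength alone cannot do.
    $result.PathLengthBound = $PSBoundParameters.ContainsKey("PathLength")
    $result.PathLength      = $PathLength

    # Useful when a script must keep a 3.0-only construct somewhere else:
    # $PSVersionTable exists on 2.0 and later.
    $result.PSVersion            = $PSVersionTable.PSVersion.ToString()
    $result.SupportsKeysContains = ($PSVersionTable.PSVersion.Major -ge 3)

    New-Object PSObject -Property $result
}

# Usage (constructed calls):
Test-BoundParameter -IsCA            # switch supplied explicitly
Test-BoundParameter -IsCA:$false     # supplied, but set to false
Test-BoundParameter -PathLength -1   # same value as the default, yet bound
```

Because ContainsKey is the dictionary's own method, the same script file runs unchanged on PowerShell 2.0 and 3.0, which is exactly the fix the reply above reports.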