
Generate a Self-Signed Digital Certificate Powershell

  1. ✅ Self Signed SSL Certificate
  2. ✅ SSL Certificates from Trusted CA

To obtain an SSL/TLS certificate you normally go to a public Certificate Authority (CA) such as GoDaddy, GlobalSign or DigiCert. In development and test environments, however, you can use a "self-signed certificate" instead. Browsers do not trust such a certificate: the connection is still encrypted, but the browser warns that it is not secure because it cannot verify who issued the certificate. You can get rid of the warning by adding the certificate to the trusted root store of the machine (or of the browser). Do this only on machines you control, because anything signed with that key is trusted there from then on, and keep the private key protected.

A "self-signed certificate" is a certificate that its owner has signed with the certificate's own private key (for example a server's own SSL/TLS certificate), rather than one issued by a third-party Certificate Authority (CA). Its Issuer and Subject fields are therefore identical.

Public Certificate Authorities are third-party organizations whose root certificates ship with browsers and operating systems. They verify that an applicant controls the domain (and, for some certificate types, the organization) named in the request and then sign the certificate; that signature is what lets a client establish a trusted connection.

GoDaddy
Let's Encrypt
VeriSign (Symantec)
DigiCert
GlobalSign
Comodo (Sectigo)
etc.

Generate Basic Self-Signed Certificate:

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "*.guler.com"

**Creating one certificate with several Subject Alternative Names [SAN]:
New-SelfSignedCertificate -DnsName "*.guler.com", "*.itteam.org" -CertStoreLocation "cert:\LocalMachine\My"

#Verify:
Get-ChildItem -Path Cert:\LocalMachine\My

#Get certificate expiry date and SAN list:
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object FriendlyName, NotAfter, DnsNameList
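As an added example (not code from the original post), the following creates one certificate with several SANs and prints the fields worth checking before the certificate is handed to a server, then lists the entries in the machine store that expire within 30 days. The host names and the friendly name are assumptions, and the session must be elevated because Cert:\LocalMachine\My is writable only by administrators.

```powershell
# Added example, not part of the original post. Host names are assumptions.
# Run in an elevated session: Cert:\LocalMachine\My is writable only by administrators.
$ErrorActionPreference = 'Stop'

$cert = New-SelfSignedCertificate `
    -DnsName "*.guler.com", "guler.com", "*.itteam.org" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -FriendlyName "Guler dev SAN certificate" `
    -NotBefore (Get-Date).AddDays(-1) `
    -NotAfter (Get-Date).AddYears(1)

function Get-CertificateSummary {
    # Returns the properties an operator checks before deploying a certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # GetRSAPublicKey returns $null for non-RSA keys (e.g. ECDSA), so guard it.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $keySize = if ($rsa) { $rsa.KeySize } else { 'n/a (not RSA)' }

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        Issuer        = $Certificate.Issuer
        SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)   # Issuer == Subject
        SANs          = ($Certificate.DnsNameList.Unicode -join ', ')    # SAN extension entries
        EKU           = ($Certificate.EnhancedKeyUsageList.FriendlyName -join ', ')
        SignatureAlg  = $Certificate.SignatureAlgorithm.FriendlyName
        KeySizeBits   = $keySize
        HasPrivateKey = $Certificate.HasPrivateKey
        NotBefore     = $Certificate.NotBefore
        NotAfter      = $Certificate.NotAfter
        DaysLeft      = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    }
}

Get-CertificateSummary -Certificate $cert | Format-List

function Get-ExpiringCertificate {
    # Lists store entries whose NotAfter falls within the next $WithinDays days,
    # which is the check you would schedule instead of reading NotAfter by eye.
    param([int]$WithinDays = 30, [string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($WithinDays) } |
        Sort-Object NotAfter |
        Select-Object Thumbprint, Subject, NotAfter
}

Get-ExpiringCertificate -WithinDays 30
```

For the certificate created above, Issuer and Subject are the same string, so SelfSigned is True, the SANs field lists all three names from -DnsName, and EKU shows "Server Authentication" only; that last point matters later, because such a certificate cannot be used for code signing.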

In PowerShell, "Get-Command -Module PKI" lists all the cmdlets available in the PKI (Public Key Infrastructure) module. This module provides tools for working with digital certificates and certificate stores.

Some of the most important parameters of the New-SelfSignedCertificate cmdlet:

-DnsName
  Specifies the DNS names the certificate is valid for. They are written to the Subject Alternative Name extension; when -Subject is omitted, the first name also becomes the Subject CN.
  Example: New-SelfSignedCertificate -DnsName "guler.com"

-CertStoreLocation
  Specifies the certificate store in which the certificate and its private key are created. Cert:\LocalMachine\My needs an elevated session; Cert:\CurrentUser\My does not.
  Example: New-SelfSignedCertificate -DnsName "guler.com" -CertStoreLocation "Cert:\LocalMachine\My"

-KeyLength
  Specifies the length of the key in bits (default for RSA: 2048).
  Example: New-SelfSignedCertificate -DnsName "guler.com" -KeyLength 2048

-Subject
  Specifies the subject name of the certificate as an X.500 distinguished name (at least a CN). Current browsers ignore the CN when matching the host name and use only the SAN entries from -DnsName.
  Example: New-SelfSignedCertificate -DnsName "guler.com" -Subject "CN=guler.com"

-NotBefore
  Specifies the start of the validity period (default: 10 minutes before creation, which absorbs small clock differences between machines).
  Example: New-SelfSignedCertificate -DnsName "guler.com" -NotBefore (Get-Date).AddDays(-1)

-NotAfter
  Specifies the end of the validity period (default: one year after NotBefore).
  Example: New-SelfSignedCertificate -DnsName "guler.com" -NotAfter (Get-Date).AddYears(2)

-FriendlyName
  Specifies a display name for the certificate in the store; it is not part of the certificate itself.
  Example: New-SelfSignedCertificate -DnsName "guler.com" -FriendlyName "Guler Wildcard Certificate"

-KeyAlgorithm
  Specifies the key algorithm: RSA (default) or an ECDSA curve such as ECDSA_nistP256.
  Example: New-SelfSignedCertificate -DnsName "guler.com" -KeyAlgorithm RSA

-HashAlgorithm
  Specifies the hash algorithm used for the signature (default: SHA256; SHA1 is deprecated and rejected by current browsers).
  Example: New-SelfSignedCertificate -DnsName "guler.com" -HashAlgorithm SHA256

Generate Advanced Self-Signed Certificate:

# Notes on the choices below:
# - -KeyUsage: DigitalSignature and KeyEncipherment are what an RSA TLS server
#   certificate needs; KeyAgreement applies to (EC)DH keys, not RSA, so it is left out.
# - -NotBefore (Get-Date) makes the certificate valid from this instant only; a client
#   whose clock runs slightly behind rejects it, so backdating by a day is safer.
# - -KeyExportPolicy Exportable is only needed if you intend to export a PFX;
#   use NonExportable when the key never leaves this machine.
# - -Provider selects the legacy CAPI provider for older software; omit it to use
#   the default CNG "Microsoft Software Key Storage Provider".
# - -Type SSLServerAuthentication sets the Server Authentication EKU only.
New-SelfSignedCertificate `
-CertStoreLocation Cert:\LocalMachine\My `
-DnsName "*.guler.com", "guler.com" `
-FriendlyName "Guler Wildcard Certificate" `
-Subject "CN=*.guler.com, O=GTech, OU=IT, L=OP, S=IST, C=TR, [email protected]" `
-NotBefore (Get-Date) `
-NotAfter (Get-Date).AddYears(2) `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyUsage DigitalSignature, KeyEncipherment `
-KeyExportPolicy Exportable `
-HashAlgorithm "SHA256" `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-Type SSLServerAuthentication

**This command creates a self-signed wildcard certificate for "*.guler.com" and "guler.com", valid for two years, and installs it together with its private key in the local machine's personal certificate store [Cert:\LocalMachine\My]. The cmdlet prints the new certificate's thumbprint, which you need for the export step below.

Export to a directory:

#Export the certificate with its private key as a PFX:
Get-ChildItem -Path Cert:\LocalMachine\My # note the Thumbprint of the certificate to export

# The PFX contains the private key: restrict who can read the file and delete it once it
# has been imported on the target. A password given as a literal like this ends up in the
# PowerShell history file; for anything beyond a lab, read it with Read-Host -AsSecureString.
Export-PfxCertificate -Cert Cert:\LocalMachine\My\[Thumbprint] -FilePath C:\example.pfx -Password (ConvertTo-SecureString -String "pass123" -Force -AsPlainText)

#Export all certificates under the cert:\LocalMachine\My store as one serialized store file [SST] (public parts only, no private keys):
Get-ChildItem -Path cert:\LocalMachine\My | Export-Certificate -FilePath c:\allcerts.sst -Type SST

#Export all certificates without their private keys, one DER-encoded CER file per certificate:

New-Item -ItemType Directory -Path "C:\CertExports" -Force | Out-Null
$certs = Get-ChildItem -Path cert:\LocalMachine\My
foreach ($cert in $certs) {
    # The thumbprint is unique per certificate, so it makes a safe file name.
    Export-Certificate -Cert $cert -FilePath "C:\CertExports\$($cert.Thumbprint).cer"
}

#Import the certificate into the Trusted Root store [Cert:\LocalMachine\Root] so that browsers and other clients on this machine accept it (elevated session required).
#Import the public .cer into Root, not the .pfx: the Root store only needs the public certificate to validate the chain, and the private key should exist only where it is used (Cert:\LocalMachine\My on the web server).

#Import a pfx file (certificate plus private key) into the personal store of the machine that will serve TLS with it:
Import-PfxCertificate -FilePath C:\example.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString -String "pass123" -AsPlainText -Force)

#Import the public cert file into the trusted root store:
Import-Certificate -FilePath "C:\guler.cer" -CertStoreLocation cert:\LocalMachine\Root
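As an added example (not from the original post), here is the trust step carried out with the public half only, with the chain checked before and after the import so you can see exactly what the Root store changes, plus the PEM and PFX exports a web server needs and the removal of the trust again at the end. The host name dev.guler.com and the paths under $env:TEMP are assumptions; the session must be elevated for the LocalMachine stores.

```powershell
# Added example, not part of the original post. Host name and paths are assumptions.
# Elevated session required (writes to LocalMachine\My and LocalMachine\Root).
$ErrorActionPreference = 'Stop'

$cert = New-SelfSignedCertificate -DnsName "dev.guler.com" `
    -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddMonths(6)

function Test-CertificateChain {
    # Builds the chain the way a TLS client on this machine would and reports the result.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed certificate has no CRL/OCSP
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Trusted = $trusted
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

"Before import:"; Test-CertificateChain $cert

# Export only the public certificate (DER). The private key stays in My.
$cerPath = Join-Path $env:TEMP 'dev.guler.com.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# PEM copy of the same bytes for Apache/Nginx style configuration. PEM wraps the
# base64 at 64 columns ([Convert]'s InsertLineBreaks option uses 76), so wrap by hand.
$b64 = [Convert]::ToBase64String($cert.RawData)
$pem = @('-----BEGIN CERTIFICATE-----') +
       ([regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }) +
       @('-----END CERTIFICATE-----')
Set-Content -Path (Join-Path $env:TEMP 'dev.guler.com.pem') -Value $pem -Encoding ASCII

# Trust it machine-wide: Root gets the .cer, never the .pfx.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
"After import:"; Test-CertificateChain $cert

# PFX for the web server: prompt for the password instead of typing it on the
# command line, where it would be recorded in the PowerShell history file.
$pfxPath  = Join-Path $env:TEMP 'dev.guler.com.pfx'
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Withdraw the trust again when the test is over; the key in My is untouched.
Remove-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
"After removal:"; Test-CertificateChain $cert
```

Before the import the chain build fails with an UntrustedRoot status; after the import it succeeds with an empty status, and after the removal it fails again. Revocation checking is switched off in the helper only because a self-signed certificate has no CRL or OCSP endpoint; leave it on when checking CA-issued certificates. The private key in the PFX is only as safe as the password and the file's ACL, so the PFX file should be deleted once it has been imported on the target server.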

✨The certificate created above carries only the Server Authentication EKU, so it is meant for TLS. To sign PowerShell scripts you need a certificate created with -Type CodeSigningCert, which sets the Code Signing EKU that Authenticode requires. The exported .pfx and .cer files can be converted to PEM (for example with openssl pkcs12) for use with web servers such as Apache or Nginx.
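As an added example (not code from the original post), this creates a dedicated self-signed code-signing certificate, checks that it actually carries the Code Signing EKU, trusts its public half, signs a constructed sample script and then shows what happens to the signature when the script is modified. The subject name, the script content and the paths under $env:TEMP are assumptions; the session must be elevated for the LocalMachine stores.

```powershell
# Added example, not part of the original post. Subject and paths are assumptions.
# Elevated session required for the LocalMachine stores.
$ErrorActionPreference = 'Stop'

# Authenticode needs the Code Signing EKU (1.3.6.1.5.5.7.3.3). -Type CodeSigningCert
# sets it; -Type SSLServerAuthentication does not, so a TLS certificate cannot sign scripts.
$signer = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject "CN=Guler Script Signing" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyExportPolicy NonExportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

function Test-CodeSigningCertificate {
    # True when the certificate's EKU list includes the Code Signing OID.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $Certificate.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3'
}
if (-not (Test-CodeSigningCertificate $signer)) {
    throw "Certificate $($signer.Thumbprint) is not usable for code signing"
}

# Trust the public half only: Root so the chain validates, TrustedPublisher so that
# scripts signed with it run without a prompt under the AllSigned execution policy.
$cerPath = Join-Path $env:TEMP "$($signer.Thumbprint).cer"
Export-Certificate -Cert $signer -FilePath $cerPath | Out-Null
foreach ($store in 'Root', 'TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
}

# Constructed sample script to sign.
$scriptPath = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'

$signature = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $signer -HashAlgorithm SHA256
"After signing:   " + $signature.Status

# Change the script body above the signature block: the embedded hash no longer
# matches the content, so the script is no longer reported as validly signed.
$lines = Get-Content -Path $scriptPath
Set-Content -Path $scriptPath -Value (@('Write-Output "tampered"') + $lines)
"After tampering: " + (Get-AuthenticodeSignature -FilePath $scriptPath).Status

# Cleanup: withdraw the trust; the signing key itself stays in My.
foreach ($store in 'Root', 'TrustedPublisher') {
    Remove-Item -Path "Cert:\LocalMachine\$store\$($signer.Thumbprint)"
}
```

Right after signing the status is Valid; after the file is changed it is no longer Valid, which is the property that execution policies such as AllSigned rely on. The key is created NonExportable on purpose: a signing key that can be copied out of the store is a signing key that can be stolen, and a stolen key is trusted by every machine that has this certificate in Root and TrustedPublisher.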

#Delete a self-signed certificate together with its private key (-DeleteKey also removes the key container; without it the orphaned key stays on disk):

Remove-Item -Path Cert:\CurrentUser\My\[Thumbprint] -DeleteKey
Remove-Item -Path Cert:\LocalMachine\My\[Thumbprint] -DeleteKey

#If you imported the certificate into Cert:\LocalMachine\Root, delete that copy as well, otherwise the machine keeps trusting a certificate whose key you have discarded.

Troubleshooting counts as successful once you can put the pieces of the puzzle together. 💖❤︎

This post is licensed under CC BY 4.0 by the author.