Generate a Self-Signed Digital Certificate with PowerShell
- ✅ Self Signed SSL Certificate
- ✅ SSL Certificates from Trusted CA
To obtain an SSL/TLS certificate you normally go to a public Certificate Authority (CA) such as GoDaddy, GlobalSign or Let's Encrypt. In development and test environments you can instead use a "self-signed certificate". The connection is still encrypted, but browsers and operating systems do not trust such a certificate, so "your connection is not secure" warnings are normal. You get rid of the warning by adding the certificate to the trusted certificate store of the browser or the machine; do that only for certificates you generated yourself, on machines you control.
A "self-signed certificate" is a certificate signed with its own private key by the entity that owns it (for example the web server operator), rather than by a third-party Certificate Authority (CA). Nobody independent vouches for the identity it contains, which is why clients refuse it by default.
Public Certificate Authorities are third-party organizations whose root certificates ship in browser and operating-system trust stores. They verify that the applicant controls the domain (and, for OV/EV certificates, the organization) before signing, and that signature is what lets a client establish a trusted connection without a warning. Well-known public CAs include:
GoDaddy
Let's Encrypt
VeriSign (Symantec)
DigiCert
GlobalSign
Comodo (Sectigo)
etc.
Generate Basic Self-Signed Certificate:
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "*.guler.com"
Creating one certificate with several Subject Alternative Names [SAN]:
New-SelfSignedCertificate -DnsName "*.guler.com", "*.itteam.org" -CertStoreLocation "cert:\LocalMachine\My"
#Verify (the thumbprint shown here is what later export/remove commands need):
Get-ChildItem -Path Cert:\LocalMachine\My
#Get certificate expiry date and the DNS names in the SAN extension:
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object Thumbprint, FriendlyName, NotAfter, DnsNameList
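The verify step above only lists raw dates. The following is an added example (not part of the original page) that turns the same store listing into an expiry report: it resolves the SAN names, computes the days left, flags whether the certificate is self-signed (subject equals issuer) and marks anything expired or inside a warning window. The 30-day window and the store path are assumptions; change them to suit.

```powershell
# Added example: expiry report for a certificate store.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the Cert: drive.
function Get-CertExpiryReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # store to inspect (assumption)
        [int]$WarnDays = 30                             # warning window in days (assumption)
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        # Whole days between now and NotAfter; negative means already expired.
        $daysLeft = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            Thumbprint   = $_.Thumbprint
            FriendlyName = $_.FriendlyName
            Subject      = $_.Subject
            # DnsNameList is the SAN list the Cert: provider exposes on each certificate.
            DnsNames     = ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
            NotAfter     = $_.NotAfter
            DaysLeft     = $daysLeft
            SelfSigned   = ($_.Subject -eq $_.Issuer)
            Status       = if ($daysLeft -lt 0) { 'EXPIRED' }
                           elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                           else { 'OK' }
        }
    }
}

# Usage: soonest expiry first. Run elevated to read LocalMachine stores.
Get-CertExpiryReport | Sort-Object DaysLeft | Format-Table -AutoSize
```

Pipe the output through `Where-Object Status -ne 'OK'` to get only the certificates that need attention.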
In PowerShell, "Get-Command -Module PKI" lists all the cmdlets available in the PKI (Public Key Infrastructure) module. This module provides tools for working with digital certificates and certificate stores.
Some of the most important parameters of the New-SelfSignedCertificate cmdlet (the examples follow the values used in the scripts on this page):
Parameter | Description | Example |
---|---|---|
-DnsName | DNS names the certificate is valid for. They are written into the Subject Alternative Name extension; when -Subject is omitted the first name also becomes the CN. | New-SelfSignedCertificate -DnsName "guler.com" |
-CertStoreLocation | Certificate store in which the certificate and its private key are created. | New-SelfSignedCertificate -DnsName "guler.com" -CertStoreLocation Cert:\LocalMachine\My |
-KeyLength | Length of the key in bits (RSA default 2048; do not go below it). | New-SelfSignedCertificate -DnsName "guler.com" -KeyLength 4096 |
-Subject | Subject distinguished name (CN, O, OU, C, ...) of the certificate. | New-SelfSignedCertificate -DnsName "guler.com" -Subject "CN=guler.com, O=GTech, C=TR" |
-NotBefore | Start date and time of the validity period (default: now). | New-SelfSignedCertificate -DnsName "guler.com" -NotBefore (Get-Date) |
-NotAfter | End date and time of the validity period (default: one year after NotBefore). | New-SelfSignedCertificate -DnsName "guler.com" -NotAfter (Get-Date).AddYears(2) |
-FriendlyName | Display name shown in the certificate store UI; does not affect validation. | New-SelfSignedCertificate -DnsName "guler.com" -FriendlyName "Guler Dev Certificate" |
-KeyAlgorithm | Key algorithm to use (RSA, or an ECDSA curve such as ECDSA_nistP256). | New-SelfSignedCertificate -DnsName "guler.com" -KeyAlgorithm RSA |
-HashAlgorithm | Hash algorithm for the signature (default SHA256; avoid SHA1). | New-SelfSignedCertificate -DnsName "guler.com" -HashAlgorithm SHA256 |
Generate Advanced Self-Signed Certificate:
# KeyUsage: DigitalSignature + KeyEncipherment is what an RSA TLS server key needs.
# KeyAgreement only applies to DH/ECDH keys and is left out here.
# -Type SSLServerAuthentication is also the default; it is kept for clarity.
New-SelfSignedCertificate `
-CertStoreLocation Cert:\LocalMachine\My `
-DnsName "*.guler.com", "guler.com" `
-FriendlyName "Guler Wildcard Certificate" `
-Subject "CN=*.guler.com, O=GTech, OU=IT, L=OP, S=IST, C=TR, [email protected]" `
-NotBefore (Get-Date) `
-NotAfter (Get-Date).AddYears(2) `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyUsage DigitalSignature, KeyEncipherment `
-KeyExportPolicy Exportable `
-HashAlgorithm "SHA256" `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-Type SSLServerAuthentication
This script creates a self-signed wildcard certificate for "*.guler.com" and "guler.com", valid for two years, and stores it together with its private key in the local machine's Personal store [Cert:\LocalMachine\My]. Two caveats: -KeyExportPolicy Exportable lets any local administrator pull the private key out of the store, so use NonExportable unless you really need the PFX on another host; and -Provider selects the legacy CAPI provider, which is only needed for old applications that cannot use the default "Microsoft Software Key Storage Provider" (CNG).
Export to Dir:
#Export the certificate with its private key as a PFX (the password protects the key; pick a strong one and do not leave it in scripts):
Get-ChildItem -Path Cert:\LocalMachine\My # note the Thumbprint of the certificate you want
Export-PfxCertificate -Cert Cert:\LocalMachine\My\[Thumbprint] -FilePath C:\example.pfx -Password (ConvertTo-SecureString -String "pass123" -Force -AsPlainText)
#Export all certificates under cert:\LocalMachine\My into one serialized store file [SST] (public parts only, no private keys):
Get-ChildItem -Path cert:\LocalMachine\My | Export-Certificate -FilePath c:\allcerts.sst -Type SST
#Export every certificate without its private key as a separate CER file, named by thumbprint:
New-Item -ItemType Directory -Path "C:\CertExports" -Force | Out-Null
$certs = Get-ChildItem -Path cert:\LocalMachine\My
foreach ($cert in $certs) {
Export-Certificate -Cert $cert -FilePath "C:\CertExports\$($cert.Thumbprint).cer"
}
#Import the certificate into Trusted Root CAs. Import only the public .cer there: the Root store is a trust anchor for every TLS connection on the machine, and a PFX would put the private key next to it. If that key leaks, its holder can impersonate any site the wildcard covers.
#Import a PFX (certificate + private key) on the machine that will serve TLS; it belongs in the Personal store, not in Root:
Import-PfxCertificate -FilePath C:\example.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString -String "pass123" -AsPlainText -Force)
#Import the public .cer into Trusted Root CAs so clients on this machine trust the certificate:
Import-Certificate -FilePath "C:\guler.cer" -CertStoreLocation cert:\LocalMachine\Root
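The create, export and import steps above are shown one command at a time. The script below is an added example (not part of the original page) that runs the whole workflow in the order a practitioner should: create the wildcard certificate with a key usage that fits an RSA key, export the public .cer and a PFX protected by a random password, trust only the .cer in LocalMachine\Root, then run two checks: that Root contains no private keys, and that Test-Certificate validates the certificate for a covered hostname under the SSL policy. The names guler.com and GTech follow the page; C:\CertExports, the one-year lifetime and the 3072-bit key are assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example: end-to-end self-signed TLS certificate for a dev/test host.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session with the PKI module.
$ErrorActionPreference = 'Stop'
$exportDir = 'C:\CertExports'                       # export location (assumption)
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Create the certificate. KeyAgreement is omitted on purpose: it is for DH/ECDH
#    keys, not RSA. Exportable is needed only because the PFX is exported below.
$cert = New-SelfSignedCertificate `
    -CertStoreLocation Cert:\LocalMachine\My `
    -DnsName '*.guler.com', 'guler.com' `
    -Subject 'CN=*.guler.com, O=GTech, C=TR' `
    -FriendlyName 'Guler Wildcard (dev)' `
    -NotAfter (Get-Date).AddYears(1) `
    -KeyAlgorithm RSA -KeyLength 3072 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 `
    -Type SSLServerAuthentication

# 2a. Public certificate only: safe to hand out and safe to trust.
$cerPath = Join-Path $exportDir "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 2b. Certificate + private key, protected by a random 32-byte password that is
#     shown once. Store it in a secret manager; never hard-code it in a script.
$pfxPath = Join-Path $exportDir "$($cert.Thumbprint).pfx"
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pfxPassword = [Convert]::ToBase64String($bytes)
Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
    -Password (ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force) | Out-Null
Write-Host "PFX written to $pfxPath; password (save it now): $pfxPassword"

# 3. Trust anchor: the .cer goes into Root. The .pfx never does.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4a. Check: nothing in Root should carry a private key on this machine.
$leaky = Get-ChildItem Cert:\LocalMachine\Root | Where-Object HasPrivateKey
if ($leaky) {
    Write-Warning "Private keys found in Root: $($leaky.Thumbprint -join ', ')"
} else {
    Write-Host 'Root store check: no private keys present.'
}

# 4b. Check: chain + hostname validation under the SSL policy. Without
#     -AllowUntrustedRoot this passes only because step 3 put the .cer in Root.
$ok = Test-Certificate -Cert $cert -Policy SSL -DNSName 'www.guler.com' -ErrorAction SilentlyContinue
Write-Host "SSL validation for www.guler.com: $ok"
```

Test-Certificate returns $true or $false and writes the failing check (untrusted root, name mismatch, expiry) as an error, so running it against a hostname outside the SAN list, for example `api.other.org`, is a quick way to confirm the wildcard does not match more than intended.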
✨ The certificate is now trusted locally and can be converted to the format other web servers (Apache, Nginx, etc.) expect. Note that signing PowerShell scripts is a separate use case: Set-AuthenticodeSignature requires a certificate with the Code Signing EKU, so create one with -Type CodeSigningCert rather than reusing the server-authentication certificate above.
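The two follow-on uses just mentioned, script signing and conversion for Apache/Nginx, as an added example that is not part of the original page. It creates a dedicated code-signing certificate, trusts it as a publisher (self-signed, so its .cer must be in both Root and TrustedPublisher for the status to be Valid), signs a throwaway script and verifies the signature; then it splits the server PFX from this page (C:\example.pfx) into PEM certificate and key files with openssl. Assumptions: openssl is on PATH, C:\CertExports exists or can be created, and the PFX password is entered at the prompt.

```powershell
# Added example: code-signing certificate + Authenticode check, then PFX -> PEM.
# Assumes Windows PowerShell 5.1 / PowerShell 7 and openssl on PATH.
$ErrorActionPreference = 'Stop'

# 1. Dedicated code-signing certificate in the user's Personal store.
$signer = New-SelfSignedCertificate `
    -Subject 'CN=Guler Script Signing (dev)' `
    -Type CodeSigningCert `
    -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddYears(1)

# 2. Trust it as a publisher. A self-signed signer needs its public .cer in
#    Root (chain builds) and in TrustedPublisher (AllSigned/RemoteSigned accept it).
$cerPath = Join-Path $env:TEMP 'guler-signer.cer'
Export-Certificate -Cert $signer -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# 3. Sign a throwaway script and verify the signature.
$scriptPath = Join-Path $env:TEMP 'hello-signed.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "signed hello"'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $signer -HashAlgorithm SHA256 | Out-Null
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
$signerMatches = ($sig.SignerCertificate.Thumbprint -eq $signer.Thumbprint)
Write-Host "Signature status: $($sig.Status); signed by our certificate: $signerMatches"

# 4. PEM files for Apache/Nginx from the server PFX. The password is passed to
#    openssl through an environment variable so it does not appear on the command line.
#    The key is written unencrypted (-nodes): lock down its ACL on the web host.
$pfx = 'C:\example.pfx'                              # PFX exported earlier on this page
$outDir = 'C:\CertExports'                           # output directory (assumption)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$env:PFXPASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    & openssl pkcs12 -in $pfx -clcerts -nokeys -out (Join-Path $outDir 'server.crt') -passin env:PFXPASS
    & openssl pkcs12 -in $pfx -nocerts -nodes -out (Join-Path $outDir 'server.key') -passin env:PFXPASS
} finally {
    Remove-Item Env:\PFXPASS -ErrorAction SilentlyContinue   # do not leave the password in the session
}
Write-Host "PEM files written to $outDir (server.crt, server.key)"
```

If step 3 reports a status of UnknownError, the .cer import into Root did not take effect; NotTrusted means TrustedPublisher is missing. Point Nginx at `server.crt` and `server.key` with `ssl_certificate` / `ssl_certificate_key`, and at Apache with `SSLCertificateFile` / `SSLCertificateKeyFile`.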
#Delete Self-Signed Certificate (-DeleteKey also removes the private key; without it the key stays in the key store):
#Remove-Item -Path Cert:\CurrentUser\My\[Thumbprint] -DeleteKey
#Remove-Item -Path Cert:\LocalMachine\My\[Thumbprint] -DeleteKey -Force
#If you also added the public certificate to the Root store, remove it there as well:
#Remove-Item -Path Cert:\LocalMachine\Root\[Thumbprint] -Force
Error resolution is considered successful if you can put the pieces of the puzzle together. 💖❤︎