Menu
I want to test SSL connections in an development environment with IIS. For this i need to crate a self-signed root certificate that gets installed in the machine store, and also another certificate that gets signed with the root certificate to install in IIS.
Doing it with makecert is deprecated now, so I am wondering how to do it with Powershell and the New-SelfSignedCertificate command.
Bonus points if you get the key usage settings right :-)
Note: using the self-signed certificated directly in IIS does not work, since the browser and WCF considers them invalid.
for reference, here is how to do it with makecert:
# create the self signed root certificate
makecert -n "CN=root.lan" -r -sv root.pvk root.cer
# create the certificate for IIS that gets signed with the root certificate
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe
# convert to other formats
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx
231
The new version of New-SelfSignedCertificate, which included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information.
The documentation and the examples could seems still not clear enough for creating two certificates:
The implementation could be the following (I wrote below the option in multiple lines only to make the text more readable):
New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096
-Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE"
-KeyUsage DigitalSignature,CertSign -NotAfter (get-date).AddYears(10)
-CertStoreLocation "Cert:\CurrentUser\My" -Type Custom
the output will look like
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
B7DE93CB88E99B01D166A986F7BF2D82A0E541FF CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE
The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for usage the certificate for signing. If you forget the value you can find it by CN name
dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"
or by usage certutil.exe -user -store My to display certificates on My store of the current user.
To create SSL certificate and to sign it with respect of previously created certificate one can do for example the following
New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org"
-HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048
-KeyUsage KeyEncipherment,DigitalSignature
-CertStoreLocation "cert:\LocalMachine\My"
-Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")
It seems to me that the final certificate will have all properties required. It's clear that the values from many from above parameters contains examples only any you have to modify there based on your requirements. I don't describe here some other common steps like importing root certificate in Trusted Root, exporting the certificates and so on. The steps are not the psrt of your main question.
169
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
