There's a tool in PowerShell called New-SelfSignedCertificate that we can use to create self-signed certificates for CA purposes.
But I just can't figure out if it's possible to create child certificates issued/signed by that certificate created before by this New-SelfSignedCertificate. Actually I can do that with makecert.exe, but I would like to script it in PowerShell.
For example, in makecert.exe, I execute these commands:

1) Creating the CA cert:

```
makecert.exe -sk RootCA -sky signature -pe -n CN=ca.com -r -sr LocalMachine -ss Root RootCA
```

2) Creating another cert for the server, signed by the above CA:

```
makecert.exe -sk server -sky exchange -pe -n CN=server.com -ir LocalMachine -is Root -ic RootCA -sr LocalMachine -ss My server.com
```
In PowerShell I just know how to create a CA, using this command:

```powershell
New-SelfSignedCertificate -DnsName "ca.com" -CertStoreLocation cert:Localmachine/My
```

But how do I create another cert signed by that one above?
Another thing: when I try to set -CertStoreLocation = cert:Localmachine/**Root** I get an error message saying that I can only create a certificate in the MY store (I am already executing as administrator).
Thanks.
I am so sorry to be late to the party, I'm well aware it's been two years since this question was asked.
However, to share with those who may find this entry when searching - there is now a way (documented on this excellent blog by David Christiansen)
In summary,
```powershell
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Your root CA name here"
```

Note down the thumbprint returned from this command.
Next, create a secure password and export the root CA into a file:

```powershell
$pwd = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
Export-PfxCertificate -cert cert:\localMachine\my\[CA thumbprint] -FilePath root-authority.pfx -Password $pwd
Export-Certificate -Cert cert:\localMachine\my\[CA thumbprint] -FilePath root-authority.crt
```
Note that the crt file does not need a password as it is the public component of the certificate.
Now load the signing certificate into memory and create a certificate signed by this cert, exporting it with a password.

```powershell
$rootcert = ( Get-ChildItem -Path cert:\LocalMachine\My\[CA Thumbprint] )
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Your DNS Name Here" -Signer $rootcert
```

Note down the thumbprint returned from the self-signed cert command to export it.

```powershell
$pwd2 = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
Export-PfxCertificate -cert cert:\localMachine\my\[Cert Thumbprint] -FilePath gateway-certificate.pfx -Password $pwd2
Export-Certificate -Cert cert:\localMachine\my\[Cert Thumbprint] -FilePath gateway.crt
```
It seems cumbersome to note the hashes of the certificates manually. It's simpler to do it like this:

```powershell
# create root certificate (the returned object carries the thumbprint, so no copy/paste needed)
$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "Root CA Name"

# export root certificate
[System.Security.SecureString]$rootCertPassword = ConvertTo-SecureString -String "znft5yeL34pxCu3nATlt1gMazX0NM8FVvr9yZOhcS79yJm8kUVjhA17UuWkQOb0u" -Force -AsPlainText
[String]$rootCertPath = Join-Path -Path 'cert:\localMachine\my\' -ChildPath "$($rootCert.Thumbprint)"
Export-PfxCertificate -Cert $rootCertPath -FilePath 'root-authority.pfx' -Password $rootCertPassword   # private key
Export-Certificate -Cert $rootCertPath -FilePath 'root-authority.crt'                                   # public key

# use root certificate to sign gateway certificate (multiple DNS names become SAN entries)
$gatewayCert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "*.example.com","*.example.org" -Signer $rootCert

# export gateway certificate
[System.Security.SecureString]$gatewayCertPassword = ConvertTo-SecureString -String "Xc8FlsHq8hmLnKXk4AaD8ug6HYH2dpSWLjwg9eNeDIK103d3akbd0OccgZZ6bL48" -Force -AsPlainText
[String]$gatewayCertPath = Join-Path -Path 'cert:\localMachine\my\' -ChildPath "$($gatewayCert.Thumbprint)"
Export-PfxCertificate -Cert $gatewayCertPath -FilePath gateway-certificate.pfx -Password $gatewayCertPassword   # private key
Export-Certificate -Cert $gatewayCertPath -FilePath gateway.crt                                                 # public key
```

Also, for a production environment, you probably want to use ACMESharp to create free TLS certificates.
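Both answers above build the chain from a root created with `-DnsName` alone, which yields a server-authentication certificate without a CA basic constraint. The following is an added example, not code from either answer, that creates the root with `CA=true` and certificate-signing key usage, issues the leaf with `-Signer`, publishes the root's public part to the Trusted Root store by export and import (since `New-SelfSignedCertificate` only writes to `My`, the error from the question), and then verifies that the chain builds. The subject names, DNS names, file paths and validity periods are assumptions for illustration; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original answers): proper root CA + leaf chain.
# Names, paths and lifetimes below are assumptions chosen for illustration.
$ErrorActionPreference = 'Stop'

# 1. Root CA: basic constraint CA=true and CertSign/CRLSign key usage mark it
#    as an issuer; -Type Custom avoids the default server-auth EKU on a root.
$rootCert = New-SelfSignedCertificate `
    -Subject 'CN=Example Lab Root CA' `
    -Type Custom -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={text}CA=true&pathlength=0') `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Leaf server certificate issued by the root (-Signer); each -DnsName
#    value becomes a Subject Alternative Name entry.
$leafCert = New-SelfSignedCertificate `
    -DnsName 'server.example.com', 'www.example.com' `
    -Signer $rootCert `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. The cmdlet only creates into the My store, so trust the root by exporting
#    its public part and importing that (no private key) into Trusted Root.
$rootCer = Export-Certificate -Cert $rootCert -FilePath "$env:TEMP\lab-root.cer"
Import-Certificate -FilePath $rootCer.FullName `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Verify the chain really builds from the leaf to the trusted root.
#    Revocation is skipped because this lab CA publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($leafCert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain validation failed: $status"
}
'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')

# 5. Export the leaf with its private key for the server; the PFX password is
#    read interactively rather than hard-coded in the script.
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $leafCert -FilePath "$env:TEMP\server.pfx" -Password $pfxPwd | Out-Null
```

The root's private key never leaves the `My` store here; only the `.cer` (public part) is imported into `Root`, which is all a relying machine needs to trust certificates issued by it.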