I've been trying to figure out how to do this much of this afternoon, so it's very possible I'm missing something simple.
I need to create a self-signed certificate on Windows Server 2012 R2 that is SHA256, 2048 bit, and doesn't expire for four years.
From my searching I see that PowerShell (PS) is the way to go, and see a reasonable number of examples - none of which have everything I need.
For example I tried searching for the PS command New-SelfSignedCertificate and adding the "-NotAfter" option, but I get the error message "A parameter cannot be found that matches parameter name 'NotAfter'."
Even though I see "[-NotAfter]" here: https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/new-selfsignedcertificate (and that article has a March 2017 update)
I've tried a couple of PS scripts people wrote; those seem to work with a 1+ year date, but they all don't work with one of the above criteria and, in any event, don't show up in IIS 8.5 for me to bind them to a site (I'm creating on the server).
$psversiontable on the server gives "PSVersion" = 5.0.10586.117
Thanks in advance for the help!
The New-SelfSignedCertificate (PKIClient module) cmdlet with advanced parameters is available starting from Windows Server 2016. The article you've mentioned applies to Server 2016 only.
In Windows 2012/2012 R2 you only have this thing: New-SelfSignedCertificate (PKI module). It is useless.
You can try to use the CertReq utility instead, but it is not automation-friendly.
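The CertReq route mentioned in the answer above, written out as an added example (it is not part of the original question or answer): a request INF with RequestType = Cert makes certreq.exe issue a self-signed SHA256, 2048-bit certificate valid for four years and place it in the Local Computer Personal store, which is the store IIS Manager reads. The host name www.example.test, the working directory and the file names are assumptions; run it from an elevated prompt.

```powershell
# Added example: self-signed TLS certificate via certreq.exe on Windows Server 2012 R2.
# $dnsName, $workDir and the file names are placeholders (assumptions), not values from the page.
$dnsName = 'www.example.test'
$workDir = Join-Path $env:TEMP 'selfsigned'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$cerPath = Join-Path $workDir 'selfsigned.cer'
Remove-Item $cerPath -ErrorAction SilentlyContinue   # avoid certreq's overwrite prompt

# RequestType = Cert -> self-signed certificate instead of a CSR.
# ValidityPeriod/ValidityPeriodUnits are only honoured for RequestType = Cert.
# MachineKeySet = TRUE -> key and certificate land in LocalMachine\My.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$dnsName"
RequestType = Cert
KeyLength = 2048
HashAlgorithm = sha256
ValidityPeriod = Years
ValidityPeriodUnits = 4
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$dnsName&"
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

& certreq.exe -new $infPath $cerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Confirm the result: hash algorithm, key size, expiry and presence of the private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$dnsName" } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
        @{n='SigAlg';e={$_.SignatureAlgorithm.FriendlyName}},
        @{n='KeyBits';e={$_.PublicKey.Key.KeySize}}
```

Exportable = FALSE keeps the private key from being exported off the server; set it to TRUE only if the certificate has to be moved to another machine as a PFX.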