Creating self-signed certificate via PowerShell


Creating a self-signed certificate via PowerShell is easy and useful for test environments or internal applications. Below is a step-by-step guide on how to do this and the advantages it offers.

Step 1: Open PowerShell

Start PowerShell as an administrator. Writing to the LocalMachine certificate store (used in the next step) requires administrator rights; without them the cmdlet fails with an access-denied error.

Step 2: Use the New-SelfSignedCertificate cmdlet

Run the following command to create a self-signed certificate:

$cert = New-SelfSignedCertificate -DnsName "your.domain.com" -CertStoreLocation "Cert:\LocalMachine\My"

This command creates a self-signed certificate for “your.domain.com” and stores it in the local machine’s certificate store.

Step 3: Export the certificate (optional)

If you want to export the certificate, use the following commands:

# Use a dedicated variable: $pwd is PowerShell's automatic current-directory variable and cannot be reassigned
$pfxPassword = ConvertTo-SecureString -String "yourPassword" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\path\to\certificate.pfx" -Password $pfxPassword

This exports the certificate together with its private key to a PFX file, protected with the password. Because the file contains the private key, treat it as a secret: store it only where needed and delete temporary copies.
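The following added example (not part of the original post) checks what Steps 1 to 3 actually produced. It assumes $cert still holds the object returned by New-SelfSignedCertificate and that the hostname matches the one passed to -DnsName; it uses the Test-Certificate cmdlet from the PKI module to show the trust gap described later in this post.

```powershell
# Added example: inspect and validate the certificate created in Step 2.
# Assumes $cert was returned by New-SelfSignedCertificate and $HostName is the -DnsName value.
$HostName = "your.domain.com"

# Look the certificate up by thumbprint; friendly names and subjects are not unique in a store.
$found = Get-ChildItem -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"

# Properties that matter for TLS: subject, SAN, validity window, key size, signature hash.
$found | Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
    @{ Name = 'SAN';       Expression = { ($_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }).Format($false) } },
    @{ Name = 'KeyLength'; Expression = { $_.PublicKey.Key.KeySize } },
    @{ Name = 'Hash';      Expression = { $_.SignatureAlgorithm.FriendlyName } }

# Chain validation as a TLS server certificate for this hostname.
# Without -AllowUntrustedRoot this is $false for a self-signed certificate that has not been
# added to the Root store: no third party vouches for it, which is the drawback discussed below.
$trustedHere = Test-Certificate -Cert $found -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue
$validApartFromRoot = Test-Certificate -Cert $found -Policy SSL -DNSName $HostName -AllowUntrustedRoot

"Trusted by this machine as-is: $trustedHere"
"Valid for $HostName apart from the untrusted root: $validApartFromRoot"

# Self-signed certificates cannot be revoked, so expiry is the only built-in cut-off; warn early.
if ($found.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($found.Thumbprint) expires on $($found.NotAfter); plan its replacement."
}
```

New-SelfSignedCertificate defaults to a one-year validity, so on a fresh certificate the expiry warning stays silent; the first Test-Certificate call is the one that demonstrates why browsers warn.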

Benefits of Creating Self-Signed Certificates via PowerShell

  1. Cost-saving: Self-signed certificates are free, unlike certificates from commercial Certificate Authorities (CAs).
  2. Easy to create: As described above, you can quickly create a certificate with just a few simple PowerShell commands.
  3. Ideal for testing: For development and test environments, self-signed certificates are perfect as they are free and quick to generate.
  4. Internal use: For internal applications within an organization where communication doesn’t leave the network, self-signed certificates can be sufficient.

Drawbacks of Self-Signed Certificates

  1. Scalability issues: In large infrastructures, self-signed certificates can cause problems, especially when updating root certificates across multiple systems.
  2. Limited trustworthiness: Self-signed certificates are not validated by a trusted third party, such as a Certificate Authority. As a result, browsers, operating systems, and other software don’t automatically trust them.
  3. Browser warnings: Modern browsers display warnings when encountering a self-signed certificate. This may discourage users and reduce trust in your site or application.
  4. No revocation options: Self-signed certificates cannot be revoked. If a certificate is compromised, you can’t invalidate it, which poses a security risk.
  5. Security risks: Without validation by a CA, nothing ties the public key to the domain owner. A client that has been taught to accept a self-signed certificate cannot tell the legitimate one from a look-alike presented by an interposed attacker, so the certificate is only as trustworthy as the out-of-band process used to distribute and pin it.
  6. Manual configuration: Using self-signed certificates often requires manual setup and management. This can be error-prone and may lead to the use of weak cryptographic standards.
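The following added example (not part of the original post) shows how to address drawbacks 4 and 6 at creation time: every cryptographic choice is made explicit rather than left to defaults, the key is non-exportable, the certificate is restricted to server authentication, and its lifetime is kept short because it can never be revoked. The hostname and friendly name are placeholders; the parameters used are documented parameters of New-SelfSignedCertificate.

```powershell
# Added example: a constrained self-signed certificate for an internal test host.
# $HostName is a placeholder; replace it with the name clients will connect to.
$HostName = "app.internal.example"

$params = @{
    Subject           = "CN=$HostName"
    DnsName           = $HostName                          # goes into the SAN; modern clients ignore CN alone
    CertStoreLocation = "Cert:\LocalMachine\My"
    FriendlyName      = "Internal test - $HostName"
    KeyAlgorithm      = "RSA"
    KeyLength         = 3072
    HashAlgorithm     = "SHA256"
    KeyExportPolicy   = "NonExportable"                    # the private key cannot be copied off this machine
    KeyUsage          = @("DigitalSignature", "KeyEncipherment")
    TextExtension     = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")   # EKU restricted to serverAuth
    NotAfter          = (Get-Date).AddDays(90)             # short lifetime limits exposure, since revocation is impossible
    Provider          = "Microsoft Software Key Storage Provider"
}
$cert = New-SelfSignedCertificate @params

# To make this test machine trust the certificate, import only the public part into the
# Root store. A PFX export (private key included) is not needed for that and would fail
# anyway with a non-exportable key.
$cerPath = Join-Path $env:TEMP "$HostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
Remove-Item $cerPath

"Created $($cert.Thumbprint), valid until $($cert.NotAfter), exportable: $($cert.PrivateKey -ne $null)"
```

The deliberate trade-off is that a non-exportable key means the certificate cannot be moved to a second host; for a test machine that is the intended behaviour, and a second host gets its own certificate the same way.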

While self-signed certificates are not suitable for production environments where security and trust are critical, they do offer a quick and cost-effective solution for internal and testing purposes. Using PowerShell, you can create these certificates easily and efficiently, which can help speed up your development process.

Example Script

# Define variables, including the account that will be granted read access to the private key.
# Get-Credential is used for two things here: its user name is the account to grant access to,
# and its password becomes the PFX password.
$FriendlyName = "Friendly name"
$DNS = "domain.com"
$TEMP = "$env:TEMP"
$CertStorePersonal = "Cert:\LocalMachine\My"
$CertStoreTrusted = "Cert:\LocalMachine\Root"
$Credential = Get-Credential
$Password = $Credential.Password
$UserName = $Credential.UserName

# Create self-signed certificate.
# Key usage for an RSA TLS server certificate is DigitalSignature and KeyEncipherment;
# KeyAgreement is meant for (EC)DH keys and does not fit an RSA certificate.
$cert = New-SelfSignedCertificate -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable -KeyDescription $FriendlyName `
-KeyFriendlyName $FriendlyName -FriendlyName $FriendlyName -Subject $DNS -DnsName $DNS -CertStoreLocation `
$CertStorePersonal

# Export PFX and import it into the Trusted Root store so this machine trusts the certificate
Export-PfxCertificate -Cert $cert -FilePath "$TEMP\$FriendlyName.pfx" -Password $Password
Import-PfxCertificate -Password $Password -CertStoreLocation $CertStoreTrusted -FilePath "$TEMP\$FriendlyName.pfx"
Remove-Item "$TEMP\$FriendlyName.pfx"   # the PFX contains the private key; do not leave it in TEMP

# Add ACL to the private key.
# Look the certificate up again by thumbprint (the only unique identifier in a store).
$SSLCert = Get-ChildItem $CertStorePersonal | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
# Software KSP keys are files under the machine key store; UniqueName is the file name.
$privKey = ([System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($SSLCert)).Key.UniqueName
$keyPath = "$($env:ProgramData)\Microsoft\Crypto\Keys"
$privKeyPath = Get-Item (Join-Path $keyPath $privKey)
$Acl = Get-Acl $privKeyPath
# Read is enough for a service account to use the key; avoid granting Modify or FullControl
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($UserName, "Read", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl -Path $privKeyPath.FullName -AclObject $Acl

# Remove the self-signed certificate again from both stores (run this part separately, once the
# certificate is no longer needed; the same method applies to any deletion). Note that -match
# treats $FriendlyName as a regular expression.
Get-ChildItem $CertStorePersonal | Where-Object {$_.FriendlyName -match $FriendlyName} | Remove-Item
Get-ChildItem $CertStoreTrusted | Where-Object {$_.FriendlyName -match $FriendlyName} | Remove-Item
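The script above places a locally generated certificate in LocalMachine\Root and grants an account access to its key file, both of which are easy to forget on a test machine. The following added example (not from the original post) inventories the Root store for such entries and reports who can read the corresponding key file. Every root certificate is self-signed by definition, so the example flags the ones whose private key also exists on this machine; those are the locally created ones. It assumes the software KSP key path used by the script above.

```powershell
# Added example: audit self-signed roots trusted by this machine and their private-key file ACLs.
$RootStore = "Cert:\LocalMachine\Root"
$MyStore   = "Cert:\LocalMachine\My"
$KeyDir    = Join-Path $env:ProgramData "Microsoft\Crypto\Keys"   # software KSP machine keys

function Get-PrivateKeyFileAcl {
    # Returns a summary of identities that can access the key file, or $null when the key is
    # not an RSA CNG software key (for example CAPI, ECDSA or hardware-backed keys).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa -or -not $rsa.Key) { return $null }
    $file = Join-Path $KeyDir $rsa.Key.UniqueName
    if (-not (Test-Path $file)) { return $null }
    (Get-Acl $file).Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
}

# Subject equal to Issuer identifies a self-signed certificate.
$report = foreach ($root in Get-ChildItem $RootStore | Where-Object { $_.Subject -eq $_.Issuer }) {
    # A matching entry with a private key in the personal store means it was generated here.
    $local = Get-ChildItem $MyStore | Where-Object { $_.Thumbprint -eq $root.Thumbprint -and $_.HasPrivateKey }
    $acl = if ($local) { Get-PrivateKeyFileAcl -Certificate $local } else { $null }

    [pscustomobject]@{
        Subject        = $root.Subject
        Thumbprint     = $root.Thumbprint
        NotAfter       = $root.NotAfter
        Expired        = $root.NotAfter -lt (Get-Date)
        LocalPrivateKey = [bool]$local
        KeyFileAcl     = ($acl -join '; ')
    }
}

# Locally generated roots first: these are the ones worth reviewing or removing.
$report | Sort-Object LocalPrivateKey -Descending | Format-Table -AutoSize
```

Entries with LocalPrivateKey set to True and a KeyFileAcl that lists more than SYSTEM, Administrators and the intended service account deserve a look; an expired entry with a local key is a leftover that can be removed with the two Remove-Item lines from the script above.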
