Do you need an SSL certificate to build a website or test an application? Rather than paying a third-party provider for a certificate, you can create your own self-signed certificate, and PowerShell's New-SelfSignedCertificate cmdlet has you covered.
In this article you will learn, through a series of examples, how to create new self-signed certificates with PowerShell. By the end, you will have created self-signed certificates with different properties and for different purposes. Let's get started!
Prerequisites
If you would like to follow along with this tutorial, make sure you meet the following requirements.
- A Windows computer running Windows PowerShell 5.1 or PowerShell 7 (v7.1.3 as of this writing). This tutorial uses Windows 10 version 2004 and Windows PowerShell 5.1.
- Your user account must have administrator rights on the local computer.
- An elevated PowerShell session (run as administrator) is used throughout this tutorial, and it is assumed that you already have one open.
Related: How to Run PowerShell as an Administrator
Creating a Certificate With a Single Subject
The New-SelfSignedCertificate cmdlet is the tool to reach for when you need to create self-signed certificates in PowerShell. You can use it to create certificates for a variety of purposes, including code signing, server authentication, and document encryption.
Related: [Tutorial] Managing Certificates with Windows Certificate Manager and PowerShell
To create a self-signed certificate with a single subject, such as one website URL or one server FQDN, the New-SelfSignedCertificate cmdlet needs only the Subject parameter. Think of the subject as a unique label that distinguishes the certificate from others.
To create a self-signed certificate for a website named localsite.com, run the command below in PowerShell. This example creates a certificate for server authentication in the local machine's personal certificate store. For web services, the URL of the website that the certificate will protect is commonly used as the subject name.
All users on the local computer have access to the certificates in the local machine certificate store. The certificates in the current user certificate store, on the other hand, are only accessible to the current user.
# Create a self-signed certificate in the local machine personal certificate store and store the result in the $cert variable
$cert = New-SelfSignedCertificate -Subject localsite.com
# Display the new certificate's properties
$cert | Format-List -Property *
Add the -CertStoreLocation Cert:\CurrentUser\My parameter to create the certificate in the current user's personal certificate store instead, or use Cert:\LocalMachine\Root to create it in the trusted root certification authority store.
The screenshot below shows the expected result after creating the certificate and displaying all of its properties. Note that New-SelfSignedCertificate automatically adds the CN= prefix to the subject name.
Self-signing a certificate with a single subject name
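A self-signed certificate created in Cert:\LocalMachine\Root, as the tip above allows, is trusted by every user and service on the machine, so it is useful to be able to find such certificates again later. The function below is an added example and is not part of the original article. It lists self-signed certificates (Issuer equal to Subject) in a store; because the vendor-supplied root CAs are also self-signed but carry no private key on your machine, the -WithPrivateKey switch isolates certificates that were generated locally. The store paths used in the calls are assumptions for the example.

```powershell
# Added example (not from the original article): list self-signed certificates in a store.
# A self-signed certificate has Issuer equal to Subject. Vendor root CAs are self-signed too,
# but this machine holds no private key for them, so -WithPrivateKey isolates certificates
# that were generated locally (for example with New-SelfSignedCertificate).
function Get-SelfSignedCertificate {
    param(
        # Store path is an assumption for this example; Cert:\CurrentUser\My also works.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [switch]$WithPrivateKey
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -eq $_.Subject } |
        Where-Object { -not $WithPrivateKey -or $_.HasPrivateKey } |
        Select-Object @{ Name = 'Store'; Expression = { $StorePath } },
                      Subject, Thumbprint, HasPrivateKey, NotBefore, NotAfter
}

# The test certificates created in this article live in the personal store.
Get-SelfSignedCertificate -StorePath 'Cert:\LocalMachine\My' | Format-Table -AutoSize

# Locally generated certificates in the trusted root store: each one makes every user and
# service on this machine trust whatever chains to it, so any entry you did not add on
# purpose should be reviewed and, if unexplained, removed.
Get-SelfSignedCertificate -StorePath 'Cert:\LocalMachine\Root' -WithPrivateKey | Format-Table -AutoSize
```

Run it in the same elevated session; the second call is the one to keep in an audit script, since a self-signed certificate with a private key in the root store is exactly what lets any certificate signed by that key pass validation on this machine.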
Creating a SAN Certificate (Subject Alternative Name)
You have created a certificate with a single subject name, which is fine if you only plan to use it on one website. But what if you have several websites, such as localsite.com, content.localsite.com, and apps.localsite.com?
Instead of creating a self-signed certificate for each website, you can create a single certificate with multiple subject alternative names (SANs). This type of certificate is known as a SAN certificate.
Run New-SelfSignedCertificate using the DnsName option to produce a SAN certificate. One or more subject names that you wish to include in the certificate are accepted via the DnsName argument.
When the DnsName parameter receives several values, the first string becomes the certificate's primary subject name and the remaining strings become its alternative names. Which name is the primary subject does not affect how the certificate can be used.
Run the command below in PowerShell to produce the SAN certificate for localsite.com, content.localsite.com, and apps.localsite.com, for example.
# Create a self-signed SAN certificate in the local machine personal certificate store and store the result in the $cert variable
$cert = New-SelfSignedCertificate -DnsName localsite.com,content.localsite.com,apps.localsite.com
# Display the new certificate's properties
$cert | Format-List -Property *
As you can see in the DnsNameList property, the cmdlet created a new certificate with multiple subject names.
Creating a SAN certificate that is self-signed
Creating a Certificate With a Specific Validity Period
By default, self-signed certificates are valid for one year, which may be enough for most use cases. When creating a self-signed certificate, however, you can use the NotBefore and NotAfter parameters to set a specific validity period.
To create a self-signed certificate that is valid from today (NotBefore) until 24 months from now (NotAfter), run the command below in PowerShell.
# Create a self-signed certificate valid for 24 months in the local machine personal certificate store and store the result in the $cert variable
$cert = New-SelfSignedCertificate -DnsName localsite.com -NotBefore (Get-Date) -NotAfter (Get-Date).AddMonths(24)
To confirm the new certificate, run the command below to display selected properties, including the start and expiry dates.
$cert | Select-Object -Property Subject,Thumbprint,NotBefore,NotAfter
As you can see, you now have a self-signed certificate with a 24-month validity period.
Obtaining the validity term of a self-signed certificate
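To check that a certificate really covers the names you passed to DnsName (the SAN section above) and sits inside the validity window you intended (this section), the function below compares the DnsNameList property that the certificate provider exposes with an expected list and reports the validity window. It is an added example and not part of the original article; the 30-day renewal threshold and the shop.localsite.com name in the usage call are assumptions made for the example.

```powershell
# Added example (not from the original article): verify the names and validity window of a
# certificate created with New-SelfSignedCertificate.
function Test-SelfSignedCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$ExpectedDnsName = @(),
        [int]$MinimumDaysRemaining = 30   # renewal threshold; an assumption for this example
    )
    $now = Get-Date
    # DnsNameList is added by the certificate provider (and by New-SelfSignedCertificate);
    # a certificate loaded from a file would need its SAN extension parsed instead.
    $present  = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $missing  = @($ExpectedDnsName | Where-Object { $present -notcontains $_ })
    $daysLeft = ($Certificate.NotAfter - $now).TotalDays
    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Thumbprint      = $Certificate.Thumbprint
        IsSelfSigned    = ($Certificate.Issuer -eq $Certificate.Subject)
        IsCurrent       = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        DaysRemaining   = [int][math]::Floor($daysLeft)
        RenewSoon       = ($daysLeft -lt $MinimumDaysRemaining)
        DnsNames        = $present
        MissingDnsNames = $missing
    }
}

# Usage: the SAN certificate from the article, valid for 24 months, checked against an
# expected list that deliberately includes a name the certificate does not carry.
$cert = New-SelfSignedCertificate -DnsName localsite.com,content.localsite.com,apps.localsite.com `
    -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddMonths(24)
Test-SelfSignedCertificate -Certificate $cert -ExpectedDnsName 'localsite.com','apps.localsite.com','shop.localsite.com'
# IsCurrent is True, RenewSoon is False, and MissingDnsNames contains shop.localsite.com.
```

A name missing from DnsNameList is the usual cause of browser name-mismatch errors with a SAN certificate, and RenewSoon is the signal to act on before the certificate lapses, which leads directly into the cloning procedure that follows.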
Cloning an Existing Self-Signed Certificate
Consider the situation where your self-signed certificate is about to expire. If you still need the certificate, the sensible thing is to renew it. However, there is no straightforward way to renew a self-signed certificate. So what do you do? Either start over with a brand-new self-signed certificate, or clone the existing one.
A cloned certificate inherits the properties of the original certificate, except for the public key, thumbprint, serial number, and expiry date. As a result, cloning the existing certificate is the quicker option.
To clone a certificate, add the CloneCert parameter to the New-SelfSignedCertificate command. Follow the steps below to get started:
1. First, find the certificate you want to clone. To do so, use the Get-ChildItem command to list the existing certificates in the certificate store. The snippet below searches the local machine's personal certificate store for certificates whose subject ends with the string localsite.com and returns a few of their properties.
# Get all certificates whose subject name ends with localsite.com
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*localsite.com"} | Select-Object Subject,DnsNameList,Thumbprint,NotBefore,NotAfter
As you can see in the example below, there may be several certificates matching the subject name you are looking for. In that case, go through the list and decide which certificate you want to clone. Once you have decided, copy that certificate's thumbprint.
Listing the existing certificates
2. Once you have identified the certificate to clone and copied its thumbprint, run the command below to retrieve the old certificate. Replace the <thumbprint> placeholder with the thumbprint you copied in the previous step.
# Get the certificate and store it in the $certToClone variable (replace <thumbprint> with the thumbprint copied above)
$certToClone = Get-Item Cert:\LocalMachine\My\<thumbprint>
3. Run New-SelfSignedCertificate with the CloneCert parameter to create a new certificate by cloning the old one.
# Create a cloned self-signed certificate
$cert = New-SelfSignedCertificate -CloneCert $certToClone
The new certificate will have the same validity time as the old certificate if the NotBefore and NotAfter parameters are not specified (i.e., two years). The current date and time minus ten minutes will be used as the NotBefore value.
To give the new certificate a different validity period, run the same command but add the NotAfter parameter. For example, use the command below to make the certificate valid for four years.
# Create a cloned self-signed certificate valid for four years
$cert = New-SelfSignedCertificate -CloneCert $certToClone -NotAfter (Get-Date).AddYears(4)
4. Finally, verify the new certificate you have created using the command below.
# Display the cloned certificate's properties
$cert | Select-Object Subject,DnsNameList,Thumbprint,NotBefore,NotAfter
As shown below, you have now cloned the self-signed certificate with the same subject and alternative names as the original. The thumbprint, start date, and expiry date are all new.
Viewing the attributes of a self-signed certificate clone
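Because a clone is a new certificate with a new key pair and thumbprint, every service or client that was bound to the old thumbprint must be pointed at the new one. The function below, an added example that is not part of the original article, automates the procedure above for all self-signed certificates in a store that expire within a given number of days and returns the old and new thumbprints side by side so that bindings can be updated. The store path, subject filter, 30-day window, and two-year validity are assumptions for the example.

```powershell
# Added example (not from the original article): clone self-signed certificates that are
# about to expire and report old and new thumbprints so that bindings can be updated.
function Update-ExpiringSelfSignedCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # assumptions for this example
        [string]$SubjectFilter = '*localsite.com',
        [int]$WithinDays = 30,
        [int]$NewValidityYears = 2
    )
    # -ExpiringInDays is a dynamic parameter of the certificate provider.
    Get-ChildItem -Path $StorePath -ExpiringInDays $WithinDays |
        Where-Object { $_.Subject -like $SubjectFilter -and $_.Issuer -eq $_.Subject } |
        ForEach-Object {
            $old = $_
            $new = New-SelfSignedCertificate -CloneCert $old -CertStoreLocation $StorePath `
                       -NotAfter (Get-Date).AddYears($NewValidityYears)
            [pscustomobject]@{
                Subject       = $old.Subject
                OldThumbprint = $old.Thumbprint
                OldNotAfter   = $old.NotAfter
                NewThumbprint = $new.Thumbprint
                NewNotAfter   = $new.NotAfter
                # A clone gets a fresh key pair, so the public keys must differ (False here).
                SameKeyPair   = ($old.GetPublicKeyString() -eq $new.GetPublicKeyString())
            }
        }
}

Update-ExpiringSelfSignedCertificate -WithinDays 30 | Format-Table -AutoSize
```

The old certificate is deliberately left in place: remove it with Remove-Item Cert:\LocalMachine\My\<old thumbprint> only after the services that used it have been rebound to the new thumbprint, otherwise they lose their certificate before the replacement is in effect.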
Creating a Certificate for Code Signing
To give your scripts a digital signature, you must sign them with a code-signing certificate. Code-signing certificates can also be created with the New-SelfSignedCertificate cmdlet.
Related: How to Sign a PowerShell Script (And Run It)
To create a self-signed code-signing certificate, run the New-SelfSignedCertificate command below in PowerShell. The Type parameter specifies that a CodeSigningCert certificate should be created, and the NotAfter parameter makes the certificate valid for 24 months; specifying a validity period with NotAfter is optional.
# Create a self-signed code-signing certificate valid for 24 months
$cert = New-SelfSignedCertificate -Subject CodeSigningCert -Type CodeSigningCert -NotAfter (Get-Date).AddMonths(24)
After creating the code-signing certificate, run the command below to confirm that the EnhancedKeyUsageList value shows Code Signing as the certificate's valid key usage.
$cert | Select-Object Subject,EnhancedKeyUsageList
Verifying the validity of the certificate for code signing
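The purpose of the certificate is to sign a script and have PowerShell check the signature, so the session below carries that through. It is an added example, not code from the original article; it assumes the CodeSigningCert subject from the command above and a temporary script path, and it shows two things the cmdlet output alone does not: a self-signed signer is reported as UnknownError until its certificate is trusted, and any change to the signed content turns the status into HashMismatch.

```powershell
# Added example (not from the original article): sign a script with the self-signed
# code-signing certificate and verify it, before and after tampering.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' -CodeSigningCert |
    Where-Object { $_.Subject -eq 'CN=CodeSigningCert' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# Constructed test script; the path is an assumption for this example.
$scriptPath = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "hello from a signed script"'

# Sign. The returned Status describes the signer's trust, not whether signing worked:
# a self-signed certificate that is not in the Trusted Root and Trusted Publishers
# stores yields UnknownError ("...terminated in a root certificate which is not trusted").
$signature = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
$signature | Select-Object Status, StatusMessage,
    @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }

# Verify the untouched file: same status, and the signer is the certificate above.
(Get-AuthenticodeSignature -FilePath $scriptPath).Status

# Tamper with the content above the signature block and verify again: HashMismatch,
# which is what an execution policy of AllSigned or RemoteSigned blocks on.
$body = Get-Content -Path $scriptPath
Set-Content -Path $scriptPath -Value (@('# line inserted after signing') + $body)
(Get-AuthenticodeSignature -FilePath $scriptPath).Status
```

UnknownError on a freshly signed file is therefore not a failure to sign; it is the chain check telling you the signer is not trusted, which for a self-signed certificate is the expected state until you deliberately import it into the Trusted Root and Trusted Publishers stores of the machines that should run the script.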
Creating a Certificate for Document Encryption
When you have documents or emails that you want to keep away from prying eyes, encryption is one way to do it. First, however, you need a document encryption certificate, which you can create with the New-SelfSignedCertificate cmdlet.
The New-SelfSignedCertificate cmdlet requires a specific set of KeyUsage values to create a document encryption certificate. These values are:
- DataEncipherment – the certificate can be used to encrypt data.
- KeyEncipherment – the certificate can be used to encrypt secret/private keys.
- KeyAgreement – the certificate can be used for key agreement, for example when deriving keys in Elliptic Curve Cryptography.
The Type parameter value must also be DocumentEncryptionCert.
To create a self-signed document encryption certificate, use the command below. The certificate will be valid for two years. The code uses splatting to pass the parameter values, which makes the command easier to read.
Because encrypting content is usually done for personal use, the document encryption certificate is created in the current user's personal certificate store. This limits the ability to encrypt and decrypt data with this certificate to the current user (you).
Related: Splatting in PowerShell: What Is It and How Does It Work?
# Set the certificate parameter values
$certSplat = @{
    DnsName           = 'DocEncCert'
    KeyUsage          = @('KeyEncipherment','DataEncipherment','KeyAgreement')
    Type              = 'DocumentEncryptionCert'
    CertStoreLocation = 'Cert:\CurrentUser\My'
    NotAfter          = (Get-Date).AddYears(2)
}
# Create the self-signed document encryption certificate
$cert = New-SelfSignedCertificate @certSplat
Run the command below to retrieve the EnhancedKeyUsageList value of the self-signed certificate and confirm that it is valid for document encryption.
$cert | Select-Object Subject,EnhancedKeyUsageList
The certificate specifies Document Encryption, as seen in the result below, indicating that the certificate is valid for document encryption.
Verifying the validity of the certificate for document encryption
Now that you have a document encryption certificate, you can use the Protect-CmsMessage and Unprotect-CmsMessage cmdlets to encrypt and decrypt content.
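The round trip with those two cmdlets, as an added example that is not part of the original article: it assumes the DocEncCert subject from the splatting command above in the current user's store, and the secret string and file path are constructed for the example.

```powershell
# Added example (not from the original article): encrypt and decrypt text with the
# document-encryption certificate using the CMS cmdlets.
# Assumes the DocEncCert subject from the splatting example, in the current user's store.
$cert = Get-ChildItem -Path 'Cert:\CurrentUser\My' -DocumentEncryptionCert |
    Where-Object { $_.Subject -eq 'CN=DocEncCert' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# Constructed sample secret for the example.
$secret = 'sample connection string: Server=db01;User=app;Password=example-only'

# Encrypt to the certificate's public key. The result is a PEM-style CMS envelope that is
# safe to keep in a file or a script; only a holder of the private key can open it.
$envelope = Protect-CmsMessage -To $cert -Content $secret
$envelope

# Inspect the envelope without decrypting it: which certificate(s) it was encrypted to.
Get-CmsMessage -Content $envelope | Select-Object -ExpandProperty Recipients

# Decrypt. Unprotect-CmsMessage finds the matching private key in the current user's
# store, which is why the certificate was created in Cert:\CurrentUser\My.
$decrypted = Unprotect-CmsMessage -Content $envelope
$decrypted -eq $secret   # True

# The same round trip through a file, the usual way to keep a secret next to a script.
$envelopePath = Join-Path $env:TEMP 'secret.cms'   # path is an assumption for this example
$envelope | Set-Content -Path $envelopePath
Unprotect-CmsMessage -Path $envelopePath
```

Two consequences of the store choice are worth noting: a user without access to the private key gets a decryption error from Unprotect-CmsMessage rather than the plaintext, and an encrypted file is only as recoverable as that private key, so if the certificate is ever lost or expires without being exported first, the envelope cannot be opened again.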
Conclusion
This post showed you how to quickly create self-signed certificates for your testing and development needs. You learned how to create self-signed certificates with a variety of settings and for a variety of purposes.
There are more parameters to explore that were not covered in this post. Consider creating an S/MIME certificate for email security, or a certificate with more advanced options. You will very likely also need to learn how to export and import such certificates. Good luck!