How to Generate a Self-Signed Certificate Using PowerShell

Overview

There may come a time when a certificate is needed for testing purposes, and a certification authority (CA) is not readily available. The sample script below provides the following:

    - Self-signed certificates in the Local Machine Personal store
    - 2048-bit private keys marked exportable
    - Ability to generate multiple certificates at once
    - Ability to select a Subject
    - Ability to select from five Enhanced Key Usage (EKU) object identifiers (OIDs):
        Server Authentication
        Client Authentication
        Smart Card Authentication
        Encrypting File System
        Code Signing

The sample can be easily modified to specify other private key and certificate object properties of choice.    

Sample PowerShell Code

Note: This script sample is provided AS-IS with no warranties and confers no rights.

#SCRIPT SAMPLE TITLE - Generate Self-signed Certificates
#AUTHOR - Adam Conkle - Microsoft Corporation
#VERSION - 1.0

$ErrorActionPreference = "SilentlyContinue"

#write header
Write-Host "`n WARNING: This script sample is provided AS-IS with no warranties and confers no rights." -ForegroundColor Yellow
Write-Host "`n This script sample will generate self-signed certificates with private key"
Write-Host " in the Local Computer Personal certificate store."

#find out how many certs they want to self-sign
$Iterations = Read-Host "`n How many certificates would you like to generate?"

For ($Count = 1; $Count -le $Iterations; $Count++)
{
    $Subject = Read-Host "`n Enter the Subject for certificate `#$Count"

    #Generate cert in local computer My store
    $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=$Subject", 0)    #0 = XCN_CERT_NAME_STR_NONE

    $key = new-object -com "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    $key.KeySpec = 1                  #1 = XCN_AT_KEYEXCHANGE
    $key.Length = 2048
    #SDDL on the key container: full control for SYSTEM and Administrators, read for NETWORK SERVICE
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.MachineContext = 1           #create the key in the machine context rather than the user's
    $key.ExportPolicy = 1             #1 = XCN_NCRYPT_ALLOW_EXPORT_FLAG, private key is exportable
    $key.Create()

    $ekuoids = new-object -com "X509Enrollment.CObjectIds.1"

    #keep prompting until at least one EKU has been selected
    $NothingAnsweredYes = $true
    While ($NothingAnsweredYes)
    {
        Write-Host "`n Add Enhanced Key Usage `(EKU`) by answering Y/N to the following`:"
        $AddServerAuth = Read-Host " Server Authentication?"
        $AddClientAuth = Read-Host " Client Authentication?"
        $AddSmartCardAuth = Read-Host " Smart Card Authentication?"
        $AddEFS = Read-Host " EFS?"
        $AddCodeSigning = Read-Host " Code Signing?"

        If (($AddServerAuth -eq "Y") -or ($AddClientAuth -eq "Y") -or ($AddSmartCardAuth -eq "Y") -or ($AddEFS -eq "Y") -or ($AddCodeSigning -eq "Y"))
        {
            $NothingAnsweredYes = $false
        }

        If ($NothingAnsweredYes)
        {
            Write-Host "`n You must select at least one EKU for certificate `#$Count."
        }

        If ($AddServerAuth -eq "Y")
        {
            $serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
            $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
            $ekuoids.add($serverauthoid)
        }

        If ($AddClientAuth -eq "Y")
        {
            $clientauthoid = new-object -com "X509Enrollment.CObjectId.1"
            $clientauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.2")
            $ekuoids.add($clientauthoid)
        }

        If ($AddSmartCardAuth -eq "Y")
        {
            $smartcardoid = new-object -com "X509Enrollment.CObjectId.1"
            $smartcardoid.InitializeFromValue("1.3.6.1.4.1.311.20.2.2")
            $ekuoids.add($smartcardoid)
        }

        If ($AddEFS -eq "Y")
        {
            $efsoid = new-object -com "X509Enrollment.CObjectId.1"
            $efsoid.InitializeFromValue("1.3.6.1.4.1.311.10.3.4")
            $ekuoids.add($efsoid)
        }

        If ($AddCodeSigning -eq "Y")
        {
            $codesigningoid = new-object -com "X509Enrollment.CObjectId.1"
            $codesigningoid.InitializeFromValue("1.3.6.1.5.5.7.3.3")
            $ekuoids.add($codesigningoid)
        }
    }

    #wrap the selected OIDs in an EKU extension
    $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
    $ekuext.InitializeEncode($ekuoids)

    #build the certificate request around the private key created above
    $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
    $cert.InitializeFromPrivateKey(2, $key, "")      #2 = ContextMachine
    $cert.Subject = $name
    $cert.Issuer = $cert.Subject                     #self-signed: issuer is the subject itself
    $cert.NotBefore = get-date
    $cert.NotAfter = $cert.NotBefore.AddDays(1825)   #valid for five years
    $cert.X509Extensions.Add($ekuext)
    $cert.Encode()

    #self-sign the request and install the result in the machine store
    $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
    $enrollment.InitializeFromRequest($cert)
    $certdata = $enrollment.CreateRequest(0)          #0 = XCN_CRYPT_STRING_BASE64HEADER
    $enrollment.InstallResponse(2, $certdata, 0, "")  #2 = AllowUntrustedCertificate
}

Write-Host "`n`tFinished`n" -ForegroundColor Green
##################################
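Certificates produced by the sample above are easy to leave behind in the machine store. The following audit script is an added example, not part of the original sample: it lists the self-signed certificates in the Local Machine Personal store and reports the properties the sample sets (key size, exportability, EKUs, expiry). It assumes the sample's CAPI provider; for CNG-backed keys the exportability column is reported as unknown.

```powershell
# Added example, not part of the original sample: audit Cert:\LocalMachine\My for
# self-signed certificates and report the properties the sample sets.
$ekuNames = @{
    "1.3.6.1.5.5.7.3.1"      = "Server Authentication"
    "1.3.6.1.5.5.7.3.2"      = "Client Authentication"
    "1.3.6.1.4.1.311.20.2.2" = "Smart Card Logon"
    "1.3.6.1.4.1.311.10.3.4" = "Encrypting File System"
    "1.3.6.1.5.5.7.3.3"      = "Code Signing"
}

function Get-SelfSignedMachineCert {
    # The sample sets Issuer equal to Subject; that equality is the self-signed marker used here
    $selfSigned = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $_.Issuer }
    foreach ($cert in $selfSigned) {
        # 2.5.29.37 is the Enhanced Key Usage extension OID
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        $ekus = @()
        if ($ekuExt) {
            $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object {
                if ($ekuNames.ContainsKey($_.Value)) { $ekuNames[$_.Value] } else { $_.Value }
            })
        }
        # Exportability is readable for CSP (CAPI) keys such as the SChannel provider the
        # sample uses; CNG keys expose no PrivateKey here and are reported as unknown
        $exportable = "n/a"
        if ($cert.HasPrivateKey) {
            $exportable = "unknown"
            try {
                $privKey = $cert.PrivateKey
                if ($privKey -and $privKey.CspKeyContainerInfo) {
                    $exportable = $privKey.CspKeyContainerInfo.Exportable
                }
            } catch { }
        }
        [PSCustomObject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyBits    = $cert.PublicKey.Key.KeySize
            Exportable = $exportable
            EKU        = ($ekus -join ", ")
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

Get-SelfSignedMachineCert | Format-Table -AutoSize
```

Run it from an elevated prompt so the private key container information is readable; a test certificate can then be removed by thumbprint with Remove-Item on the Cert: drive.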

Wiki - Revision Comment List(Revision Comment)
  • Richard Mueller edited Revision 2. Comment: Replaced RGB values with color names in HTML to restore colors

  • Richard Mueller edited Revision 1. Comment: Removed (en-US) from title, added tag

  • Craig Lussier edited Original. Comment: added en-US to tags and title