Skip to content

Instantly share code, notes, and snippets.

@RomelSan
Last active May 2, 2024 02:43
Show Gist options
  • Save RomelSan/bea2443684aa0883b117c37bac1de520 to your computer and use it in GitHub Desktop.
Save RomelSan/bea2443684aa0883b117c37bac1de520 to your computer and use it in GitHub Desktop.
Powershell Self Signed Certificate
#-------------------------------------------------------------------------------------
# Create Self signed root certificate
# -dnsname -DnsName domain.example.com,anothersubdomain.example.com
# -Subject "CN=Patti Fuller,OU=UserAccounts,DC=corp,DC=contoso,DC=com"
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" `
-KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 4096 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign `
-KeyUsage CertSign `
-NotAfter (Get-Date).AddYears(5)
# Generate certificates from root (For Client Authentication only) (Not for web server)
New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-NotAfter (Get-Date).AddMonths(24) `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
# Generate certificate from root for web service
New-SelfSignedCertificate -Type Custom `
-Subject "CN=P2SChildCertWeb" -KeyExportPolicy Exportable `
-DnsName "sub.domain.com","www.domain.com","192.168.1.1" `
-HashAlgorithm sha256 -KeyLength 2048 `
-KeyUsage "KeyEncipherment", "DigitalSignature" `
-NotAfter (Get-Date).AddMonths(24) `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert
# if not on the same powershell session (Take note of the thumbprint)
Get-ChildItem -Path "Cert:\CurrentUser\My"
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\THUMBPRINT"
# Delete Certificate with key
Remove-Item -Path "cert:\LocalMachine\CA\THUMBPRINT" -DeleteKey
# Export as PFX
$PFXPass = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\CurrentUser\My\THUMBPRINT `
-Password $PFXPass `
-FilePath C:\TEMP\Service-adatum-local.pfx
# Export Normal
# Exports a certificate to the file system as a DER-encoded .cer file without its private key.
Export-Certificate -Cert $cert -FilePath c:\certs\user.cer
# Exports a certificate to the file system as a PKCS#7-fomatted .p7b file without its private key.
Export-Certificate -Cert $cert -FilePath c:\certs\user.p7b -Type p7b
#-----------------------------------------------------------
# Certificate Types
# https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps
# EKU TYPES (Enhanced Key Usage) (2.5.19.37)
# Signing Software (1.3.6.1.5.5.7.3.3)
-KeySpec "Signature"
-KeyUsage "DigitalSignature"
# Normal Web Server Usage (1.3.6.1.5.5.7.3.1) (1.3.6.1.5.5.7.3.2)
# FOR "Server Authentication", "Client authentication"
-KeyUsage "KeyEncipherment, DigitalSignature"
# Email (1.3.6.1.5.5.7.3.4 )"
-KeyUsage "KeyEncipherment, DigitalSignature"
#Timestamping (1.3.6.1.5.5.7.3.8 )
#---------------------------------------------------------------
# Text Extension for the ROOT CA (2.5.29.19 Basic Constraint)
-TextExtension @("2.5.29.19 ={critical} {text}ca=1&pathlength=3")
# Where ca=1 defines the cert as a signing CA and pathlength=3 is arbitrary- it defines how many SubCa's can be present
# For the Subordinate certificate
-TextExtension @("2.5.29.19 = {critical} {text}ca=1&pathlength=0")
# Where ca=1 defines the cert as a signing CA and pathlength=0 defines that there is no other signing CA'a below this one.
# -------------------------------------------------------
# Purpose of Certificate Required Key Usage Bit
CA Signing keyCertSign
cRLSign
Certificate Signing keyCertSign
SSL Client digitalSignature
SSL Server keyEncipherment
Object Signing digitalSignature
S/MIME Signing digitalSignature
S/MimE Encryption keyEncipherment
@Fafofu
Copy link

Fafofu commented Jun 1, 2020

Thank you so much! Microsoft does not want to write normal documentation.

@preet-serko
Copy link

Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment