Create a self-signed certificate on Windows server

If you don’t have your own PKI and just want to test a specific application or OS feature, you will probably need to generate a self-signed certificate. You can easily do this on Windows Server without any additional tool or product. Newer versions of Windows Server (since Windows Server 2012) include a PowerShell cmdlet that generates this kind of certificate: New-SelfSignedCertificate
The command is quite simple:

New-SelfSignedCertificate -KeyUsage DigitalSignature,KeyEncipherment -KeyLength 2048 -KeyAlgorithm RSA -DnsName mywebserver.domain.local -Type SSLServerAuthentication -TextExtension @("{text}")

In this example, the self-signed certificate will be created with the following options:
– Subject CN and SAN Dns Name: mywebserver.domain.local
– Public key: RSA (2048 bits)
– Key usage: DigitalSignature and KeyEncipherment
– Enhanced key usage: Server Authentication (

Before Windows Server 2012 (Windows 2008), the PowerShell cmdlet New-SelfSignedCertificate is not available.
In this scenario, you can use the built-in command-line tool certreq.exe instead. First, write a definition file, which we will call def.ini:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mywebserver.domain.local"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = Cert

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=mywebserver.domain.local"

After that, launch the certreq.exe command:
certreq.exe -new def.ini my.req

In the command above, the file my.req is the certificate request file. The ini file contains the line: RequestType = Cert
With this line, the self-signed certificate is created automatically. You can now find it by opening the Certificates MMC snap-in (Local Machine).
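
As a scripted alternative to checking the MMC snap-in by eye, the following added example (not part of the original page) reads the certificate back from the Local Machine store and compares it with the options listed above. The function name Test-SelfSignedServerCert and the report property names are hypothetical; the OIDs are the standard ones for SAN, Key Usage, Enhanced Key Usage and Server Authentication.

```powershell
# Added example: confirm that the certificate in the store carries the expected options.
# Works for certificates created by either method shown on the page.
function Test-SelfSignedServerCert {
    param([string]$DnsName = 'mywebserver.domain.local')   # name used on the page

    # Both methods place the certificate in the Local Machine "Personal" store.
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" }
    if (-not $certs) {
        Write-Warning "No certificate with subject CN=$DnsName in Cert:\LocalMachine\My"
        return
    }

    # 0xA0 = DigitalSignature (0x80) + KeyEncipherment (0x20), same value as KeyUsage in def.ini
    $expectedUsage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]0xA0

    foreach ($cert in $certs) {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name
        $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }  # Key Usage
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # Enhanced Key Usage
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

        $sanText = if ($san) { $san.Format($false) } else { '' }
        $ekuOids = @($eku.EnhancedKeyUsages | Where-Object { $_ } | ForEach-Object { $_.Value })

        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            SelfSigned      = ($cert.Subject -eq $cert.Issuer)
            SanHasDnsName   = ($sanText -match [regex]::Escape($DnsName))
            Rsa2048OrMore   = [bool]($rsa -and $rsa.KeySize -ge 2048)
            KeyUsageMatches = [bool]($ku -and $ku.KeyUsages -eq $expectedUsage)
            # 1.3.6.1.5.5.7.3.1 = Server Authentication
            EkuServerAuth   = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
            EkuOids         = ($ekuOids -join ',')
            HasPrivateKey   = $cert.HasPrivateKey
            NotAfter        = $cert.NotAfter
        }
    }
}

# One report per matching certificate; any False value points at an option that was not applied.
Test-SelfSignedServerCert | Format-List
```

EkuOids lists every usage present, so a test certificate that is valid for more purposes than Server Authentication is visible in the report. Remove test certificates from the store once the test is finished, since the private key stays on the machine.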

You will find below more information on:
certreq.exe and inf structure
