Create a self-signed certificate on Windows server

If you don't have your own PKI and just want to run some tests against a specific application or OS feature, you will probably need a self-signed certificate. You can generate one on Windows Server without any additional tool or product. Starting with Windows Server 2012, a PowerShell cmdlet can generate this kind of certificate: New-SelfSignedCertificate
The command is quite simple:

New-SelfSignedCertificate -KeyUsage DigitalSignature,KeyEncipherment -KeyLength 2048 -KeyAlgorithm RSA -DnsName mywebserver.domain.local -Type SSLServerAuthentication -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")

In this example, the self-signed certificate is created with the following options:
– Subject CN and SAN DNS name: mywebserver.domain.local
– Public key: RSA (2048 bits)
– Key usage: DigitalSignature and KeyEncipherment
– Enhanced key usage: Server Authentication (1.3.6.1.5.5.7.3.1)
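As an added example (not part of the original post), the following PowerShell script creates the certificate with the same options plus an explicit one-year lifetime and store location, reads the extensions back to confirm they match the list above, and exports the public part for the test client. It assumes the Windows 10 / Server 2016-era version of the cmdlet, which accepts the parameters used on this page.

```powershell
# Added example, not from the original post: create the certificate described above,
# verify its extensions, and export the public part (no private key) for the test client.
# Assumptions: Windows 10 / Server 2016+ version of New-SelfSignedCertificate,
# a one-year lifetime, and the LocalMachine\My (Personal) store.
$dnsName = 'mywebserver.domain.local'

$cert = New-SelfSignedCertificate `
    -DnsName $dnsName `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Type SSLServerAuthentication `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName "Self-signed test certificate ($dnsName)"

# Pull the extensions back out of the certificate object by OID
$kuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name

$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
$rsaKey  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

# One check per option listed above, plus the two properties a self-signed test cert must have
$checks = [ordered]@{
    'Subject is CN=<dns name>'       = $cert.Subject -eq "CN=$dnsName"
    'SAN carries the DNS name'       = $sanExt.Format($false) -match [regex]::Escape($dnsName)
    'RSA 2048-bit public key'        = ($null -ne $rsaKey) -and ($rsaKey.KeySize -eq 2048)
    'KU: DigitalSignature'           = $kuExt.KeyUsages.HasFlag($kuFlags::DigitalSignature)
    'KU: KeyEncipherment'            = $kuExt.KeyUsages.HasFlag($kuFlags::KeyEncipherment)
    'EKU: Server Authentication'     = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
    'Self-signed (issuer = subject)' = $cert.Issuer -eq $cert.Subject
    'Private key present'            = $cert.HasPrivateKey
}
$checks.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }

# Export only the public certificate (.cer). Import this into the test client's
# Trusted Root store so the self-signed chain validates there and nowhere else.
$cerPath = Join-Path $env:TEMP "$dnsName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
"Thumbprint $($cert.Thumbprint) exported to $cerPath"
```

Run it from an elevated PowerShell session, since writing to the LocalMachine store requires administrator rights.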

Before Windows Server 2012 (i.e. on Windows Server 2008), the PowerShell cmdlet New-SelfSignedCertificate is not available.
In this scenario, you can use the built-in CLI tool certreq.exe instead. First, write a definition file, which we will call def.ini:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mywebserver.domain.local"

KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = Cert

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=mywebserver.domain.local"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"

After that, run the certreq.exe command:
certreq.exe -new def.ini my.req

In the command above, my.req is the certificate request file. The INI file contains the line RequestType = Cert.
Because of this line, the self-signed certificate is created automatically instead of a request to submit to a CA. You can now find it by opening the Certificates MMC snap-in (Local Machine).

You will find below more information on:
New-SelfSignedCertificate
certreq.exe and inf structure

