If you don't have your own PKI and just want to test a specific application or OS feature, you will probably need a self-signed certificate. You can generate one on Windows Server without any additional tool or product. Starting with Windows Server 2012, a PowerShell cmdlet can generate this kind of certificate: New-SelfSignedCertificate
The command is quite simple:
New-SelfSignedCertificate -KeyUsage DigitalSignature,KeyEncipherment -KeyLength 2048 -KeyAlgorithm RSA -DnsName mywebserver.domain.local -Type SSLServerAuthentication -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
In this example, the self-signed certificate will be created with the following options:
– Subject CN and SAN DNS name: mywebserver.domain.local
– Public key: RSA (2048 bits)
– Key usage: DigitalSignature and KeyEncipherment
– Enhanced key usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Before Windows Server 2012 (Windows Server 2008), the PowerShell cmdlet New-SelfSignedCertificate is not available.
In that case you can use the built-in command-line tool certreq.exe instead. First, write a definition file, which we will call def.ini:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=mywebserver.domain.local"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = Cert
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=mywebserver.domain.local"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%"
After that, launch the certreq.exe command:
certreq.exe -new def.ini my.req
In the command above, my.req is the certificate request file. The INF file contains the line RequestType = Cert; with this line, certreq creates the self-signed certificate directly (instead of a request to submit to a CA). You can now find it by opening the Certificates MMC snap-in (Local Machine).
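A single script that covers both paths, as an added example that is not part of the original post: it uses the cmdlet where it exists, otherwise writes the INF from above (OIDs inlined) and calls certreq.exe, then reads the extensions of the certificate that actually landed in the store rather than trusting the request. The test name and the machine-store location are assumptions.

```powershell
# Added example: create the test certificate with whichever tool the OS provides,
# then verify the issued extensions instead of trusting the request.
$DnsName = 'mywebserver.domain.local'           # same test name as the post
$Store   = 'Cert:\LocalMachine\My'              # assumption: machine store, like certreq's MachineKeySet=True
if (Get-Command New-SelfSignedCertificate -ErrorAction SilentlyContinue) {
    # Windows Server 2012 and later
    $cert = New-SelfSignedCertificate -DnsName $DnsName -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyUsage DigitalSignature,KeyEncipherment -Type SSLServerAuthentication `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') -CertStoreLocation $Store
} else {
    # Windows Server 2008 / 2008 R2: same request, written as a certreq INF (OIDs inlined)
    $inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$DnsName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = Cert
[Extensions]
2.5.29.17 = "{text}dns=$DnsName"
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1"
"@
    $infPath = Join-Path $env:TEMP 'def.ini'
    Set-Content -Path $infPath -Value $inf -Encoding Ascii
    certreq.exe -new $infPath (Join-Path $env:TEMP 'my.req') | Out-Null
    $cert = Get-ChildItem $Store | Where-Object { $_.Subject -eq "CN=$DnsName" } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
}
# Check the certificate that actually landed in the store (0x80 + 0x20 = 0xA0 key usage)
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$ku  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }).KeyUsages
$eku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$checks = [ordered]@{
    PrivateKey       = $cert.HasPrivateKey
    DigitalSignature = [bool]($ku -band $kuFlags::DigitalSignature)
    KeyEncipherment  = [bool]($ku -band $kuFlags::KeyEncipherment)
    ServerAuthEKU    = $eku -contains '1.3.6.1.5.5.7.3.1'
    SanDnsName       = $san -match [regex]::Escape($DnsName)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
"Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"
```

Run it from an elevated PowerShell session, since both paths write to the Local Machine store.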
You will find below more information on:
– New-SelfSignedCertificate
– certreq.exe and INF file structure