Create a self-signed certificate on Windows server

Create a self-signed certificate on Windows server

If you don’t have your own PKI and just want to perform some tests on a specific application or OS feature, you will probably need to generate a self-signed certificate. You can easily achieve this on Windows server without any additional tool or product. With the newer version of Windows server (since the version Windows server 2012), a new powershell cmdlet can generate this kind of certificate : New-SelfSignedCertificate
The command is quite simple:

In this example, the self signed certificate will be created with the following options:
– Subject CN and SAN Dns Name: mywebserver.domain.local
– Public key: RSA (2048 bits)
– Key usage: DigitalSignature and KeyEncipherment
– Enhanced key usage: Server Authentication (

Before Windows server 2012 (Windows 2008), the powershell cmdlet New-SelfSignedCertificate is not available.
In this scenario, you can use instead the builtin cli tool called certreq.exe. First, you have to write a definition file we will called def.ini:

After that, launch the certreq.exe command:
certreq.exe -new def.ini my.req

In the command above, the file my.req is the certificate request file. The ini file contains the line : RequestType = Cert
With this line, the self-signed certificate will be created automatically. You can now find it by opening your Certificate MMC snap-in (Local Machine)

You will find below more information on:
certreq.exe and inf structure


My Powershell script categories

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.