
creating valid test SSL certificates for IIS


The new version of New-SelfSignedCertificate, which is included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information.

The documentation and the examples could still seem not clear enough for creating two certificates:

  • one self-signed certificate, which will be used as the CA certificate from your example
  • a second SSL certificate, which is signed with the first certificate.

The implementation could be the following (I wrote the options below on multiple lines only to make the text more readable):

    New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096 `
        -Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE" `
        -KeyUsage DigitalSignature,CertSign -NotAfter (get-date).AddYears(10) `
        -CertStoreLocation "Cert:\CurrentUser\My" -Type Custom

The output will look like:

    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

    Thumbprint                                Subject
    ----------                                -------
    B7DE93CB88E99B01D166A986F7BF2D82A0E541FF  CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE

The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for using the certificate for signing. If you forget the value, you can find it by CN name

    dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"

or by using certutil.exe -user -store My to display the certificates in the My store of the current user.

To create an SSL certificate and sign it with the previously created certificate, one can do, for example, the following:

    New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org" `
        -HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyUsage KeyEncipherment,DigitalSignature `
        -CertStoreLocation "cert:\LocalMachine\My" `
        -Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")

It seems to me that the final certificate will have all the required properties. It's clear that the values of many of the above parameters are examples only and you have to modify them based on your requirements. I don't describe here some other common steps like importing the root certificate into Trusted Root, exporting the certificates and so on. Those steps are not part of your main question.
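As an added example, not part of the original answer, the following script checks that the certificate produced by the two commands above actually chains to the test root and carries the SAN and EKU values IIS and TLS clients need. It assumes the thumbprint and DNS names used in the answer; the chain is built against the test root explicitly, so the result does not depend on whether the root has already been imported into Trusted Root.

```powershell
# Added verification example (not from the original answer). Values below are
# the ones used in the answer; replace them with your own thumbprint and names.
$rootThumbprint = 'B7DE93CB88E99B01D166A986F7BF2D82A0E541FF'
$expectedDns    = @('ok01.no-ip.org', 'ok01.fritz.box')

$root = Get-Item "Cert:\CurrentUser\My\$rootThumbprint"
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $root.Subject -and $_.Subject -eq 'CN=ok01.no-ip.org' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $leaf) { throw 'No certificate issued by the test root found in LocalMachine\My' }

# 1. Signature/chain check against the test root only. AllowUnknownCertificateAuthority
#    lets Build() succeed before the root is trusted; NoCheck because the test CA has no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$built = $chain.Build($leaf)
$issuedByRoot = $built -and $chain.ChainElements.Count -eq 2 -and
                $chain.ChainElements[1].Certificate.Thumbprint -eq $rootThumbprint
"Chain builds to test root: $issuedByRoot (status: $($chain.ChainStatus.Status -join ','))"

# 2. SAN check (OID 2.5.29.17): every host name clients will type must be present,
#    otherwise browsers report a name mismatch even when the root is trusted.
$sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($dns in $expectedDns) {
    "SAN contains DNS=$dns : " + ($sanText -match [regex]::Escape("DNS Name=$dns"))
}

# 3. EKU check (OID 2.5.29.37): Server Authentication (1.3.6.1.5.5.7.3.1) is mandatory
#    for an IIS binding; Client Authentication alone is not enough.
$eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
"EKU includes Server Authentication: " + ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')

# 4. IIS can only bind a certificate whose private key is in the same store.
"Private key present: $($leaf.HasPrivateKey)"
```

If the chain check fails while the root is untrusted, that is expected until the root is imported into Trusted Root; the SAN, EKU and private-key results do not depend on that step.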