Generate Self-signed certificate with Root CA Signer

The ultimate solution in my case, avoiding makecert and openssl was to use Powershell and BouncyCastle. I forked the PSBouncyCastle repo from PSBouncyCastle by RLipscombe and pushed 1.8.1 Bouncy Castle in. My forked version is the one I've used for the script, the fork resides at Forked: PSBouncyCastle.New.

I then used StackOverflow: C# Generate Certificates on the Fly as inspiration to write the following powershell below, I will be adding this to my GitHub and commenting, and I will amend this as soon as I do:

Import-Module -Name PSBouncyCastle.Newfunction New-SelfSignedCertificate {  [CmdletBinding()]  param (    [string]$SubjectName,    [string]$FriendlyName = "New Certificate",    [object]$Issuer,    [bool]$IsCA = $false,    [int]$KeyStrength = 2048,    [int]$ValidYears = 2,    [hashtable]$EKU = @{}  )  # Needed generators  $random = New-SecureRandom  $certificateGenerator = New-CertificateGenerator  if($Issuer -ne $null -and $Issuer.HasPrivateKey -eq $true)  {    $IssuerName = $Issuer.IssuerName.Name    $IssuerPrivateKey = $Issuer.PrivateKey  }  # Create and set a random certificate serial number  $serial = New-SerialNumber -Random $random  $certificateGenerator.SetSerialNumber($serial)  # The signature algorithm  $certificateGenerator.SetSignatureAlgorithm('SHA256WithRSA')  # Basic Constraints - certificate is allowed to be used as intermediate.  # Powershell requires either a $null or reassignment or it will return this from the function  $certificateGenerator = Add-BasicConstraints -isCertificateAuthority $IsCA -certificateGenerator $certificateGenerator  # Key Usage  if($EKU.Count -gt 0)   {    $certificateGenerator = $certificateGenerator | Add-ExtendedKeyUsage @EKU  }  # Create and set the Issuer and Subject name  $subjectDN = New-X509Name -Name ($SubjectName)  if($Issuer -ne $null) {    $IssuerDN = New-X509Name -Name ($IssuerName)  }  else   {    $IssuerDN = New-X509Name -Name ($SubjectName)  }    $certificateGenerator.SetSubjectDN($subjectDN)  $certificateGenerator.SetIssuerDN($IssuerDN)  # Authority Key and Subject Identifier  if($Issuer -ne $null)  {    $IssuerKeyPair = ConvertTo-BouncyCastleKeyPair -PrivateKey $IssuerPrivateKey    $IssuerSerial = [Org.BouncyCastle.Math.BigInteger]$Issuer.GetSerialNumber()    $authorityKeyIdentifier = New-AuthorityKeyIdentifier -name $Issuer.IssuerName.Name -publicKey $IssuerKeyPair.Public -serialNumber $IssuerSerial    $certificateGenerator = Add-AuthorityKeyIdentifier -certificateGenerator $certificateGenerator -authorityKeyIdentifier $authorityKeyIdentifier  }  # Validity range of the certificate  [DateTime]$notBefore = (Get-Date).AddDays(-1)  if($ValidYears -gt 0) {    [DateTime]$notAfter = $notBefore.AddYears($ValidYears)  }  $certificateGenerator.SetNotBefore($notBefore)  $certificateGenerator.SetNotAfter($notAfter)  # Subject public key ~and private  $subjectKeyPair = New-KeyPair -Strength $keyStrength -Random $random  if($IssuerPrivateKey -ne $null)  {    $IssuerKeyPair = [Org.BouncyCastle.Security.DotNetUtilities]::GetKeyPair($IssuerPrivateKey)  }  else   {    $IssuerKeyPair = $subjectKeyPair  }  $certificateGenerator.SetPublicKey($subjectKeyPair.Public)  # Create the Certificate  $IssuerKeyPair = $subjectKeyPair  $certificate = $certificateGenerator.Generate($IssuerKeyPair.Private, $random)  # At this point you have the certificate and need to convert it and export, I return the private key for signing the next cert  $pfxCertificate = ConvertFrom-BouncyCastleCertificate -certificate $certificate -subjectKeyPair $subjectKeyPair -friendlyName $FriendlyName  return $pfxCertificate}

A few examples of usage for this powershell would be:

Generate a Root CA

$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $trueExport-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx

Generate a Standard Self Signed

$TestSS = New-SelfSignedCertificate -subjectName "CN=TestLocal"Export-Certificate -Certificate $TestSS -OutputFile "TestLocal.pfx" -X509ContentType Pfx

Generate a certificate, signing with a root certificate

$TestRootCA = New-SelfSignedCertificate -subjectName "CN=TestRootCA" -IsCA $true$TestSigned = New-SelfSignedCertificate -subjectName "CN=TestSignedByRoot" -issuer $TestRootCAExport-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType PfxExport-Certificate -Certificate $test -OutputFile "TestRootCA.pfx" -X509ContentType Pfx

Generate a Self-Signed with Specific Usage

$TestServerCert = New-SelfSignedCertificate -subjectName "CN=TestServerCert" -EKU @{ "ServerAuthentication" = $true }

Note that the -EKU parameter accepts via splatting, it does this to ensure that anything added to Add-ExtendedKeyUsage is validly passed. It accepts the following certificate usages:

• DigitalSignature
• NonRepudiation
• KeyEncipherment
• DataEncipherment
• KeyAgreement
• KeyCertSign
• CrlSign
• EncipherOnly
• DecipherOnly

This fits my need and seems to work across all Windows Platforms we are using for dynamic environments.

How about simply doing this:

$cert = New-SelfSignedCertificate -FriendlyName "MyCA"      -KeyExportPolicy ExportableEncrypted       -Provider "Microsoft Strong Cryptographic Provider"       -Subject "SN=TestRootCA" -NotAfter (Get-Date).AddYears($ExpiryInYears)       -CertStoreLocation Cert:\LocalMachine\My -KeyUsageProperty All       -KeyUsage CertSign, CRLSign, DigitalSignature

Important parameters are -KeyUsageProperty and -KeyUsage.

"Itiverba Self-Signed certificate generator" (http://www.itiverba.com/en/software/itisscg.php) is a free GUI tool for Windows that allows you to create your own CA certificates and sign end-certificates with it. You can export the certificates in PEM, CER, DER, PFX file formats.

It's just 3 lines to encode :
Subject: CN="Testcorp - Private CA"
Basic Constraints: V (checked)
Basic Constraints / Subject Type: CA

Give a file name and select a file format, then click on the "create certificate" button. Your Custom CA certificate is done.