Quickly generate, install, and export Self-Signed Certificate in PowerShell on Windows 8.1/2012R2

 

Self-signed certificates are widely used in test and development environments and for local or cloud-hosted web sites. This article introduces a method to quickly generate a self-signed certificate, export it together with its private key as a .pfx file, and install it under LocalMachine\My and LocalMachine\Root on Windows 8.1 and Windows Server 2012 R2.

I have also wrapped the main logic in a Windows Forms UI that generates a ready-to-run script from the values you enter, so it is very easy to use. [The complete script can be downloaded from CodePlex and GitHub.]

There are several ways to create a self-signed certificate: MakeCert together with CertMgr, SelfSSL or SelfSSL7, the IIS 7/8 management console, or a lengthy PowerShell script. Each of these requires remembering multiple command-line switches, clicking through a UI by hand, or understanding the details of certificate generation. The method introduced here uses the PowerShell PKI cmdlets that ship with the newer operating systems (New-SelfSignedCertificate, Export-PfxCertificate and Import-PfxCertificate). You only need to supply the certificate subject (the DNS name), the password that protects the private key in the exported file, and the export path:

 GenerateSelfSignedCert www.mytest.com MyTestPassword c:\temp\mytest.pfx

The definition of the GenerateSelfSignedCert function is:

<#
.DESCRIPTION
SelfSignedCertificate AutoScript

.NOTES
Author: Freist Li
Last Updated: 10/30/2014
#>

# Cert generation related functions
#**************************************************************************************
# Create cert, install cert to My, install cert to Root, export cert as .pfx

Function GenerateSelfSignedCert {
    Param (
        [Parameter(Mandatory = $true)][string]$certcn,
        [Parameter(Mandatory = $true)][string]$password,
        [Parameter(Mandatory = $true)][string]$certfilepath
    )

    # Build the subject pattern once. [regex]::Escape keeps the dots in the host name
    # from acting as regex wildcards in the -match comparisons below.
    $subjectPattern = "CN=" + [regex]::Escape($certcn)

    # Check if the certificate name was used before
    $thumbprintA = (Get-ChildItem cert:\LocalMachine\My -Recurse |
        Where-Object { $_.Subject -match $subjectPattern } |
        Select-Object -Last 1).Thumbprint

    if (-not [string]::IsNullOrEmpty($thumbprintA)) {
        Write-Host "Duplicated Cert Name used" -ForegroundColor Cyan
        return
    }
    else {
        $thumbprintA = (New-SelfSignedCertificate -DnsName $certcn -CertStoreLocation cert:\LocalMachine\My).Thumbprint
    }

    # If generated successfully
    if (-not [string]::IsNullOrEmpty($thumbprintA)) {
        # Query the newly installed certificate again
        $thumbprintB = (Get-ChildItem cert:\LocalMachine\My -Recurse |
            Where-Object { $_.Subject -match $subjectPattern } |
            Select-Object -Last 1).Thumbprint

        # If the new cert was installed successfully with the same thumbprint
        if ($thumbprintA -eq $thumbprintB) {
            $message = $certcn + " installed into LocalMachine\My successfully with thumbprint " + $thumbprintA
            Write-Host $message -ForegroundColor Cyan

            # The password protects the private key inside the .pfx. It is passed to this function
            # as plain text, so it shows up on the command line and in the PowerShell history.
            $mypwd = ConvertTo-SecureString -String $password -Force -AsPlainText

            Write-Host "Exporting Certificate as .pfx file" -ForegroundColor Cyan
            Export-PfxCertificate -FilePath $certfilepath -Cert cert:\LocalMachine\My\$thumbprintA -Password $mypwd

            # Importing into LocalMachine\Root makes every user and service on this machine trust
            # this certificate, so do this only on test machines you control.
            Write-Host "Importing Certificate to LocalMachine\Root" -ForegroundColor Cyan
            Import-PfxCertificate -FilePath $certfilepath -Password $mypwd -CertStoreLocation cert:\LocalMachine\Root
        }
        else {
            Write-Host "Thumbprint is not the same between new cert and installed cert." -ForegroundColor Cyan
        }
    }
    else {
        $message = $certcn + " is not created"
        Write-Host $message -ForegroundColor Cyan
    }
}

After the certificate is generated and installed, PowerShell outputs:

[image: PowerShell output]

In the Certificate Manager console we can see the certificate under both Personal and Trusted Root Certification Authorities:

[image: Certificate Manager console]

The exported .pfx file can be used with a local web service or with Microsoft Azure:

[image: the exported .pfx file]
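Before handing the .pfx to a web server, it is worth checking what GenerateSelfSignedCert actually left behind, and removing it again when the test is over, because anything sitting in LocalMachine\Root is trusted machine-wide. The following is an added example and is not code from the original post or its download. It assumes the PKI module cmdlets present on Windows 8.1 / 2012 R2 (Get-PfxData and the cert: drive), an elevated session, and that the certificate was created with the exact DNS name passed in; the function names and the usage values are this example's own.

```powershell
# Added example (not part of the original post): verify the output of GenerateSelfSignedCert,
# then remove it from both stores when the test is done.

Function Test-SelfSignedCertInstall {
    Param (
        [Parameter(Mandatory = $true)][string]$certcn,
        [Parameter(Mandatory = $true)][string]$password,
        [Parameter(Mandatory = $true)][string]$certfilepath
    )

    $pattern = "CN=" + [regex]::Escape($certcn)
    $mypwd   = ConvertTo-SecureString -String $password -Force -AsPlainText

    # 1. The .pfx must open with the password and carry an end-entity cert with its private key
    $pfx  = Get-PfxData -FilePath $certfilepath -Password $mypwd
    $cert = $pfx.EndEntityCertificates | Select-Object -First 1
    if ($null -eq $cert)          { throw "No end-entity certificate in $certfilepath" }
    if (-not $cert.HasPrivateKey) { throw "Exported certificate has no private key" }

    # 2. The same thumbprint must be present in both stores the function writes to
    foreach ($store in 'My', 'Root') {
        $installed = Get-ChildItem "cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($null -eq $installed) { throw "Thumbprint $($cert.Thumbprint) missing from LocalMachine\$store" }
    }

    # 3. Self-signed means issuer equals subject, and the subject must be the CN we asked for
    if ($cert.Subject -ne $cert.Issuer)     { throw "Certificate is not self-signed" }
    if ($cert.Subject -notmatch $pattern)   { throw "Unexpected subject $($cert.Subject)" }

    # 4. Report the validity window; New-SelfSignedCertificate on 8.1/2012 R2 issues a one-year cert
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# Remove the certificate from both stores and delete the .pfx, so the machine stops trusting it
Function Remove-SelfSignedCertInstall {
    Param (
        [Parameter(Mandatory = $true)][string]$thumbprint,
        [string]$certfilepath
    )
    foreach ($store in 'My', 'Root') {
        $path = "cert:\LocalMachine\$store\$thumbprint"
        if (Test-Path $path) {
            Remove-Item $path -DeleteKey   # -DeleteKey also removes the private key material
            Write-Host "Removed $thumbprint from LocalMachine\$store" -ForegroundColor Cyan
        }
    }
    if ($certfilepath -and (Test-Path $certfilepath)) { Remove-Item $certfilepath }
}

# Usage (values are this example's own):
# $info = Test-SelfSignedCertInstall www.mytest.com MyTestPassword c:\temp\mytest.pfx
# $info | Format-List
# Remove-SelfSignedCertInstall $info.Thumbprint c:\temp\mytest.pfx
```

Test-SelfSignedCertInstall throws on the first thing that is wrong rather than printing a message, so it can be dropped into a deployment script as a gate; Remove-SelfSignedCertInstall is the step most people forget, and the one that matters on any machine that is not a throwaway.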

Based on the GenerateSelfSignedCert function above, I added code that generates a script with the parameters entered in a Windows Forms UI. The form prompts for the values, produces the script you expect, and lets you run it directly or copy it to the target machine and execute it there. Because installing a certificate into the machine store requires administrator permission, open PowerShell or PowerShell ISE as Administrator.

[image: Form UI and the generated script]
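Generating a script from form input means the values you type end up inside code text, so the generator has to quote them properly or a stray quote character in a field becomes executable PowerShell. The block below is an added example, not the Form UI code from the original post or its download: it shows one way to build the call to GenerateSelfSignedCert with each value emitted as a single-quoted literal, and to run the result elevated as the post requires. The function names, the $functionFile parameter (the path of the file that defines GenerateSelfSignedCert) and the usage values are this example's own assumptions.

```powershell
# Added example (not part of the original post or its Form UI code): build the generated
# script safely from form input and launch it with administrator rights.

# Emit a value as a single-quoted PowerShell literal. Doubling any embedded single quote keeps
# a value such as  x'; Remove-Item c:\* -Recurse;'  inside the string instead of running as code.
Function ConvertTo-PSLiteral {
    Param ([Parameter(Mandatory = $true)][string]$value)
    "'" + $value.Replace("'", "''") + "'"
}

Function New-GenerateCertScript {
    Param (
        [Parameter(Mandatory = $true)][string]$certcn,
        [Parameter(Mandatory = $true)][string]$password,
        [Parameter(Mandatory = $true)][string]$certfilepath,
        [Parameter(Mandatory = $true)][string]$functionFile   # file that defines GenerateSelfSignedCert (assumed)
    )
    # Reject anything that cannot be a DNS name before it reaches the script at all
    if ($certcn -notmatch '^[A-Za-z0-9.\-]+$') { throw "Invalid DNS name: $certcn" }

    @(
        ". " + (ConvertTo-PSLiteral $functionFile)
        "GenerateSelfSignedCert " + (ConvertTo-PSLiteral $certcn) + " " +
            (ConvertTo-PSLiteral $password) + " " + (ConvertTo-PSLiteral $certfilepath)
    ) -join "`r`n"
}

# True when the current process already holds the Administrator role
Function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

Function Invoke-GeneratedScriptElevated {
    Param ([Parameter(Mandatory = $true)][string]$scriptText)
    $tmp = Join-Path $env:TEMP ("gencert-" + [guid]::NewGuid().ToString() + ".ps1")
    Set-Content -Path $tmp -Value $scriptText -Encoding UTF8
    try {
        if (Test-IsElevated) {
            & $tmp
        }
        else {
            # Machine store writes need admin rights: re-launch PowerShell through a UAC prompt
            Start-Process powershell.exe -Verb RunAs -Wait `
                -ArgumentList ('-NoProfile -ExecutionPolicy Bypass -File "' + $tmp + '"')
        }
    }
    finally {
        # The generated file contains the PFX password, so do not leave it on disk
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Usage (paths and values are this example's own):
# $script = New-GenerateCertScript 'www.mytest.com' 'MyTestPassword' 'c:\temp\mytest.pfx' 'C:\scripts\GenerateSelfSignedCert.ps1'
# $script                                  # inspect the generated text before running it
# Invoke-GeneratedScriptElevated $script
```

The generated text is plain PowerShell, so it can still be copied to another machine and run there as the post describes; the quoting only guarantees that the form values stay data.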

The complete script can be downloaded from CodePlex and GitHub.

Regards,

Freist Li from GBSD DSI Team

Comments

  • Anonymous
    November 24, 2014
    so "LocalMachine\My" for personal, "LocalMachine\Root" for root authority... "LocalMachine\Intermediate" doesn't work...
  • Anonymous
    May 25, 2015
    Does anyone have any issues regarding directory roots? Such as the one in it help (helprace.com/it-help-desk) that's not very effective. Thanks for the tutorial though