How to Generate a Self-Signed Certificate Using PowerShell

How to Generate a Self-Signed Certificate Using PowerShell


Overview

There may come a time when a certificate is needed for testing purposes, and a certification authority (CA) is not readily available. The sample script below provides the following:

    -Self-signed certificates in the Local Machine Personal store
    -2048-bit private keys marked exportable
    -Ability to generate multiple certificates at once
    -Ability to select a Subject
    -Ability to select from five Enhanced Key Usage (EKU) object identifiers (OIDs)
            Server Authentication
            Client Authentication
            Smart Card Authentication
            Encrypting File System
            Code Signing

The sample can be easily modified to specify other private key and certificate object properties of choice.    


Screenshot





Sample PowerShell Code

Note: This script sample is provided AS-IS with no warranties and confers no rights.

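#SCRIPT SAMPLE TITLE - Generate Self-signed Certificates

#AUTHOR - Adam Conkle - Microsoft Corporation

#VERSION - 1.1

# Purpose: interactively generate one or more self-signed certificates, each
# with its own 2048-bit RSA private key, in the Personal store of either the
# current user or the local computer. The operator supplies the subject and
# picks the Enhanced Key Usage (EKU) set for every certificate.
#
# Errors are surfaced instead of suppressed: the original "SilentlyContinue"
# setting let a failed key creation or enrollment pass unnoticed and still end
# in a green "Finished". With "Stop", every failure inside the per-certificate
# work lands in the Catch block below, is reported, and the loop continues
# with the next certificate.
$ErrorActionPreference = "Stop"

#######################################
# Build an X509Enrollment object ID from a dotted-decimal OID string and append
# it to an X509Enrollment.CObjectIds collection.
# Arguments: $Oids     - CObjectIds collection to append to
#            $OidValue - dotted-decimal OID string, e.g. "1.3.6.1.5.5.7.3.1"
#######################################
Function Add-EkuOid
{
    Param (
        [Parameter(Mandatory = $true)] $Oids,
        [Parameter(Mandatory = $true)] [string] $OidValue
    )
    $oid = New-Object -ComObject "X509Enrollment.CObjectId.1"
    $oid.InitializeFromValue($OidValue)
    $Oids.Add($oid)
}

#write header
Write-Host "`n WARNING: This script sample is provided AS-IS with no warranties and confers no rights." -ForegroundColor Yellow
Write-Host "`n This script sample will generate self-signed certificates with private key"
# The store is chosen below; the old text named only the Local Computer store.
Write-Host " in the Personal certificate store of the current user or the local computer."

#find out how many certs they want to self-sign
# Validate the answer explicitly: a plain [int] cast of a non-numeric answer
# would throw, and a zero or negative count would silently run no iterations.
$IterationsAnswer = Read-Host "`n How many certificates would you like to generate?"
[int]$Iterations = 0
If (-not [int]::TryParse($IterationsAnswer, [ref]$Iterations) -or $Iterations -lt 1)
{
    Write-Host "`n Invalid number of certificates. Exiting`n`n" -ForegroundColor Red
    Exit
}

# Store selection. PowerShell's -eq is case-insensitive, so "u"/"c" also work.
# $machineContext feeds CX509PrivateKey.MachineContext (0 = user, 1 = machine);
# $initContext is the X509CertificateEnrollmentContext passed to
# InitializeFromPrivateKey (1 = ContextUser, 2 = ContextMachine).
$ContextAnswer = Read-Host "`n Store certificates in the User or Computer store? (U/C)"
If ($ContextAnswer -eq "U")
{
    $machineContext = 0
    $initContext = 1
}
ElseIF ($ContextAnswer -eq "C")
{
    $machineContext = 1
    $initContext = 2
}
Else
{
    Write-Host "`n Invalid selection. Exiting`n`n" -ForegroundColor Red
    Exit
}

For ($Count = 1; $Count -le $Iterations; $Count++)
{
    $Subject = Read-Host "`n Enter the Subject for certificate `#$Count"

    # Collect the EKU selection before creating the key, so that aborting at
    # the prompts (or a rejected selection) leaves no orphaned key behind in
    # the key store.
    $ekuoids = New-Object -ComObject "X509Enrollment.CObjectIds.1"

    $NothingAnsweredYes = $true
    While ($NothingAnsweredYes)
    {
        Write-Host "`n Add Enhanced Key Usage `(EKU`) by answering Y/N to the following`:"
        $AddServerAuth    = Read-Host " Server Authentication?"
        $AddClientAuth    = Read-Host " Client Authentication?"
        $AddSmartCardAuth = Read-Host " Smart Card Authentication?"
        $AddEFS           = Read-Host " EFS?"
        $AddCodeSigning   = Read-Host " Code Signing?"

        # Prompt answer -> EKU OID, in the same order the questions were asked.
        $answers = @(
            @{ Answer = $AddServerAuth;    Oid = "1.3.6.1.5.5.7.3.1" },      # Server Authentication
            @{ Answer = $AddClientAuth;    Oid = "1.3.6.1.5.5.7.3.2" },      # Client Authentication
            @{ Answer = $AddSmartCardAuth; Oid = "1.3.6.1.4.1.311.20.2.2" }, # Smart Card Logon
            @{ Answer = $AddEFS;           Oid = "1.3.6.1.4.1.311.10.3.4" }, # Encrypting File System
            @{ Answer = $AddCodeSigning;   Oid = "1.3.6.1.5.5.7.3.3" }       # Code Signing
        )
        # @( ) keeps $chosen an array even when exactly one EKU was picked,
        # otherwise .Count would report the hashtable's key count instead.
        $chosen = @($answers | Where-Object { $_.Answer -eq "Y" })

        If ($chosen.Count -eq 0)
        {
            Write-Host "`n You must select at least one EKU for certificate `#$Count."
        }
        Else
        {
            ForEach ($entry in $chosen)
            {
                Add-EkuOid -Oids $ekuoids -OidValue $entry.Oid
            }
            $NothingAnsweredYes = $false
        }
    }

    Try
    {
        #Generate cert in the selected Personal store
        $name = New-Object -ComObject "X509Enrollment.CX500DistinguishedName.1"
        # NOTE(review): the subject is embedded unescaped; a value containing
        # ',' or '=' is parsed as additional RDNs. Fine for an operator typing
        # at the console, verify the input if it ever comes from elsewhere.
        # Second argument 0 = XCN_CERT_NAME_STR_NONE.
        $name.Encode("CN=$Subject", 0)

        $key = New-Object -ComObject "X509Enrollment.CX509PrivateKey.1"
        $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
        # 1 = AT_KEYEXCHANGE
        $key.KeySpec = 1
        $key.Length = 2048
        # Key ACL in SDDL: intended to give SYSTEM (SY) and Administrators (BA)
        # full control and Network Service (NS) read access, i.e. the usual
        # service-account layout for a machine key. Applied unchanged in the
        # user context as well -- confirm that is what you want there.
        $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
        $key.MachineContext = $machineContext
        # 1 = XCN_NCRYPT_ALLOW_EXPORT_FLAG: the private key can be exported
        # (e.g. to PFX). Convenient for test labs, but an exportable key is one
        # that can leave the machine; use 0 when the key never needs to move.
        $key.ExportPolicy = 1
        $key.Create()

        $ekuext = New-Object -ComObject "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
        $ekuext.InitializeEncode($ekuoids)

        $cert = New-Object -ComObject "X509Enrollment.CX509CertificateRequestCertificate.1"
        $cert.InitializeFromPrivateKey($initContext, $key, "")
        $cert.Subject = $name
        # Self-signed: issuer and subject are the same name.
        $cert.Issuer = $cert.Subject
        $cert.NotBefore = Get-Date
        # 1825 days = five years of validity.
        $cert.NotAfter = $cert.NotBefore.AddDays(1825)
        $cert.X509Extensions.Add($ekuext)
        $cert.Encode()

        $enrollment = New-Object -ComObject "X509Enrollment.CX509Enrollment.1"
        $enrollment.InitializeFromRequest($cert)
        # 0 = XCN_CRYPT_STRING_BASE64HEADER
        $certdata = $enrollment.CreateRequest(0)
        # 2 = AllowUntrustedCertificate: required because a self-signed
        # certificate does not chain to any trusted root.
        $enrollment.InstallResponse(2, $certdata, 0, "")
    }
    Catch
    {
        # Report and move on to the next certificate rather than aborting the
        # whole run or, worse, hiding the failure.
        Write-Host "`n Failed to generate certificate `#$Count (CN=$Subject): $($_.Exception.Message)" -ForegroundColor Red
    }
}

Write-Host "`n`tFinished`n" -ForegroundColor Green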
  
##################################

 

  • Adam Conkle - MSFT edited Revision 4. Comment: Added ability to choose between User and Computer stores
