Powershell Self Signed Certificate
# Create Self signed root certificate
# -dnsname -DnsName,
# -Subject "CN=Patti Fuller,OU=UserAccounts,DC=corp,DC=contoso,DC=com"
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" `
-KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 4096 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign `
-KeyUsage CertSign `
-NotAfter (Get-Date).AddYears(5)
# Generate certificates from root (For Client Authentication only) (Not for web server)
New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-NotAfter (Get-Date).AddMonths(24) `
-CertStoreLocation "Cert:\CurrentUser\My" `
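-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") # EKU (2.5.29.37) = Client Authentication (1.3.6.1.5.5.7.3.2)
# Generate certificate from root for web service
# (fill the empty -DnsName strings with the host names the service is reached by)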
New-SelfSignedCertificate -Type Custom `
-Subject "CN=P2SChildCertWeb" -KeyExportPolicy Exportable `
-DnsName "","","" `
-HashAlgorithm sha256 -KeyLength 2048 `
-KeyUsage "KeyEncipherment", "DigitalSignature" `
-NotAfter (Get-Date).AddMonths(24) `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert
# if not on the same powershell session (Take note of the thumbprint)
Get-ChildItem -Path "Cert:\CurrentUser\My"
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\THUMBPRINT"
# Delete Certificate with key
Remove-Item -Path "cert:\LocalMachine\CA\THUMBPRINT" -DeleteKey
# Export as PFX
# ("MyPassword" is a sample value; Read-Host -AsSecureString keeps the real one out of the script)
$PFXPass = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\CurrentUser\My\THUMBPRINT `
-Password $PFXPass `
-FilePath C:\TEMP\Service-adatum-local.pfx
# Export Normal
# Exports a certificate to the file system as a DER-encoded .cer file without its private key.
Export-Certificate -Cert $cert -FilePath c:\certs\user.cer
# Exports a certificate to the file system as a PKCS#7-formatted .p7b file without its private key.
Export-Certificate -Cert $cert -FilePath c:\certs\user.p7b -Type p7b
# Certificate Types
# EKU TYPES (Enhanced Key Usage)
# Signing Software
-KeySpec "Signature"
-KeyUsage "DigitalSignature"
# Normal Web Server Usage
# FOR "Server Authentication", "Client authentication"
-KeyUsage "KeyEncipherment, DigitalSignature"
# Email
-KeyUsage "KeyEncipherment, DigitalSignature"
# Timestamping
# Text Extension for the ROOT CA (Basic Constraints, OID 2.5.29.19)
-TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=3")
# Where ca=1 defines the cert as a signing CA and pathlength=3 is arbitrary; it defines how many subordinate CAs can be present
# For the Subordinate certificate
-TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=0")
# Where ca=1 defines the cert as a signing CA and pathlength=0 defines that there is no other signing CA below this one.
# -------------------------------------------------------
# Purpose of Certificate    Required Key Usage Bit
# CA Signing                keyCertSign
# Certificate Signing       keyCertSign
# SSL Client                digitalSignature
# SSL Server                keyEncipherment
# Object Signing            digitalSignature
# S/MIME Signing            digitalSignature
# S/MIME Encryption         keyEncipherment
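
A check of what the commands above actually wrote into the certificates, as an added example that is not part of the original gist: it reports Basic Constraints, Key Usage and EKU for the root and the client certificate, then confirms the child chains to that exact root. The helper names `Get-CertProfile` and `Test-ChainsToRoot` are hypothetical, and the subject names looked up are the ones used in the script above.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Summarise the extensions that decide what a certificate may be used for.
function Get-CertProfile {                      # hypothetical helper name
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $bc  = $Cert.Extensions['2.5.29.19']        # Basic Constraints
    $ku  = $Cert.Extensions['2.5.29.15']        # Key Usage
    $eku = $Cert.Extensions['2.5.29.37']        # Enhanced Key Usage
    [pscustomobject]@{
        Subject  = $Cert.Subject
        IsCA     = if ($bc) { $bc.CertificateAuthority } else { 'absent' }
        PathLen  = if ($bc -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
        KeyUsage = if ($ku) { $ku.KeyUsages } else { 'absent' }
        EKU      = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -join ', ' } else { 'absent' }
    }
}

# True only when the chain builds AND ends at the pinned root.
function Test-ChainsToRoot {                    # hypothetical helper name
    param([Parameter(Mandatory)][X509Certificate2]$Cert,
          [Parameter(Mandatory)][X509Certificate2]$Root)
    $chain = [X509Chain]::new()
    # Revocation is not checked: the script above sets up no CRL.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # The root is not in a trusted root store, so tolerate an unknown CA here...
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    if (-not $chain.Build($Cert)) { return $false }
    # ...and pin the thumbprint, because that flag alone would accept a chain
    # ending at any untrusted root.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $top.Thumbprint -eq $Root.Thumbprint
}

# Newest certificate for each subject used in the script above.
$store = 'Cert:\CurrentUser\My'
$root  = Get-ChildItem $store | Where-Object Subject -eq 'CN=P2SRootCert' |
         Sort-Object NotBefore | Select-Object -Last 1
$child = Get-ChildItem $store | Where-Object Subject -eq 'CN=P2SChildCert' |
         Sort-Object NotBefore | Select-Object -Last 1

# 'absent' under IsCA means no Basic Constraints extension was written.
$root, $child | ForEach-Object { Get-CertProfile $_ } | Format-List
"Child chains to pinned root: $(Test-ChainsToRoot -Cert $child -Root $root)"
```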