New-SelfSignedCertificate - PowerShell


Overview

The New-SelfSignedCertificate cmdlet (PKI module, Windows 8 / Windows Server 2012 and later) generates a key pair and a certificate signed with its own key, or with another certificate passed via -Signer, and places it in a certificate store (Cert:\CurrentUser\My unless -CertStoreLocation says otherwise). It is used for development, test and lab environments where a trusted certificate authority is not available. No client trusts such a certificate by default, so it is not a substitute for a CA-issued certificate in production.

Syntax

New-SelfSignedCertificate [-Subject <String>] [-DnsName <String[]>] [-Type <CertificateType>] [-NotBefore <DateTime>] [-NotAfter <DateTime>] [-KeyUsage <KeyUsage[]>] [-KeyAlgorithm <String>] [-KeyLength <Int32>] [-HashAlgorithm <String>] [-Provider <String>] [-KeyExportPolicy <KeyExportPolicy[]>] [-TextExtension <String[]>] [-Signer <Certificate>] [-CloneCert <Certificate>] [-FriendlyName <String>] [-CertStoreLocation <String>] [-WhatIf] [-Confirm] [<CommonParameters>]

(Abbreviated. Run Get-Help New-SelfSignedCertificate -Full for the complete parameter sets. -ValidityPeriod and -IncludeEmailProtection are not parameters of this cmdlet.)

Options/Flags

  • -Subject: X.500 distinguished name of the subject, e.g. "CN=app.example.test". If omitted and -DnsName is given, the first DNS name becomes the CN.
  • -DnsName: One or more DNS names written into the Subject Alternative Name extension, passed as one array ("a","b"). Modern TLS clients match the host name against the SAN, not the CN, so every name the service answers to belongs here.
  • -Type: Certificate profile. SSLServerAuthentication (default) adds the Server Authentication and Client Authentication EKUs; other values are CodeSigningCert, DocumentEncryptionCert, DocumentEncryptionCertLegacyCsp and Custom (no EKU unless you add one with -TextExtension).
  • -NotBefore / -NotAfter: Validity window as DateTime values. The default -NotAfter is one year after creation; there is no separate validity-period parameter. Browsers reject TLS certificates valid for more than 398 days.
  • -KeyUsage: Key usage flags: DigitalSignature, KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, NonRepudiation, EncipherOnly, DecipherOnly or None. A certificate used to sign others needs CertSign.
  • -KeyAlgorithm: RSA (default) or an ECDSA curve name: ECDSA_nistP256, ECDSA_nistP384, ECDSA_nistP521. "ECC" on its own is not accepted.
  • -KeyLength: RSA key size in bits (default 2048). Ignored for ECDSA, where the curve fixes the size.
  • -HashAlgorithm: Signature hash (default SHA256). SHA1 is still accepted by the cmdlet but rejected by current clients.
  • -Provider: Key storage provider holding the private key. Default is "Microsoft Software Key Storage Provider" (CNG). Use a legacy CSP such as "Microsoft Enhanced Cryptographic Provider v1.0" only when old software requires CAPI keys.
  • -KeyExportPolicy: NonExportable (default), Exportable or ExportableEncrypted. Leave the default unless you genuinely need to Export-PfxCertificate the key later; a non-exportable key cannot be copied off the machine through the API.
  • -TextExtension: Additional extensions as "OID={text}value" strings in certreq syntax, e.g. "2.5.29.19={critical}{text}ca=1" for Basic Constraints or "2.5.29.37={text}1.3.6.1.5.5.7.3.4" to add the Email Protection EKU.
  • -Signer: The issuing certificate as a certificate object whose private key is accessible (e.g. from Get-Item Cert:\CurrentUser\My\<thumbprint>), not a thumbprint string. The result is then signed by that certificate rather than self-signed.
  • -CloneCert: Copies subject and extensions from an existing certificate into the new one, with a fresh key pair.
  • -FriendlyName: Display name stored as store metadata; it is not part of the certificate itself.
  • -CertStoreLocation: Store path, e.g. Cert:\CurrentUser\My (default) or Cert:\LocalMachine\My. The LocalMachine store requires an elevated session.

Examples

  • Create a self-signed certificate with a subject and a friendly name (default store Cert:\CurrentUser\My, default lifetime one year):
New-SelfSignedCertificate -Subject "CN=MySelfSignedCert" -FriendlyName "MySelfSignedCert"
  • Generate a certificate with several DNS names (one array; repeating -DnsName is a "parameter specified more than once" error):
New-SelfSignedCertificate -DnsName "example.com","www.example.com"
  • Create a certificate with a custom validity period via -NotAfter (two years here, which TLS clients will not accept; fine for internal signing or encryption certificates):
New-SelfSignedCertificate -Subject "CN=Internal" -NotAfter (Get-Date).AddDays(730)
  • Sign a certificate using an existing certificate. The signer must carry the CertSign key usage and a CA Basic Constraints extension, and -Signer takes the certificate object, not its thumbprint:
$ca = New-SelfSignedCertificate -Subject "CN=RootCert" -Type Custom -KeyUsage CertSign,CRLSign,DigitalSignature -TextExtension @("2.5.29.19={critical}{text}ca=1")
New-SelfSignedCertificate -DnsName "app.example.com" -Signer $ca
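The following is an added example, not code from the original page: a throwaway root CA plus a TLS leaf certificate issued by it, followed by a check of what was actually written into the leaf. The subject names, DNS names, lifetimes and the Cert:\CurrentUser\My store are placeholder choices; the Basic Constraints string uses certreq's {text} syntax.

```powershell
# Added example (not from the original page): a dev root CA plus a TLS leaf
# certificate issued by it. Names, DNS names and lifetimes are placeholders.
$store = 'Cert:\CurrentUser\My'   # no elevation required; Cert:\LocalMachine\My for services

# 1. Root CA. -Type Custom adds no EKU; CertSign/CRLSign key usage plus a Basic
#    Constraints extension (OID 2.5.29.19, certreq {text} syntax) mark it as a CA
#    that may not issue further CAs. The key stays NonExportable (the default).
$rootCa = New-SelfSignedCertificate `
    -Subject 'CN=Dev Lab Root CA' `
    -Type Custom `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -CertStoreLocation $store

# 2. Leaf. -Signer takes the certificate object (with its private key), not a
#    thumbprint string. -DnsName fills the SAN extension and the subject CN.
#    397 days keeps the lifetime under the 398-day limit browsers apply to TLS.
$leaf = New-SelfSignedCertificate `
    -DnsName 'app.dev.example.test', 'api.dev.example.test' `
    -Signer $rootCa `
    -Type SSLServerAuthentication `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddDays(397) `
    -KeyExportPolicy Exportable `
    -FriendlyName 'Dev Lab TLS' `
    -CertStoreLocation $store

# 3. Inspect what was issued before binding it to a listener: issuer must be the
#    CA, HasPrivateKey must be True, SAN and EKU must contain what clients expect.
$leaf | Format-List Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
foreach ($ext in $leaf.Extensions) {
    if ($ext.Oid.FriendlyName -in 'Subject Alternative Name', 'Enhanced Key Usage', 'Key Usage') {
        '{0}: {1}' -f $ext.Oid.FriendlyName, $ext.Format($false)
    }
}
```

Only the CA's public certificate (Export-Certificate, .cer) needs to be distributed to clients; the leaf's private key should be exported as a PFX only if it has to move to another host, and the CA key should never leave the store it was created in.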

Common Issues

  • Missing Provider: The -Provider name must match an installed key storage provider or CSP exactly. List them with certutil -csplist; when in doubt, omit the parameter and use the default "Microsoft Software Key Storage Provider".
  • Insufficient Permissions: Writing to Cert:\LocalMachine\* requires an elevated (Administrator) session; otherwise the cmdlet fails with access denied. Cert:\CurrentUser\My needs no elevation but the key is then only available to that user, not to services.
  • Host Name Mismatch: Clients compare the host name they connected to with the Subject Alternative Name extension. Pass every name the service answers to via -DnsName; a certificate with only a CN, or with the wrong name, fails validation even when it is trusted.
  • Certificate Not Trusted: A self-signed certificate has no chain to a trusted root, so applications reject it. For local testing, export the public part only (.cer, never the PFX) and import it into a Root store on machines you control, preferring Cert:\CurrentUser\Root over Cert:\LocalMachine\Root to limit the blast radius, and remove it when the test is over. Anything signed with that key is then trusted on that machine, so protect the private key accordingly. Do not work around the error by disabling certificate validation in client code, and for anything beyond a single machine use a private CA (see -Signer) so that only one root has to be trusted.
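Added example, not from the original page: trusting a self-signed certificate for a local test with the smallest possible scope, checking it with Test-Certificate before and after, and cleaning up afterwards. The 'localhost' name, the friendly name and the temporary file path are placeholders.

```powershell
# Added example (not from the original page): trust a self-signed certificate for
# a local test with minimal scope, verify it, then remove it again.
$cert = New-SelfSignedCertificate -DnsName 'localhost' -FriendlyName 'Local TLS test' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Before trusting: the chain ends in an unknown root, so full validation fails ...
Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost' -ErrorAction SilentlyContinue
# ... while -AllowUntrustedRoot shows that name, EKU and validity dates are otherwise fine.
Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost' -AllowUntrustedRoot

# Export the public certificate only (.cer, no private key) and import it into the
# current user's Root store. Cert:\LocalMachine\Root needs an elevated session and
# affects every user and service on the machine; keep the blast radius small.
# Windows shows a confirmation dialog when a root is added to the user store.
$cerPath = Join-Path $env:TEMP 'localhost-test.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# Full validation now succeeds without any exception in client code.
Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost'

# Cleanup when the test is over: trust anchor, key pair (with its private key) and file.
Remove-Item "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Remove-Item $cerPath
```

Test-Certificate returns True or False, so the two calls before the import are the quickest way to tell "untrusted root" apart from "wrong name or EKU", which are reported identically by most TLS clients.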

Integration

  • Integration with PowerShell DSC: No built-in DSC resource creates self-signed certificates, but the cmdlet can run inside a Script resource whose TestScript checks the store (by subject or thumbprint) so the configuration stays idempotent. DSC itself also needs a certificate with the Document Encryption EKU to encrypt credentials in MOF files; New-SelfSignedCertificate -Type DocumentEncryptionCert creates one.
  • Combined with the other PKI cmdlets: Get-Certificate is for enrolling against an enterprise CA, not for reading back a certificate. Retrieve what New-SelfSignedCertificate created with Get-Item or Get-ChildItem on the Cert: drive, then use Export-Certificate (public .cer), Export-PfxCertificate (private key, password-protected), Import-Certificate and Test-Certificate for further operations.
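Added example, not from the original page: locating a certificate the cmdlet created, by provider path and by store query, and exporting the public part and the PFX. The 'svc.example.test' name, the store and the output paths are placeholders.

```powershell
# Added example (not from the original page): find a certificate the cmdlet
# created, then export it. Store, names and file paths are placeholders.
$new = New-SelfSignedCertificate -DnsName 'svc.example.test' -FriendlyName 'svc' `
    -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\CurrentUser\My'

# The Cert: drive is a provider: a store is a container, the thumbprint is the item name.
$byPath = Get-Item "Cert:\CurrentUser\My\$($new.Thumbprint)"

# Or query the store. Filter on the private key as well, because a store can also
# hold a public-only copy with the same subject, and pick the freshest match.
$bySubject = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=svc.example.test' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# Public part for clients; safe to distribute.
Export-Certificate -Cert $byPath -FilePath (Join-Path $env:TEMP 'svc.cer') | Out-Null

# Private key for the server host. The PFX is only as secret as its password: take
# it from a prompt or a secret store, never from a literal in the script, and treat
# the file as a credential. This works only because -KeyExportPolicy was Exportable.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $bySubject -FilePath (Join-Path $env:TEMP 'svc.pfx') `
    -Password $pfxPassword | Out-Null
```

Export-PfxCertificate fails for a key created with the default NonExportable policy, which is the intended protection; decide at creation time whether the key ever needs to leave the machine.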