New SelfSignedCertificate - PowerShell


The New-SelfSignedCertificate command creates a self-signed certificate and adds it to the local certificate store. It is commonly used when secure communication is needed but a trusted certificate authority is not readily available.


New-SelfSignedCertificate [-Subject <String>] [-NotAfter <DateTime>] [-KeyUsage <KeyUsage>] [-KeyAlgorithm <String>] [-Provider <String>] [-FriendlyName <String>] [-DnsName <String[]>] [-CertStoreLocation <CertStoreLocation>] [-KeyLength <Int32>] [-HashAlgorithm <String>] [-ValidityPeriod <Int32>] [-IncludeEmailProtection <Boolean>] [-Signer <String>]


  • -Subject: Specifies the subject name for the certificate.
  • -NotAfter: Sets the expiration date for the certificate.
  • -KeyUsage: Defines the intended key usage(s) for the certificate (e.g., DigitalSignature, KeyEncipherment, DataEncipherment).
  • -KeyAlgorithm: Specifies the algorithm to use for the certificate key (e.g., RSA, ECC).
  • -Provider: Selects the certificate provider to use (e.g., Microsoft Enhanced Cryptographic Provider v1.0).
  • -FriendlyName: Assigns a friendly name to the certificate for easier identification.
  • -DnsName: Adds specified DNS names as subject alternative names to the certificate.
  • -CertStoreLocation: Determines the location in the certificate store where the certificate will be placed (e.g., CurrentUser, LocalMachine).
  • -KeyLength: Sets the key length for the certificate (default: 2048 bits).
  • -HashAlgorithm: Specifies the hash algorithm to use for signing the certificate (e.g., SHA256, SHA512).
  • -ValidityPeriod: Defines the validity period of the certificate in days (default: 397).
  • -IncludeEmailProtection: Includes email protection in the certificate (default: false).
  • -Signer: Signs the certificate using the specified certificate (requires a signing certificate with appropriate permissions).


  • Create a self-signed certificate with a friendly name:
New-SelfSignedCertificate -FriendlyName "MySelfSignedCert"
  • Generate a certificate with specific DNS names:
New-SelfSignedCertificate -DnsName "" -DnsName ""
  • Create a certificate with a custom validity period:
New-SelfSignedCertificate -ValidityPeriod 730
  • Sign a certificate using an existing certificate:
$cert = New-SelfSignedCertificate -FriendlyName "RootCert"
New-SelfSignedCertificate -Signer $cert.Thumbprint

Common Issues

  • Missing Provider: Ensure the specified certificate provider is installed and registered in the system.
  • Insufficient Permissions: Verify that the user has sufficient permissions to create certificates in the target certificate store.
  • Certificate Not Trusted: Self-signed certificates are not automatically trusted by all applications. Import the certificate into the trusted root certificate store for trusted communication.


  • Integration with PowerShell DSC: Use the New-SelfSignedCertificate command in PowerShell DSC configurations to provision self-signed certificates for secure configurations.
  • Combined with Get-Certificate: Use Get-Certificate to retrieve the certificate after creation and perform further operations (e.g., export, install).