# IT:AD:PowerShell:HowTo:Create A Self-Signed Certificate #

* [[../|(UP)]] {{indexmenu>.#2|nsort tsort}}
* See:
  * [[IT/AD/MakeCert/]]
  * [[IT/AD/Certificates/HowTo/Create/]]
  * [[IT/AD/IIS Express/HowTo/Configure/SSL/]]

## Process ##

```powershell
Get-Command -Module PKI
```

will show you several commands:

```
CommandType Name                                      Version Source
----------- ----                                      ------- ------
Cmdlet      Add-CertificateEnrollmentPolicyServer     1.0.0.0 PKI
Cmdlet      Export-Certificate                        1.0.0.0 PKI
Cmdlet      Export-PfxCertificate                     1.0.0.0 PKI
Cmdlet      Get-Certificate                           1.0.0.0 PKI
Cmdlet      Get-CertificateAutoEnrollmentPolicy       1.0.0.0 PKI
Cmdlet      Get-CertificateEnrollmentPolicyServer     1.0.0.0 PKI
Cmdlet      Get-CertificateNotificationTask           1.0.0.0 PKI
Cmdlet      Get-PfxData                               1.0.0.0 PKI
Cmdlet      Import-Certificate                        1.0.0.0 PKI
Cmdlet      Import-PfxCertificate                     1.0.0.0 PKI
Cmdlet      New-CertificateNotificationTask           1.0.0.0 PKI
Cmdlet      New-SelfSignedCertificate                 1.0.0.0 PKI
Cmdlet      Remove-CertificateEnrollmentPolicyServer  1.0.0.0 PKI
Cmdlet      Remove-CertificateNotificationTask        1.0.0.0 PKI
Cmdlet      Set-CertificateAutoEnrollmentPolicy       1.0.0.0 PKI
Cmdlet      Switch-Certificate                        1.0.0.0 PKI
Cmdlet      Test-Certificate                          1.0.0.0 PKI
```

### Create a New Cert

We can use `New-SelfSignedCertificate`, whose syntax is:

```
New-SelfSignedCertificate [-SecurityDescriptor ] [-TextExtension ] [-Extension ]
    [-HardwareKeyUsage ] [-KeyUsageProperty ] [-KeyUsage ] [-KeyProtection ]
    [-KeyExportPolicy ] [-KeyLength ] [-KeyAlgorithm ] [-SmimeCapabilities]
    [-ExistingKey] [-KeyLocation ] [-SignerReader ] [-Reader ] [-SignerPin ] [-Pin ]
    [-KeyDescription ] [-KeyFriendlyName ] [-Container ] [-Provider ] [-CurveExport ]
    [-KeySpec ] [-Type ] [-FriendlyName ] [-NotAfter ] [-NotBefore ] [-SerialNumber ]
    [-Subject ] [-DnsName ] [-SuppressOid ] [-HashAlgorithm ]
    [-AlternateSignatureAlgorithm] [-TestRoot] [-Signer ] [-CloneCert ]
    [-CertStoreLocation ] [-WhatIf] [-Confirm] []
```

To make a new cert (one `-DnsName` list covers every host name the cert should answer for; `-HashAlgorithm` selects the signature hash):

```powershell
New-SelfSignedCertificate -DnsName "localhost", "www.fabrikam.com", "www.contoso.com" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -FriendlyName "Shared Dev localhost" `
    -KeyUsageProperty All `
    -NotAfter (Get-Date).AddMonths(84) `
    -KeyExportPolicy Exportable `
    -KeyFriendlyName "Localhost Key" `
    -HashAlgorithm SHA512
```

* `-CertStoreLocation "cert:\LocalMachine\My"` puts the cert in the Machine store (rather than CurrentUser).

### Create a Cert to File

Keep the returned certificate object so its thumbprint can be used for the export below. The cert is created in the same machine store the export reads from:

```powershell
$pfxPassword = ConvertTo-SecureString -String 'passw0rd!' -Force -AsPlainText
$cert = New-SelfSignedCertificate -DnsName "localhost" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -FriendlyName "DEV Shared Localhost" `
    -HashAlgorithm SHA512 `
    -NotAfter (Get-Date).AddMonths(120)
```

### Export the Cert

The above command installs the cert in the store given by `-CertStoreLocation`. To export it (with its private key) to the rest of the team:

```powershell
$path = 'cert:\LocalMachine\My\' + $cert.Thumbprint
$pfxPassword = ConvertTo-SecureString -String 'passw0rd!' -Force -AsPlainText
Export-PfxCertificate -Cert $path -FilePath '.\dev-localhost.pfx' -Password $pfxPassword
```

### Chrome

Chrome can be a real cow.

* If it is returning `NET::ERR_CERT_AUTHORITY_INVALID`, one option is to type the following into a new tab: `chrome://flags/#allow-insecure-localhost`

## Resources ##

* https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/new-selfsignedcertificate
* http://woshub.com/how-to-create-self-signed-certificate-with-powershell/
* https://stackoverflow.com/questions/43676993/how-do-i-change-my-iis-express-ssl-certificate-for-one-that-will-work-with-chrom
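The steps above (create, export, share, and the Chrome trust error) as one script, added here as an example and not taken from the original page. It goes a little beyond the page: it exports the public certificate separately from the PFX so that teammates who only need to *trust* `https://localhost` never receive the private key, installs that public cert into the machine's Trusted Root store (which is what removes `NET::ERR_CERT_AUTHORITY_INVALID` in Chrome and Edge on Windows, since both read the Windows store), checks the result with `Test-Certificate`, and provides a removal helper. Assumptions: an elevated Windows PowerShell session with the PKI module, the file names `dev-localhost.pfx` / `dev-localhost.cer`, a 12-month lifetime, SHA256, and a password read at the prompt; the function name `Remove-DevCert` is my own.

```powershell
# Added example, not part of the original page: the whole dev-certificate
# lifecycle (create, export, distribute, verify, remove) in one script.
# Assumptions: Windows PowerShell with the PKI module, an elevated session,
# placeholder file names, and a password prompted for rather than hard-coded.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$pfxPath = Join-Path (Get-Location) 'dev-localhost.pfx'   # cert + private key
$cerPath = Join-Path (Get-Location) 'dev-localhost.cer'   # public cert only
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Create the certificate in the machine store. Keep the lifetime short:
#    a leaked dev key is only useful to someone else until the cert expires.
$cert = New-SelfSignedCertificate `
    -DnsName 'localhost' `
    -Type SSLServerAuthentication `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'DEV Shared Localhost' `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddMonths(12)
Write-Host "Created $($cert.Subject) thumbprint $($cert.Thumbprint)"

# 2. Export twice. The PFX carries the private key and should go only to
#    machines that will *serve* https://localhost; the .cer carries just the
#    public certificate, which is all a machine needs to *trust* it.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# 3. On each team machine: trust the certificate. Chrome and Edge on Windows
#    read the Windows store, so this clears NET::ERR_CERT_AUTHORITY_INVALID
#    without the allow-insecure-localhost flag.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

#    Only on machines that host the site: import the private key as well.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword | Out-Null

# 4. Verify the chain the way a browser would: SSL policy plus host-name check.
#    Test-Certificate returns $false (with a warning) if the chain or name fails.
$ok = Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost'
if (-not $ok) { throw 'certificate does not validate for localhost' }

# 5. Removal helper (hypothetical name) for key rotation or when a machine
#    leaves the team: drop the cert from both the personal and the root store.
function Remove-DevCert {
    param([Parameter(Mandatory)][string]$Thumbprint)
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root') {
        Get-ChildItem $store | Where-Object Thumbprint -eq $Thumbprint | Remove-Item
    }
}
# Remove-DevCert -Thumbprint $cert.Thumbprint
```

Run it in an elevated PowerShell on the machine that generates the cert; steps 3 and 4 are the part to repeat on each teammate's machine, and most of them only need step 3. Installing the public cert into `LocalMachine\Root` is the supported alternative to the `allow-insecure-localhost` flag mentioned above: the flag tells Chrome to ignore the validation failure, whereas the root install makes the certificate actually validate.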