
How To Create A Self-Signed Computer Certificate using PowerShell Step-By-Step; Much Easier Than MakeCert.exe



I need to create a self-signed computer certificate to use for authentication between my Windows Server 2012 server and Windows Azure.  The same process will work for other versions of Windows and for communication with other applications.  In my case, I am using it for Windows Azure Backup, but the steps would be the same for other certificates where you want to have a computer authenticate via a self-signed certificate.  With the script the process is super simple, and it was written in such a way that you don't need to make any changes to the script.  In order to achieve this, I need to create the certificate, install it on the local computer and export it to a file so I can then upload it to Windows Azure.  All of this can be done by simply copying and pasting the code into a PowerShell window, or into a PowerShell ISE window if you want to change the parameters, which only means changing two variables and running it!  The two variables are:

1)  Where you want to store the exported file ($certfilepath = "c:\")

2)  What you want to call the certificate ($certfilename = "GuruCert_")


PowerShell Source Follows:  Downloadable .TXT version of script can be found at:

# SelfSignedCertificate.ps1 
# Written By Dan Stolts 
# Purpose Create, Install and Export a self-signed certificate 
#   In my case, I am using this for my Windows Server 2012 server to Authenticate with Windows Azure Backup
# Source download Location... 
$certfilepath = "c:\"     #Where do you want to export the file to?  Include trailing backslash
$certfilename = "GuruCert_"  #what name would you like for the cert (used for Certificate Name and Exported Filename) [no extension]
$certfilename += hostname    # Append the host name to the cert name

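# Subject name: CN=<cert name>
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=" + $certfilename , 0)

# 2048-bit RSA key pair stored in the machine context
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 2048
# Private key ACL (SDDL): entries for SYSTEM (SY), Administrators (BA) and Network Service (NS)
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()    # Generate the key pair

# Enhanced Key Usage extension: Server Authentication (OID 1.3.6.1.5.5.7.3.1)
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.Add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

# Self-signed certificate: issuer equals subject, valid for 900 days
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(900)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

# Enroll: create the request and install the result into LocalMachine\My
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")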

# Let user know the certificate is now installed
Write "The following <$certfilename> certs are now installed..."
dir -recurse cert:\localmachine\My | Where-Object { $_.Subject -eq ("CN=" + $certfilename)} | Format-Table subject, thumbprint, notbefore -AutoSize

# Get the thumbprint of the most recently created certificate with the name we just used - so we can export it to a file
$thumbprint=(dir cert:\localmachine\My -recurse | where {$_.Subject -eq ("CN=" + $certfilename)} | Sort-Object NotBefore | Select-Object -Last 1).thumbprint
Write  "Exporting cert:\LocalMachine\My\$thumbprint to $certfilepath$certfilename.cer ... "
dir cert:\localmachine\My -recurse | where {$_.thumbprint -eq $thumbprint} # Display the certificate we will be exporting

# Do the export (Export-Certificate writes the certificate only, not the private key)
$filelocation = $certfilepath + $certfilename + ".cer" # Concatenate the destination path and filename

Export-Certificate -FilePath $filelocation -Cert cert:\localmachine\My\$thumbprint
Write "The certificate that was just installed/exported is: cert:\LocalMachine\My\$thumbprint $filelocation"

# Special Thanks to: 
#     Vishal Agarwal for his work at 
#     Steve Wiseman for his work at 
#  Their work was leveraged for this script
# Thanks for using scripts created by

OK… So it does not look that simple, right? Well, that is because it is doing plenty. However, all you have to do is paste it into a PowerShell command window and watch the magic. If you do want to tweak it, like changing the name of the cert or the output location, you can ignore all the lines that start with a pound sign (#); they are just comments.  Then it is the first two or three lines of the script that you have to change to put in your own values.


1) Run PowerShell from the machine you want to create certificate on: To run any application with elevated privileges (as Administrator) simply right-click on that program from the menu and select Run as Administrator.  Step-By-Step: Start then type PowerShell then Right-Click on PowerShell icon and select Run as Administrator.  This is also known as Administrative Permissions.

2) Highlight the text between the lines above; right-click and select Copy

3) Right-click the PowerShell window to paste and watch the magic…

4) Navigate to c:\ to see your new certificate, which will be called "GuruCert_YourMachineName"
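
Before uploading the exported file, it is worth confirming that it is the certificate you think it is. The check below is an added example, not part of the original script; it assumes the article's default path and name prefix, and that the certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that the script's $serverauthoid variable refers to.

```powershell
# Added example (not from the original script): sanity-check the certificate
# before uploading the .cer. Path and name prefix are the article's defaults.
$certfilepath = "c:\"
$certfilename = "GuruCert_" + (hostname)
$cerPath = Join-Path $certfilepath ($certfilename + ".cer")

# The exported file, and the newest matching certificate in the machine store
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$installed = Get-ChildItem cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq ("CN=" + $certfilename) } |
    Sort-Object NotBefore | Select-Object -Last 1
if (-not $installed) { throw "No certificate with subject CN=$certfilename in LocalMachine\My" }

# EKU OIDs carried by the exported certificate (empty if there is no EKU extension)
$ekuOids = @()
$eku = $exported.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

$now = Get-Date
$daysLeft = [math]::Floor(($exported.NotAfter - $now).TotalDays)

# Each entry is a property the uploaded certificate should have
$checks = [ordered]@{
    "Exported file has no private key"    = (-not $exported.HasPrivateKey)
    "Store copy has a private key"        = ($installed.HasPrivateKey)
    "Thumbprints match"                   = ($exported.Thumbprint -eq $installed.Thumbprint)
    "Self-signed (issuer equals subject)" = ($exported.Issuer -eq $exported.Subject)
    "RSA key is at least 2048 bits"       = ($exported.PublicKey.Key.KeySize -ge 2048)
    "Within validity period"              = (($now -ge $exported.NotBefore) -and ($now -le $exported.NotAfter))
    "EKU includes Server Authentication"  = ($ekuOids -contains "1.3.6.1.5.5.7.3.1")
}

$checks.GetEnumerator() | ForEach-Object {
    $status = if ($_.Value) { "OK" } else { "FAIL" }
    "{0,-38} {1}" -f $_.Key, $status
}
"Thumbprint: {0}" -f $exported.Thumbprint
"Expires:    {0:u} ({1} days left)" -f $exported.NotAfter, $daysLeft
```

The 900-day lifetime set by the script means the certificate has to be recreated and uploaded again before the reported expiry date.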

