I need to create a self-signed computer certificate to use for authentication between my Windows Server 2012 Server and Windows Azure. The same process will work for other versions of windows and for communication with other applications. In my case, I am using it for Windows Azure Backup but the steps would be the same for other certificates where you want to have a computer authenticate via a self-signed certificate. With the script the process is super simple and it was written in such a way that you don’t need to make any changes to the script. In order to achieve this, I need to create the certificate, install it on the local computer and export it to a file so I can then upload it to Windows Azure. All of this can be done by simply copying and pasting the code into a PowerShell Window or PowerShell ISE window if you want to change the parameters by simply changing two variable and running it! The two variables are
1) Where do you want to store the exported file. ($certfilepath = “c:\”
2) What you want to call the certificate ($certfilename = “GuruCert_”)
Experience Microsoft’s latest products with these FREE downloads!
- Build Your Lab! Download Windows Server 2012, System Center 2012and Hyper-V Server 2012 and get the best virtualization platform and private cloud management solution on the market. Try it FREE now! Step-By-Step
- Don’t Have a Lab? Build Your Lab in the Cloud with Windows Azure Virtual Machines. Try Windows Azure for free with no cost or obligations, and use any OS, language, database or tool. FREE Trial Step-By-Step
PowerShell Source Follows: Downloadable .TXT version of script can be found at: http://ITProGuru.com/downloads/SelfSignedCertificate.txt
# SelfSignedCertificate.ps1 # Written By Dan Stolts http://ITProGuru.com/downloads/SelfSignedCertificate.txt # Purpose Create, Install and Export a self-signed certificate # In my case, I am using this for my Windows Server 2012 server to Authenticate with Windows Azure Backup # Source download Location... http://ITProGuru.com/downloads/SelfSignedCertificate.txt # $certfilepath = "c:\" #Where do you want to export the file to? Include trailing backslash $certfilename = "GuruCert_" #what name would you like for the cert (used for Certificate Name and Exported Filename) [no extension] $certfilename += hostname # Append the host name to the cert name $name = new-object -com "X509Enrollment.CX500DistinguishedName.1" $name.Encode("CN=" + $certfilename , 0) $key = new-object -com "X509Enrollment.CX509PrivateKey.1" $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" $key.KeySpec = 1 $key.Length = 2048 $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" $key.MachineContext = 1 $key.Create() $serverauthoid = new-object -com "X509Enrollment.CObjectId.1" $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.2") $ekuoids = new-object -com "X509Enrollment.CObjectIds.1" $ekuoids.add($serverauthoid) $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" $ekuext.InitializeEncode($ekuoids) $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1" $cert.InitializeFromPrivateKey(2, $key, "") $cert.Subject = $name $cert.Issuer = $cert.Subject $cert.NotBefore = get-date $cert.NotAfter = $cert.NotBefore.AddDays(900) $cert.X509Extensions.Add($ekuext) $cert.Encode() $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1" $enrollment.InitializeFromRequest($cert) $certdata = $enrollment.CreateRequest(0) $enrollment.InstallResponse(2, $certdata, 0, "") # Let user know the certificate is now installed Write "The following <$certfilename> certs are now installed..." dir -recurse cert:\localmachine\My | Where-Object { $_.Subject -eq ("CN=" + $certfilename)} | Format-Table subject, thumbprint, notbefore -AutoSize # Get the thumbprint from the last created certificate of the name we just created - so we can export it to a file $thumbprint=(dir cert:\localmachine\My -recurse | where {$_.Subject -match "CN=" + $certfilename} | Select-Object -Last 1).thumbprint Write "Exporting cert:\LocalMachine\My\$thumbprint to $certfilepath$certfilename.cer ... " dir cert:\localmachine\My -recurse | where {$_.thumbprint -match $thumbprint} # Display the certificate we will be exporting # Do the export $filelocation = $certfilepath ; $filelocation += $certfilename; $filelocation +=(".cer") # Concatinate the destination filename and path Export-certificate -FilePath $filelocation -Cert cert:\localmachine\My\$thumbprint Write "The certificate that was just installed/exported is: cert:\LocalMachine\My\$thumbprint $filelocation" # # Special Thanks to: # Vishal Agarwal for his work at http://blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces.aspx # Steve Wiseman for his work at http://www.networksteve.com/?p=7839 # Their work was leveraged for this script # Thanks for using scripts created by ITProGuru.com
OK… So it does not look that simple right… Well that is because it is doing plenty. However, all you have to do is paste into a PowerShell command window and watch the magic. If you do want to tweak it; like changing the name of the cert or the output location… You can ignore all the lines that start with a pound (#) they are just comments. Then it is the first two or three lines of the script that you have to change to put in your own values.
Step-By-Step
1) Run PowerShell from the machine you want to create certificate on: To run any application with elevated privileges (as Administrator) simply right-click on that program from the menu and select Run as Administrator. Step-By-Step: Start then type PowerShell then Right-Click on PowerShell icon and select Run as Administrator. This is also known as Administrative Permissions.
2) Highlight the text between the lines above; right-click select copy
3) Right-click the PowerShell window to paste and watch the magic…
4) Navigate to c:\ to see your new certificate which will be called “GuruCert_YourMachineName”
If you found this helpful, please Tweet:
Thanks @ITProGuru for #PowerShell How To Create A Self-Signed Computer Certificate using PowerShell Step-By-Step http://aka.ms/GuruCert
clipping de internet 