HowTo: Create Self-Signed Certificates with PowerShell
This post covers how to create self-signed certificates using the New-SelfSignedCertificate PowerShell cmdlet. Specifically, it walks through creating your own root certificate authority, exporting public and PFX certificates, and signing new certificates with that root CA.
Deprecation note: The old `makecert.exe` tool (part of the Windows SDK) is deprecated. `New-SelfSignedCertificate` is the supported replacement and has been available since Windows 8.1 / Windows Server 2012 R2.
:::note[Key Takeaways]
- `New-SelfSignedCertificate` replaces the deprecated `makecert.exe` for all self-signed certificate scenarios.
- Note the certificate thumbprint after creation; it is used to reference the certificate in all subsequent commands.
- Export the PFX (private key + cert) with a strong password; export the CRT (public key only) without one.
- Certificates signed by your root CA must reference it via the `-Signer` parameter at creation time.
- If you encounter CNG private key errors when using generated certificates with IdentityServer or similar, see Solved: IdentityServer v3 CngKey private key errors.
:::
How Do You Create a Root Certificate?
Here is what we are going to do:
- Create the root certificate.
- Define a password string.
- Export the certificate in PFX format, secured with that password.
- Export the public certificate as a `.cer`/`.crt` file.
In an elevated PowerShell console (writing to the `LocalMachine` store requires administrator rights), run the following (replace the DNS name with something relevant to you):

```powershell
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Lab Root Certificate Authority"
```

This will produce output similar to:

```
Microsoft.PowerShell.Security\Certificate::LocalMachine\my

Thumbprint                                Subject
----------                                -------
F81AFDC2A23B8629580374E64871941476E43F02  CN=Lab Root Certificate Authority
```

Take note of the thumbprint; you will need it in the commands that follow.
Now set up a secure password string. The example below embeds the password in the command line for clarity; in practice prefer `Read-Host -AsSecureString` so the password does not end up in your console history or transcript:

```powershell
$pwd = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
```

Export the root certificate as a PFX file (private key included):
```powershell
Export-PfxCertificate -cert cert:\localMachine\my\F81AFDC2A23B8629580374E64871941476E43F02 `
    -FilePath root-authority.pfx -Password $pwd
```

Export the public key of the root certificate as a CRT file. This is what you install into "Trusted Root Certification Authorities" on client machines. No password is required for the public certificate:

```powershell
Export-Certificate -Cert cert:\localMachine\my\F81AFDC2A23B8629580374E64871941476E43F02 `
    -FilePath root-authority.crt
```

How Do You Create a Certificate Signed by Your Root CA?
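The steps above as one script, added here as an example and not taken from the original post. It goes a little beyond the post: the root gets an explicit Basic Constraints `CA=true` extension and `CertSign`/`CRLSign` key usage (so chain builders on other systems accept it as an issuer), the thumbprint is captured in a variable instead of being copied from the console, and the PFX password is prompted for rather than typed into the script. The CA name and file paths are assumptions; the `-KeyUsage` and `-TextExtension` parameters need the Windows 10 / Windows Server 2016 (or later) version of the PKI module, and the session must be elevated because it writes to the `LocalMachine` store.

```powershell
# Added example (not from the original post). Creates a lab root CA, keeps its
# thumbprint in a variable, exports PFX + CRT, and sanity-checks the CA extensions.
# Assumes an elevated session and the Windows 10 / Server 2016+ PKI module.

$caName = "Lab Root Certificate Authority"   # assumed name; change to suit

# Basic Constraints (2.5.29.19) marked critical with ca=true; pathlength=0 means this
# root may only issue end-entity certificates, which is all this how-to needs.
$root = New-SelfSignedCertificate `
    -Subject "CN=$caName" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0")

Write-Host "Root thumbprint: $($root.Thumbprint)"

# Prompt for the PFX password so it never lands in the script or console history.
$pfxPassword = Read-Host -Prompt "PFX password for '$caName'" -AsSecureString

# Private key + certificate: keep this file offline and access-controlled.
Export-PfxCertificate -Cert $root -FilePath ".\root-authority.pfx" -Password $pfxPassword | Out-Null

# Public certificate only: this is what clients import into Trusted Root CAs.
Export-Certificate -Cert $root -FilePath ".\root-authority.crt" | Out-Null

# Sanity checks: self-signed, CA flag set, key usage includes CertSign.
$basicConstraints = $root.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.19" }
$keyUsage         = $root.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.15" }

[pscustomobject]@{
    Thumbprint  = $root.Thumbprint
    SelfSigned  = ($root.Subject -eq $root.Issuer)
    IsCA        = $basicConstraints.CertificateAuthority
    KeyUsages   = $keyUsage.KeyUsages.ToString()
    NotAfter    = $root.NotAfter
}
```

Expect `SelfSigned` and `IsCA` to be `True` and `KeyUsages` to list `CertSign` and `CrlSign`. Note that the page's one-liner, which uses only `-DnsName`, produces a certificate without these CA extensions; Windows will still let it act as a `-Signer`, but non-Windows validators and stricter TLS stacks may reject chains that end at a root lacking `CA=true`.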
Here is what we are going to do:
- Load the root authority certificate into a variable.
- Create a new certificate and have the root CA sign it.
- Define a password string.
- Export the new certificate as a PFX file.
- Export the new certificate's public key as a CRT file.
Load the Root Authority Certificate
Use the thumbprint from the step above:

```powershell
$rootcert = ( Get-ChildItem -Path cert:\LocalMachine\My\F81AFDC2A23B8629580374E64871941476E43F02 )
```

How Do You Sign a New Certificate with the Root CA?

Pass the root certificate via the `-Signer` parameter. The root must be in a certificate store with its private key accessible to the current session, and `-Signer` is only present in the Windows 10 / Windows Server 2016 (and later) version of the PKI module; the Windows 8.1 / Server 2012 R2 cmdlet does not support it:

```powershell
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Gateway Certificate" -Signer $rootcert
```

The DNS name does not need to be resolvable; it can be a friendly label, or a real hostname such as www.example.com. Record the thumbprint displayed in the output.
Define a Password and Export
```powershell
$pwd2 = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
```

Export the signed certificate as a PFX file:

```powershell
Export-PfxCertificate -cert cert:\localMachine\my\A01F36FC2A7EB9CD506BD37E201935D6EB58A592 `
    -FilePath gateway-certificate.pfx -Password $pwd2
```

Export the public key:

```powershell
Export-Certificate -Cert cert:\localMachine\my\A01F36FC2A7EB9CD506BD37E201935D6EB58A592 `
    -FilePath gateway.crt
```

Extra: How Do You Create Certificates with Subject Alternative Names (SANs)?
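The signing procedure as one script, added here as an example and not taken from the original post. It extends the post's command in the ways a practitioner usually wants: the leaf gets several DNS names (including a wildcard) in its Subject Alternative Name extension, an Extended Key Usage restricted to server authentication, a lifetime shorter than the root's, and after export the script builds the chain to confirm the new certificate really terminates at the lab root. The root thumbprint, host names and file paths are assumptions; the session must be elevated and the root's private key must be present in the store.

```powershell
# Added example (not from the original post). Issues a server certificate signed by the
# lab root, exports it, and verifies that the chain ends at that root.
# Assumes an elevated session and the Windows 10 / Server 2016+ PKI module.

$rootThumbprint = "F81AFDC2A23B8629580374E64871941476E43F02"   # assumed: from the root step
$root = Get-Item "Cert:\LocalMachine\My\$rootThumbprint"
if (-not $root.HasPrivateKey) { throw "Root private key is not available; cannot sign." }

# Assumed host names. The first becomes the CN; all of them go into the SAN extension,
# which is what browsers and TLS clients actually match against.
$hostNames = @("gateway.example.com", "www.example.com", "*.apps.example.com")

# EKU 2.5.29.37 limited to serverAuth (1.3.6.1.5.5.7.3.1). Leaf lifetime is kept well
# inside the root's NotAfter; a leaf that outlives its issuer fails chain validation.
$leaf = New-SelfSignedCertificate `
    -Subject "CN=$($hostNames[0])" `
    -DnsName $hostNames `
    -Signer $root `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddDays(398) `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")

Write-Host "Leaf thumbprint: $($leaf.Thumbprint)"

$pfxPassword = Read-Host -Prompt "PFX password for '$($hostNames[0])'" -AsSecureString
Export-PfxCertificate -Cert $leaf -FilePath ".\gateway-certificate.pfx" -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $leaf -FilePath ".\gateway.crt" | Out-Null

# Chain check. AllowUnknownCertificateAuthority lets Build() succeed before the root is
# installed as trusted; we then confirm the chain's last element is *our* root and that
# UntrustedRoot is the only status reported.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode    = "NoCheck"
$chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
$built  = $chain.Build($leaf)
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","

[pscustomobject]@{
    Built        = $built
    EndsAtRoot   = ($anchor.Thumbprint -eq $root.Thumbprint)
    ChainStatus  = $status
    Issuer       = $leaf.Issuer
    SANs         = ($leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }).Format($false)
}
```

`Built` and `EndsAtRoot` should both be `True`, with `ChainStatus` reading `UntrustedRoot` until the root's CRT has been imported on the validating machine, for example with `Import-Certificate -FilePath .\root-authority.crt -CertStoreLocation Cert:\LocalMachine\Root`, after which the status is empty. If `EndsAtRoot` is `False`, the chain engine found a different issuer for the leaf, which usually means the wrong thumbprint was passed as `-Signer`.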
Pass multiple DNS names as a comma-separated list to `-DnsName`:

```powershell
New-SelfSignedCertificate -DnsName "domain.example.com","anothersubdomain.example.com" `
    -CertStoreLocation cert:\LocalMachine\My
```

Extra: How Do You Create a Wildcard Certificate?

```powershell
New-SelfSignedCertificate -dnsname "*.example.com" -certstorelocation cert:\localmachine\my
```

No `makecert.exe`, no MMC snap-in. If you run into issues using these certificates with IdentityServer or .NET applications, particularly around CNG private key accessibility, the CngKey private key error post covers the most common causes and fixes.
Solution Architect with 30 years in cloud infrastructure, security, identity, and .NET engineering.