I want to test SSL connections in a development environment with IIS. For this I need to create a self-signed root certificate that gets installed in the machine store, and also another certificate that gets signed with the root certificate to install in IIS.
Doing it with makecert is deprecated now, so I am wondering how to do it with PowerShell and the New-SelfSignedCertificate command.
Bonus points if you get the key usage settings right :-)
Note: using the self-signed certificates directly in IIS does not work, since the browser and WCF consider them invalid.
For reference, here is how to do it with makecert:
# create the self signed root certificate
makecert -n "CN=root.lan" -r -sv root.pvk root.cer
# create the certificate for IIS that gets signed with the root certificate
makecert -sk "Local Certificate" -iv root.pvk -n "CN=localhost" -ic root.cer -sr localmachine -ss my -sky exchange -pe
# convert to other formats
cert2spc localhost.cer localhost.spc
pvk2pfx -pvk localhost.pvk -spc localhost.spc -pfx localhost.pfx
The new version of New-SelfSignedCertificate, which is included on Windows 10, is described here. One can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples to get some additional information. The documentation and the examples could still seem not clear enough for creating two certificates:
The implementation could be the following (I wrote the options below on multiple lines only to make the text more readable):
The output will look like:
The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for using the certificate for signing. If you forget the value you can find it by CN name or by using certutil.exe -user -store My to display the certificates in the My store of the current user. To create an SSL certificate and to sign it with respect to the previously created certificate one can do, for example, the following:
It seems to me that the final certificate will have all the properties required. It's clear that the values of many of the above parameters are examples only, and you have to modify them based on your requirements. I don't describe here some other common steps like importing the root certificate into Trusted Root, exporting the certificates and so on. Those steps are not part of your main question.
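An added example (not the answer's own code) that puts the two-certificate procedure together with New-SelfSignedCertificate, including the key usage and basic-constraints settings the question asks about. The subject names follow the makecert commands in the question; the output directory C:\certs, the friendly names and the PFX password prompt are assumptions.

```powershell
# Added example: self-signed root CA plus an IIS server certificate chained to it.
# Assumed: CN=root.lan / CN=localhost as in the question, output directory C:\certs.
$ErrorActionPreference = 'Stop'
$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA: basic constraints CA=true (critical), key usage limited to CertSign/CRLSign,
#    so the root key can only sign certificates and CRLs, never a TLS handshake.
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=root.lan' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm sha256 `
    -KeyUsage CertSign, CRLSign `
    -KeyUsageProperty Sign `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -FriendlyName 'Dev root CA'

# 2. Server certificate signed by the root: DigitalSignature + KeyEncipherment for TLS,
#    serverAuth EKU (1.3.6.1.5.5.7.3.1), CA=false, and a DNS SAN because browsers
#    ignore the CN and require a Subject Alternative Name.
$server = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=localhost' `
    -DnsName 'localhost' `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={text}ca=0', '2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -FriendlyName 'Dev localhost'

# 3. Export: the root's public part (DER) for the trust store, the server cert with
#    its private key as PFX for IIS. Only the PFX carries a private key.
Export-Certificate -Cert $root -FilePath "$outDir\root.cer" | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $server -FilePath "$outDir\localhost.pfx" -Password $pfxPassword | Out-Null

# 4. Trust the root machine-wide and import the server cert for IIS (needs an elevated shell).
Import-Certificate -FilePath "$outDir\root.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-PfxCertificate -FilePath "$outDir\localhost.pfx" -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword | Out-Null

# 5. Check that the server certificate now chains to a trusted root.
"Root thumbprint  : $($root.Thumbprint)"
"Server thumbprint: $($server.Thumbprint)  chain valid: $($server.Verify())"
```

The server thumbprint printed at the end is the one to bind to the site's HTTPS binding in IIS Manager; the root's private key stays in the current user's store and is never installed on the machine.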