Windows Server 2016: Generate Self-Signed Certificate

// -------------------------------

// To create self-signed certificate under Windows Powershell

// ************
// To create a certificate for the DNS name test.contoso.com and place it in
// the list of personal certificates on a computer, run the following command:
// Note: the command is entered on a single line

6) Command Prompt > PowerShell


New-SelfSignedCertificate -DnsName test.contoso.com -CertStoreLocation cert:\LocalMachine\My

// This command creates a certificate and imports it into the personal store of the
// computer. Open the certlm.msc snap-in and make sure that the new certificate
// has appeared in the Personal section of the certificate store.

// By default, a self-signed certificate is generated with the following settings:
//
// Cryptographic algorithm: RSA;
// Key length: 2048 bit;
// Acceptable key usage: Client Authentication and Server Authentication;
// The certificate can be used for: Digital Signature, Key Encipherment;
// Validity period: 1 year.
//
// As you can see, the certificate properties indicate that this certificate is
// valid not only for Client Authentication but also for Server Authentication.

// ************

To issue a certificate for 3 years, run the following commands:

// Note: each command is entered on a single line

7) Command Prompt > PowerShell

$todaydt = Get-Date
$3years = $todaydt.AddYears(3)
New-SelfSignedCertificate -DnsName test.contoso.com -NotAfter $3years -CertStoreLocation cert:\LocalMachine\My
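
// The following is an added example, not a command from the original page. It issues
// the 3-year certificate described above with every default made explicit, restricts the
// Enhanced Key Usage to Server Authentication only (the default also grants Client
// Authentication, as noted above), marks the key non-exportable, and reads the issued
// certificate back to confirm the settings. The host name, friendly name and the
// "2.5.29.37" EKU text extension are the only inputs; the host name is a sample value.

```powershell
# Added example (not from the original page): create a self-signed server
# certificate with explicit settings and verify what was actually issued.
# The host name and friendly name are constructed sample values.

$dnsName  = 'test.contoso.com'          # constructed sample host name
$notAfter = (Get-Date).AddYears(3)      # the page's 3-year validity, computed inline

$cert = New-SelfSignedCertificate `
    -DnsName           $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName      'test.contoso.com (self-signed, server auth only)' `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -HashAlgorithm     SHA256 `
    -NotAfter          $notAfter `
    -KeyUsage          DigitalSignature, KeyEncipherment `
    -KeyExportPolicy   NonExportable `
    -TextExtension     @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')   # EKU: Server Authentication only

# Read the certificate back from the store instead of trusting the defaults.
$issued = Get-ChildItem -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"

# Client Authentication has OID 1.3.6.1.5.5.7.3.2; it must be absent now.
if ($issued.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') {
    Write-Warning 'Certificate still carries the Client Authentication EKU'
}

[pscustomobject]@{
    Thumbprint    = $issued.Thumbprint
    Subject       = $issued.Subject                          # expected: CN=test.contoso.com
    NotAfter      = $issued.NotAfter
    KeySize       = $issued.PublicKey.Key.KeySize            # expected: 2048
    Signature     = $issued.SignatureAlgorithm.FriendlyName  # expected: sha256RSA
    EKU           = ($issued.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', '
    HasPrivateKey = $issued.HasPrivateKey                    # True: key lives in the machine store
}
```

// Caveat: a key created with -KeyExportPolicy NonExportable cannot later be exported to a
// PFX file with Export-PfxCertificate; keep the default (exportable) policy for a certificate
// that has to be moved to another host, and protect the resulting PFX instead.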

// ************

// In order to export the generated certificate with its private key to a password
// protected PFX file, you will need its thumbprint. It can be copied from the
// output of the New-SelfSignedCertificate command:

// Note: each command is entered on a single line

7) Command Prompt > PowerShell

$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\test.pfx -Password $CertPassword

// ************

// The certificate public key can be exported as follows:

// Note: the command is entered on a single line

7) Command Prompt > PowerShell

Export-Certificate -Cert Cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath C:\tstcert.cer

// This public key, or the certificate file itself, can be installed on a web server or
// on domain clients using GPO
// (How to install a certificate on domain PCs using GPO).
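
// The following is an added example, not a command from the original page. It performs both
// export steps above (private key to a password-protected PFX, public certificate to a .cer
// file) for a certificate located by subject, so the thumbprint never has to be pasted by
// hand, prompts for the PFX password rather than embedding it in the script, restricts the
// PFX file's ACL, and confirms that both files round-trip to the certificate in the store.
// The output paths and host name are constructed values; the certificate must have an
// exportable key (the New-SelfSignedCertificate default).

```powershell
# Added example (not from the original page): export the private key to a
# password-protected PFX and the public certificate to a .cer file, then
# verify both files. Paths and host name are constructed sample values.

$dnsName = 'test.contoso.com'           # constructed sample host name
$pfxPath = 'C:\certs\test.pfx'          # constructed output path
$cerPath = 'C:\certs\test.cer'          # constructed output path

New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null

# Pick the most recently issued certificate for this subject that has a
# private key, so the thumbprint does not have to be typed by hand.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$dnsName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key found for $dnsName" }

# Prompt for the PFX password so it never sits in a script or in shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# The PFX holds the private key: drop inherited ACEs and allow only
# Administrators and SYSTEM (built-in account names, English system assumed).
icacls $pfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

# Verify both files round-trip to the same certificate as the store copy.
$fromPfx = (Get-PfxData -FilePath $pfxPath -Password $pfxPassword).EndEntityCertificates[0]
$fromCer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

[pscustomobject]@{
    StoreThumbprint = $cert.Thumbprint
    PfxMatches      = ($fromPfx.Thumbprint -eq $cert.Thumbprint)   # expected: True
    CerMatches      = ($fromCer.Thumbprint -eq $cert.Thumbprint)   # expected: True
    CerHasKey       = $fromCer.HasPrivateKey                       # always False: .cer has no key
}
```

// Only the .cer file is suitable for distribution to clients or a GPO; the .pfx contains the
// private key and should stay on the host that needs it, or be deleted once imported elsewhere.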

// One of the useful features of the New-SelfSignedCertificate cmdlet is the
// ability to create a certificate with several different names, i.e. with
// Subject Alternative Names (SAN).

// Note: When creating a certificate with several names, the first name in
// DnsName parameter will be used as CN (Common Name) of a certificate.

// For example, let's create a self-signed SAN certificate with the following
// names:

/*
  • Subject Name (CN): adfs1.contoso.com
  • Subject Alternative Name (DNS): web_gw.contoso.com
  • Subject Alternative Name (DNS): enterprise_reg.contoso.com
*/

// The command will look like this:

New-SelfSignedCertificate -DnsName adfs1.contoso.com,web_gw.contoso.com,enterprise_reg.contoso.com -CertStoreLocation cert:\LocalMachine\My
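
// The following is an added example, not a command from the original page. It issues the
// SAN certificate shown above and then reads the Subject Alternative Name extension
// (OID 2.5.29.17) back out of the certificate to confirm that all three names are present
// and that the first name became the Common Name, as the note above states. It assumes the
// English "DNS Name=" wording that Windows uses when formatting the extension.

```powershell
# Added example (not from the original page): issue the SAN certificate from
# the text and verify the SAN extension contents. Host names are the page's
# sample names; the "DNS Name=" label is the English Windows formatting.

$names = @('adfs1.contoso.com', 'web_gw.contoso.com', 'enterprise_reg.contoso.com')

$cert = New-SelfSignedCertificate -DnsName $names -CertStoreLocation 'Cert:\LocalMachine\My'

# The SAN extension has OID 2.5.29.17; Format($true) renders one entry per line.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Certificate has no Subject Alternative Name extension' }
$sanText = $sanExt.Format($true)

# Pull the DNS entries out of the formatted text, e.g. "DNS Name=adfs1.contoso.com".
$sanDns  = [regex]::Matches($sanText, 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }

$missing = $names | Where-Object { $sanDns -notcontains $_ }

[pscustomobject]@{
    Subject    = $cert.Subject                      # expected: CN=adfs1.contoso.com
    SanEntries = $sanDns -join ', '                 # expected: all three names
    AllPresent = (@($missing).Count -eq 0)          # expected: True
    Missing    = $missing -join ', '
}
```

// Caveat: underscores (as in web_gw and enterprise_reg) are not valid in DNS host names under
// RFC 1123, and some TLS clients reject certificates whose SAN entries contain them; the cmdlet
// does not check this, so prefer hyphenated names for certificates that browsers will validate.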

// Add certificates to MMC

A) [Server Manager] > run command > mmc (i.e. Microsoft Management Console) >  Console > File > Add/Remove Snap-in > Certificates > Add > select (x) Computer Account > under Certificates/Personal/Certificates, the new certificate should appear.

