SelfSignedCertificate
1.0.0
Table of Contents:
This module is not officially supported. It has been created as a convenience module for the generation of self-signed certificates to simplify the testing of HTTPS functionality.
This module should not be used in any production scenarios; it is designed to create self-signed certificates for testing purposes only.
This module is designed to be a convenient, cross-platform way to generate self-signed certificates in both PowerShell Core and Windows PowerShell 5.1.
Since .NET Core already embeds its own cross-platform cryptography/certificate API, this module is a native PowerShell script module, with no binary dependencies.
Some goals for this module include:
X509HighlySpecificCryptoObject assigning and manipulationYou may want to take a look at a few other alternatives for self-signed certificate generation, listed here:
Windows PowerShell's New-SelfSignedCertificate cmdlet
from the PkiClient module.
It can be used from PowerShell Core on Windows using the WindowsCompatibility module like this:
Install-Module WindowsCompatibility
Import-WinModule PKI
New-SelfSignedCertificate # args as neededHowever, this module is only available on Windows — there is no Linux version.
The dotnet dotnet-dev-certs global tool,
designed for generating self-signed certificates for ASP.NET Core development.
This can be installed from the dotnet CLI.
openssl, which does work cross-platform,
but may not be favorable compared to a PowerShell-native option
and uses a PEM rather than PFX format.
To create a simple certificate the following will work:
> New-SelfSignedCertificate
Certificate written to C:UsersroholtDocumentsDevsandboxcertificate.pfx
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
A51B016324B5D2F11340CDCC52004B8129C88D3B CN=localhost
This will create a new certificate called certificate.pfx in your CWD
for localhost.
The command itself returns an X509Certificate2 object
describing the certificate written to disk.
You can inspect this object to find its properties.
This certificate will have no key usages, no basic constraints,
no enhanced key usages and a Subject Idenitifer Key extension.
Note: To repeat this command, you will need the -Force parameter
in order to overwrite the old certificate you generated before.
The New-SelfSignedCertificate command allows the specification of
full distinguished names as well as a few other options:
> $password = ConvertTo-SecureString -Force -AsPlainText 'your password'
> $distinguishedName = @{
CommonName = 'example.org'
Country = 'US'
StateOrProvince = 'Nebraska'
Locality = 'Omaha'
Organization = 'Umbrella Corporation'
OrganizationalUnit = 'Sales'
EmailAddress = '[email protected]'
}
> $certificateParameters = $distinguishedName + @{
OutCertPath = 'C:UsersyouDocumentscert.pfx'
StartDate = [System.DateTimeOffset]::Now
Duration = [timespan]::FromDays(365)
Passphrase = $password
CertificateFormat = 'Pfx' # Values from [System.Security.Cryptography.X509Certificates.X509ContentType]
KeyLength = 4096
ForCertificateAuthority = $true
KeyUsage = 'DigitalSignature','KeyEncipherment' # Values from [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
EnhancedKeyUsage = 'ServerAuthentication','ClientAuthentication'
}
> New-SelfSignedCertificate @certificateParameters -Force
WARNING: Parameter 'EmailAddress' is obsolete. The email name component is deprecated by the PKIX standard
Certificate written to C:UsersroholtDocumentsDevsandboxhere.pfx
Thumbprint Subject EnhancedKeyUsageList
---------- ------- --------------------
7445433CB2BB4948E12794A167C6725DC214AA84 CN=example.org, O... {Server Authentication, Client Authentication}The certificate produced by the above command will have the following properties:
The issuer and subject distinguished name set to:
CN=example.org, OU=Sales, O=Umbrella Corporation, L=Omaha, S=Nebraska, C=US, [email protected]
Password protection (in this case with the password 'Your password').
A one-year validity period starting from the creation time (with the milliseconds truncated).
A 4096-bit RSA key.
A basic constraints extension with CertificateAuthority set to true.
The Digital Signature and Key Encipherment basic key usages indicated.
The Server Authentication and Client Authentication enhanced key usages indicated.
The command also offers the -AdditionalExtension parameter,
which takes an array of System.Security.Cryptography.X509Certificates.X509Extension
to add to any generate certificate.
The module does not yet support PEM files, which are heavily used in the Linux world. While not a certificate format per-se, they are a common encoding of certificates and we should endeavour to support them in some way.
Presently, the author is not aware of PEM support native to PowerShell Core or .NET Core.
The certificate extensions generated by this module
currently all set the Critical field to false to allow greater flexibility.
However it might be desirable to configure
any or all of these to be designated as Critical.
Ideally this could be done without cluttering up the commands already
large number of parameters.
Currently on the ServerAuthentication and ClientAuthentication enhanced
key usages are supported (in constraining way, for ease of use).
Ideally more options for this could be made available.
The module could provide a set of classes that generate X509Extensions
describing commonly used certificate extensions.
This module is MIT licensed. See the LICENSE.txt.
