Create a Self-Signed Certificate Using PowerShell


In today’s Ask the Admin, I’ll show you how to quickly create a self-signed certificate.

Self-signed certificates are not recommended for use in production environments, but come in handy for test scenarios where a certificate is a requirement but you don’t have the time or resources to either buy a certificate or deploy your own Public Key Infrastructure (PKI).

Create a self-signed certificate using PowerShell (Image Credit: Russell Smith)
Create a self-signed certificate using PowerShell (Image Credit: Russell Smith)

But generating self-signed certificates in Windows has traditionally been a bit of a pain, at least if you didn’t have Visual Studio or IIS on hand, as both these products include the ability to generate self-signed certificates. The makecert command line tool was otherwise the “go to” tool, but was only available as part of the Windows SDK, which is a hefty product to download and install just for the sake of using makecert.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

Starting in PowerShell version 4.0, Microsoft introduced the New-SelfSignedCertificate cmdlet, making it much easier to create self-signed certificates. To get started, you’ll need a Windows device running PowerShell 4.0 or higher.

  • Open a PowerShell prompt. In Windows 10, type powershell in the search dialog on the taskbar, right-click Windows PowerShell in the list of app results, select Run as administrator from the menu and then enter an administrator username and password. The New-SelfSignedCertificate can only install certificates to the My certificate store, and that requires local administrator rights on the device.
  • If you’re running a different version of Windows, check the PowerShell version by running the code shown below.


If you need to update PowerShell to version 5, you can download the Windows Management Framework for Windows 7 and Windows 8.1 here.

  • Now run the New-SelfSignedCertificate cmdlet as shown below to add a certificate to the local store on your PC, replacing with the fully qualified domain name (FQDN) that you’d like to use.

$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname

The next step is to export a self-signed certificate. But first we’ll need to create a password as shown below:
$pwd = ConvertTo-SecureString -String ‘passw0rd!’ -Force -AsPlainText

Now we can export a self-signed certificate using the Export-PfxCertificate cmdlet. We’ll use the password ($pwd) created above, and create an additional string ($path), which specifies the path to the certificate created with New-SelfSignedCertificate cmdlet.
$path = 'cert:\localMachine\my\' + $cert.thumbprint Export-PfxCertificate -cert $path -FilePath c:\temp\cert.pfx -Password $pwd

Note that the c:\temp directory, or whatever directory you specify in the -FilePath parameter, must already exist. You can now import the cert.pfx file to install the certificate.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
13 Email Threat Types to Know About Right Now

As email threats evolve and multiply, keeping track of them all—and staying protected against the many different types—becomes a complex challenge. Today, that requires more than just the traditional email gateway solution that used to be good enough.

In this eBook you will learn:

  • What are the most common and challenging email attacks for organizations?
  • How to defend against sophisticated email threats, such as spoofing, social engineering, and fraud
  • How to protect employees at the inbox level with the right technologies and security-awareness training
  • How to use a multilayered protection strategy to reduce susceptibility to email attacks and better defend your business and employees

Sponsored by: