Channel: Public Key Infrastructure PowerShell module

Updated Wiki: New-SelfSignedCertificateEx

Name

New-SelfSignedCertificateEx

SYNOPSIS

This cmdlet generates a self-signed certificate.

SYNTAX

New-SelfSignedCertificateEx [-Subject] <String> [[-NotBefore] <DateTime>] [[-NotAfter] <DateTime>] [-SerialNumber <String>] [-ProviderName <String>] [-AlgorithmName <String>] [-KeyLength <Int32>] [-KeySpec <String> {Exchange | Signature}] [-EnhancedKeyUsage <Oid[]>] [-KeyUsage <X509KeyUsageFlags>] [-SubjectAlternativeName <String[]>] [-IsCA <Boolean>] [-PathLength <Int32>] [-CustomExtension <X509ExtensionCollection>] [-SignatureAlgorithm <String> {MD5 | SHA1 | SHA256 | SHA384 | SHA512}] [-FriendlyName <String>] [-StoreLocation <StoreLocation>] [-StoreName <StoreName>] [-AllowSMIME] [-Exportable] [<CommonParameters>]

New-SelfSignedCertificateEx [-Subject] <String> [[-NotBefore] <DateTime>] [[-NotAfter] <DateTime>] [-SerialNumber <String>] [-ProviderName <String>] [-AlgorithmName <String>] [-KeyLength <Int32>] [-KeySpec <String> {Exchange | Signature}] [-EnhancedKeyUsage <Oid[]>] [-KeyUsage <X509KeyUsageFlags>] [-SubjectAlternativeName <String[]>] [-IsCA <Boolean>] [-PathLength <Int32>] [-CustomExtension <X509ExtensionCollection>] [-SignatureAlgorithm <String> {MD5 | SHA1 | SHA256 | SHA384 | SHA512}] [-FriendlyName <String>] -Path <FileInfo> -Password <SecureString> [-AllowSMIME] [-Exportable] [<CommonParameters>]

DESCRIPTION

This cmdlet generates a self-signed certificate with the various options.

PARAMETERS

-Subject <String>

Specifies the certificate subject in X.500 distinguished name format.
Example: CN=Test Cert, OU=Sandbox

Required?                    True
Position?                    0
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-NotBefore <DateTime>

Specifies the date and time when the certificate becomes valid. By default, the previous day's date is used.

Required?                    False
Position?                    1
Default value                Previous day's date
Accept pipeline input?       false
Accept wildcard characters?  False

-NotAfter <DateTime>

Specifies the date and time when the certificate expires. By default, the certificate is valid for 1 year.

Required?                    False
Position?                    2
Default value                1 year from current day
Accept pipeline input?       false
Accept wildcard characters?  False

-SerialNumber <String>

Specifies the desired serial number in hexadecimal format.
Example: 01a4ff2

If not specified, the serial number is generated automatically.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-ProviderName <String>

Specifies the Cryptographic Service Provider (CSP) name. You can use either legacy CSPs or Key Storage Providers (KSPs). By default, the "Microsoft Enhanced Cryptographic Provider v1.0" CSP is used.

Required?                    False
Position?                    named
Default value                Microsoft Enhanced Cryptographic Provider v1.0
Accept pipeline input?       false
Accept wildcard characters?  False

-AlgorithmName <String>

Specifies the public key algorithm. By default, the RSA algorithm is used. RSA is the only algorithm supported by legacy CSPs. With Key Storage Providers (KSPs) you can use CNG algorithms, such as ECDH. For CNG algorithms you must use the full name:
ECDH_P256
ECDH_P384
ECDH_P521

In addition, the KeyLength parameter must be specified explicitly when a non-RSA algorithm is used.

Required?                    False
Position?                    named
Default value                RSA
Accept pipeline input?       false
Accept wildcard characters?  False

-KeyLength <Int32>

Specifies the key length to generate. By default, a 2048-bit key is generated.

Required?                    False
Position?                    named
Default value                2048
Accept pipeline input?       false
Accept wildcard characters?  False

-KeySpec <String>

Specifies the type of operations the public key is used for. The possible values are Exchange and Signature. The default value is Exchange.

Required?                    False
Position?                    named
Default value                Exchange
Accept pipeline input?       false
Accept wildcard characters?  False

-EnhancedKeyUsage <Oid[]>

Specifies the intended uses of the public key contained in the certificate. You can specify either an EKU friendly name (for example 'Server Authentication') or an object identifier (OID) value (for example '1.3.6.1.5.5.7.3.1').

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-KeyUsage <X509KeyUsageFlags>

Specifies restrictions on the operations that can be performed with the public key contained in the certificate. Possible values (with their respective integer values, for bitwise operations) are:
EncipherOnly (1)
CrlSign (2)
KeyCertSign (4)
KeyAgreement (8)
DataEncipherment (16)
KeyEncipherment (32)
NonRepudiation (64)
DigitalSignature (128)
DecipherOnly (32768)

You can combine key usage values by using a bitwise OR operation. When combining multiple flags, they must be enclosed in quotes and separated by a comma character. For example, to combine the KeyEncipherment and DigitalSignature flags you should type: "KeyEncipherment, DigitalSignature".

If the certificate is a CA certificate (see the IsCA parameter), the Key Usage extension is generated automatically with the following key usages: Certificate Signing, Off-line CRL Signing, CRL Signing.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-SubjectAlternativeName <String[]>

Specifies alternative names for the subject. Unlike the Subject field, this extension allows more than one name to be specified, and multiple types of alternative names are supported. The cmdlet supports the following SAN types:
RFC822 Name
IP address (both IPv4 and IPv6)
Guid
Directory name
DNS name

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-IsCA <Boolean>

Specifies whether the certificate is a CA certificate (IsCA = $true) or an end-entity certificate (IsCA = $false). If this parameter is set to $false, the PathLength parameter is ignored. The Basic Constraints extension is marked as critical.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-PathLength <Int32>

Specifies the number of additional CA certificates permitted in the chain below this certificate. If the PathLength parameter is set to zero, no additional (subordinate) CA certificates are permitted under this CA.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False
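The following is an added example, not part of the module's own help or code. It ties the KeyUsage, IsCA and PathLength descriptions together: it creates a self-signed root CA with -IsCA $true and -PathLength 0, reads the certificate back from the store (the cmdlet itself returns nothing) and checks that the Basic Constraints and Key Usage extensions came out as described above; it then shows how a combined key usage string maps onto the .NET flags enum. The subject, friendly name and the Get-TypedExtension helper are this example's own; CurrentUser\My is used so the script runs without elevation, even though the StoreLocation description places real CA certificates in LocalMachine.

```powershell
# Added example (not the module's code). Assumed values: subject, friendly name, store.
$friendlyName = "Example Root CA (test)"

New-SelfSignedCertificateEx -Subject "CN=Example Root CA, OU=Sandbox" `
    -IsCA $true -PathLength 0 -FriendlyName $friendlyName `
    -SignatureAlgorithm SHA256 -StoreLocation CurrentUser -StoreName My

# The cmdlet does not output the certificate, so find the newest one by friendly name.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate '$friendlyName' was not found in CurrentUser\My." }

function Get-TypedExtension {
    # Helper for this example: copies the raw extension with the given OID into the
    # typed .NET wrapper so its decoded properties (CA flag, path length, flags) can be read.
    param($Certificate, [string]$OidValue, [string]$TypeName)
    $raw = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $OidValue }
    if (-not $raw) { throw "Extension $OidValue is missing from the certificate." }
    $typed = New-Object "System.Security.Cryptography.X509Certificates.$TypeName"
    $typed.CopyFrom($raw)
    return $typed
}

# Basic Constraints (OID 2.5.29.19): CA=TRUE, critical, path length constraint 0.
$bc = Get-TypedExtension $cert "2.5.29.19" "X509BasicConstraintsExtension"
if (-not $bc.CertificateAuthority) { throw "Basic Constraints does not mark this certificate as a CA." }
if (-not $bc.Critical)             { throw "Basic Constraints should be marked critical." }
if (-not $bc.HasPathLengthConstraint -or $bc.PathLengthConstraint -ne 0) {
    throw "Expected a path length constraint of 0, got '$($bc.PathLengthConstraint)'."
}

# Key Usage (OID 2.5.29.15): generated automatically for a CA. KeyCertSign and CrlSign
# must be present; anything beyond them is surprising for a CA key, so warn about it.
$kuType   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$ku       = Get-TypedExtension $cert "2.5.29.15" "X509KeyUsageExtension"
$required = $kuType::KeyCertSign -bor $kuType::CrlSign
if (($ku.KeyUsages -band $required) -ne $required) {
    throw "CA key usage should include KeyCertSign and CrlSign, got '$($ku.KeyUsages)'."
}
if (($ku.KeyUsages -band (-bnot $required)) -ne 0) {
    Write-Warning "CA key usage carries extra bits: $($ku.KeyUsages)"
}

# Combining flags for an end-entity certificate: the same comma-separated string the
# cmdlet accepts for -KeyUsage casts to the flags enum, which exposes its integer value.
$combo = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]"KeyEncipherment, DigitalSignature"
"Combined key usage '{0}' has integer value {1}" -f $combo, [int]$combo
"Root CA '{0}' verified: CA={1}, critical={2}, pathLength={3}, keyUsage={4}" -f `
    $cert.Subject, $bc.CertificateAuthority, $bc.Critical, $bc.PathLengthConstraint, $ku.KeyUsages
```

Reading the extensions back through the typed wrappers rather than trusting the parameters you passed is the check worth keeping: it catches a provider or module version that silently drops an extension, and the same few lines work on any certificate in the store, not only ones this cmdlet produced.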

-CustomExtension <X509ExtensionCollection>

Specifies custom extensions to include in the self-signed certificate. This parameter must not be used to specify an extension that is supported via other parameters. To use this parameter, the extensions must be supplied as a collection of initialized System.Security.Cryptography.X509Certificates.X509Extension objects.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False
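An added example (not the module's own code) of building the X509ExtensionCollection that -CustomExtension expects. It refuses to add an extension the cmdlet already handles through its own parameters, as the description above requires, then creates the certificate and reads the extension back. The OID is a placeholder under the private enterprise arc, the value is a constructed DER-encoded UTF8String ("test"), and New-CustomExtensionCollection is this example's own helper; all are assumptions, not values from the module.

```powershell
# Added example (not the module's code). Placeholder OID and constructed DER value below.
$ns = "System.Security.Cryptography.X509Certificates"

# Extensions the help says must be set through their own parameters, keyed by OID.
$reserved = @{
    "2.5.29.15" = "-KeyUsage"
    "2.5.29.17" = "-SubjectAlternativeName"
    "2.5.29.19" = "-IsCA / -PathLength"
    "2.5.29.37" = "-EnhancedKeyUsage"
}

function New-CustomExtensionCollection {
    # Helper for this example: wraps initialized X509Extension objects in a collection,
    # rejecting any extension that the cmdlet already covers with a dedicated parameter.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Extension[]]$Extension
    )
    $collection = New-Object "$ns.X509ExtensionCollection"
    foreach ($ext in $Extension) {
        if ($reserved.ContainsKey($ext.Oid.Value)) {
            throw "Extension $($ext.Oid.Value) must be set with $($reserved[$ext.Oid.Value]), not -CustomExtension."
        }
        [void]$collection.Add($ext)
    }
    return $collection
}

$oid = New-Object System.Security.Cryptography.Oid "1.3.6.1.4.1.99999.1"   # placeholder private OID
$der = [byte[]](0x0C, 0x04, 0x74, 0x65, 0x73, 0x74)                        # DER UTF8String "test" (constructed)
$ext = New-Object "$ns.X509Extension" -ArgumentList $oid, $der, $false      # $false = not critical

$collection = New-CustomExtensionCollection -Extension $ext

$friendlyName = "Custom extension test"
New-SelfSignedCertificateEx -Subject "CN=Custom Extension Test" -CustomExtension $collection `
    -FriendlyName $friendlyName -SignatureAlgorithm SHA256

# Read the certificate back (the cmdlet outputs nothing) and confirm the extension survived intact.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate '$friendlyName' was not found in CurrentUser\My." }

$found = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid.Value }
if (-not $found) { throw "Custom extension $($oid.Value) is missing from the certificate." }
# Skip the two-byte DER header (tag, length) to recover the string that was encoded.
$value = [System.Text.Encoding]::UTF8.GetString($found.RawData, 2, $found.RawData.Length - 2)
"Extension {0} present, critical={1}, value='{2}'" -f $found.Oid.Value, $found.Critical, $value
```

The reserved-OID check is the part a practitioner should keep: passing, say, a hand-built Key Usage through -CustomExtension while also using -KeyUsage risks a certificate with two copies of the same extension, which validators reject. Also note the critical flag: a relying party that does not understand a critical extension must refuse the certificate, so private extensions like this one should stay non-critical.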

-SignatureAlgorithm <String>

Specifies the signature algorithm used to sign the certificate. By default, the 'SHA1' algorithm is used.

Required?                    False
Position?                    named
Default value                SHA1
Accept pipeline input?       false
Accept wildcard characters?  False

-FriendlyName <String>

Specifies a friendly name for the certificate.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-StoreLocation <StoreLocation>

Specifies the store location in which to store the self-signed certificate. Possible values are 'CurrentUser' and 'LocalMachine'. The 'CurrentUser' store is intended for user certificates; computer (as well as CA) certificates must be stored in the 'LocalMachine' store.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-StoreName <StoreName>

Specifies the container name in the certificate store. Possible container names are:
AddressBook
AuthRoot
CertificateAuthority
Disallowed
My
Root
TrustedPeople
TrustedPublisher

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-AllowSMIME <SwitchParameter>

Enables Secure/Multipurpose Internet Mail Extensions (S/MIME) for the certificate.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-Exportable <SwitchParameter>

Marks the private key as exportable. Smart card providers usually do not allow exportable keys.

Required?                    False
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-Path <FileInfo>

Specifies the path of the PFX file to which the self-signed certificate is exported.

Required?                    True
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False

-Password <SecureString>

Specifies the password for the PFX file.

Required?                    True
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  False
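An added example (not the module's own code) covering the SubjectAlternativeName, Path and Password parameters together: it creates a server certificate with several alternative names, exports it to a PFX whose password is read from the console (so the password is neither on the command line nor in the shell history), then reloads the file to confirm that the private key and every expected SAN entry are present. The host names, IP address, file path and the Test-ExportedPfx helper are this example's own assumptions; -SignatureAlgorithm is passed explicitly because the cmdlet defaults to SHA1.

```powershell
# Added example (not the module's code). Names, path and helper are assumptions.
$ns          = "System.Security.Cryptography.X509Certificates"
$sanNames    = "www.example.test", "api.example.test", "192.0.2.10"   # constructed sample names
$pfxPath     = Join-Path $env:TEMP "example-ssl.pfx"
$pfxPassword = Read-Host -Prompt "Password for $pfxPath" -AsSecureString

New-SelfSignedCertificateEx -Subject "CN=www.example.test" `
    -EnhancedKeyUsage "Server Authentication" `
    -KeyUsage "KeyEncipherment, DigitalSignature" `
    -SubjectAlternativeName $sanNames `
    -SignatureAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1) `
    -Path $pfxPath -Password $pfxPassword -Exportable

function Test-ExportedPfx {
    # Helper for this example: loads a PFX and returns $true only when it carries a
    # private key and its SAN extension lists every expected name.
    param([string]$Path, [securestring]$Password, [string[]]$ExpectedNames)

    # EphemeralKeySet keeps the key out of the persistent key store while inspecting;
    # it needs .NET Framework 4.7.2 or later (use DefaultKeySet on older hosts).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Path, $Password, $flags
    try {
        if (-not $cert.HasPrivateKey) { Write-Warning "No private key in $Path"; return $false }

        # Subject Alternative Name is OID 2.5.29.17; Format($true) renders one entry per
        # line, e.g. "DNS Name=www.example.test" or "IP Address=192.0.2.10".
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if (-not $san) { Write-Warning "No Subject Alternative Name extension in $Path"; return $false }
        $text = $san.Format($true)

        $ok = $true
        foreach ($name in $ExpectedNames) {
            if ($text -notmatch [regex]::Escape($name)) {
                Write-Warning "SAN entry missing: $name"
                $ok = $false
            }
        }
        return $ok
    }
    finally {
        $cert.Reset()   # release the key handle and loaded certificate
    }
}

if (Test-ExportedPfx -Path $pfxPath -Password $pfxPassword -ExpectedNames $sanNames) {
    "PFX at $pfxPath verified: private key present, SAN covers $($sanNames -join ', ')"
}
```

Reloading the PFX through the X509Certificate2 constructor is a cheap acceptance test for any certificate you hand to a web server: an export that lost its private key, or a SAN list that silently dropped a name, shows up here rather than as a TLS failure later.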

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type
"get-help about_commonparameters".

INPUTS

None.

OUTPUTS

None.

NOTES

Author: Vadims Podans
Blog: http://en-us.sysadmins.lv

EXAMPLES

-------------- Example 1 --------------

PS C:\> New-SelfSignedCertificateEx -Subject "CN=Test Code Signing" -EKU "Code Signing" -KeySpec "Signature" `
 -KeyUsage "DigitalSignature" -FriendlyName "Test code signing" -NotAfter $((Get-Date).AddYears(5))

Creates a self-signed certificate intended for code signing that is valid for 5 years. The certificate is saved in the Personal store of the current user account.

-------------- Example 2 --------------

PS C:\> New-SelfSignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" `
 -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
 -AllowSMIME -Path C:\test\ssl.pfx -Password (ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force) -Exportable `
 -StoreLocation "LocalMachine"

Creates a self-signed SSL certificate with multiple subject names and saves it to a file. Additionally, the certificate is saved in the Personal store of the Local Machine store. The private key is marked as exportable, so you can export the certificate with its associated private key to a file at any time. The certificate includes S/MIME capabilities.

-------------- Example 3 --------------

PS C:\> New-SelfSignedCertificateEx -Subject "CN=www.domain.com" -EKU "Server Authentication", "Client authentication" `
 -KeyUsage "KeyEncipherment, DigitalSignature" -SAN "sub.domain.com","www.domain.com","192.168.1.1" `
 -StoreLocation "LocalMachine" -ProviderName "Microsoft Software Key Storage Provider" -AlgorithmName ECDH_P256 `
 -KeyLength 256 -SignatureAlgorithm sha256

Creates a self-signed SSL certificate with multiple subject names and saves it in the Personal store of the Local Machine store. The certificate uses the Elliptic Curve Cryptography (ECC) key algorithm ECDH with a 256-bit key, generated by the Microsoft Software Key Storage Provider (the CNG algorithm is given by its full name, as the AlgorithmName parameter requires). The certificate is signed using the SHA256 algorithm.

-------------- Example 4 --------------

PS C:\> New-SelfSignedCertificateEx -Subject "CN=Test Root CA, OU=Sandbox" -IsCA $true -ProviderName "Microsoft Software Key Storage Provider" -Exportable

Creates a self-signed root CA certificate.

RELATED LINKS
