The new version of New-SelfSignedCertificate, which is included in Windows 10, is described here. For more information, you can use New-SelfSignedCertificate -? and get-help New-SelfSignedCertificate -examples.
The documentation and examples may not seem clear enough to create two certificates:
- one self-signed certificate that will be used as the CA certificate from your example
- a second SSL certificate signed with the first certificate.
The implementation may be as follows (I wrote the option below in several lines just to make the text more readable):
    New-SelfSignedCertificate -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096 `
        -Subject "CN=My Test (PowerShell) Root Authority,O=OK soft GmbH,C=DE" `
        -KeyUsage DigitalSignature,CertSign `
        -NotAfter (get-date).AddYears(10) `
        -CertStoreLocation "Cert:\CurrentUser\My" -Type Custom
The output will look like

       Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

    Thumbprint                                Subject
    ----------                                -------
    B7DE93CB88E99B01D166A986F7BF2D82A0E541FF  CN=My Test (PowerShell) Root Authority, O=OK soft GmbH, C=DE
The value B7DE93CB88E99B01D166A986F7BF2D82A0E541FF is important for using the certificate for signing. If you forget the value, you can find it by the CN name

    dir cert:\CurrentUser\My | where Subject -Like "CN=My Test (PowerShell)*"

or by using certutil.exe -user -store My to display the certificates in the My store of the current user.
To create an SSL certificate and sign it with the previously created certificate, you can do, for example, the following

    New-SelfSignedCertificate -Type Custom -Subject "CN=ok01.no-ip.org" `
        -HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyUsage KeyEncipherment,DigitalSignature `
        -CertStoreLocation "cert:\LocalMachine\My" `
        -Signer cert:\CurrentUser\My\B7DE93CB88E99B01D166A986F7BF2D82A0E541FF `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2","2.5.29.17={text}DNS=ok01.no-ip.org&DNS=ok01.fritz.box")
It seems to me that the final certificate will have all the necessary properties. It is clear that the values of many of the above parameters are only examples, which you should change based on your requirements. I do not describe here some other general steps, such as importing a root certificate into Trusted Root, exporting certificates, etc. These steps are not part of your main question.
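The same two-step procedure as a single script, added here as an example that is not part of the answer above. It hands the returned CA object to -Signer instead of copying the thumbprint by hand, adds a Basic Constraints extension to the root (the answer's command does not set one), and checks the issued certificate before it is used. The subject names, organisation and DNS names are placeholders.

```powershell
# Added example, not from the answer above: build the root CA and the server
# certificate in one script, hand the CA object to -Signer instead of copying
# the thumbprint by hand, and check the result before trusting it.
# Subject names, organisation and DNS names below are placeholders.

$caSubject   = "CN=Example Test Root Authority,O=Example Org,C=DE"  # placeholder
$leafDnsName = "server01.example.test"                               # placeholder

# 1. Root CA certificate. Unlike the answer's command, this adds a Basic Constraints
#    extension (OID 2.5.29.19) marking the certificate as a CA; pathlength=0 means
#    it may issue end-entity certificates only, not further CAs.
$ca = New-SelfSignedCertificate -Type Custom `
    -Subject $caSubject `
    -HashAlgorithm sha384 -KeyAlgorithm RSA -KeyLength 4096 `
    -KeyUsage DigitalSignature,CertSign,CRLSign `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -TextExtension @("2.5.29.19={text}CA=1&pathlength=0")

# The cmdlet returns the X509Certificate2 it created, so the thumbprint is at hand.
"Root CA thumbprint: $($ca.Thumbprint)"

# 2. Server certificate issued by that CA (-Signer accepts the certificate object).
#    2.5.29.37 = Extended Key Usage (serverAuth, clientAuth)
#    2.5.29.17 = Subject Alternative Name; clients match the host name against this, not the CN.
$leaf = New-SelfSignedCertificate -Type Custom `
    -Subject "CN=$leafDnsName" `
    -HashAlgorithm sha256 -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage KeyEncipherment,DigitalSignature `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -Signer $ca `
    -TextExtension @(
        "2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2",
        "2.5.29.17={text}DNS=$leafDnsName"
    )

# 3. Sanity checks before the certificate is deployed anywhere.
if ($leaf.Issuer -ne $ca.Subject) {
    throw "Server certificate is not issued by the test CA"
}
if ($leaf.Thumbprint -eq $ca.Thumbprint) {
    throw "Server certificate is self-signed; -Signer was not applied"
}
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san -or $san.Format($true) -notmatch [regex]::Escape($leafDnsName)) {
    throw "Subject Alternative Name does not contain $leafDnsName"
}
"Issuer : $($leaf.Issuer)"
"SAN    : $($san.Format($false))"

# 4. Full chain validation only succeeds once the CA is trusted. Importing it into
#    Cert:\CurrentUser\Root is outside the scope of the answer; with that done,
#    Test-Certificate (PKI module) checks the whole chain for SSL use:
#    Test-Certificate -Cert $leaf -Policy SSL -DNSName $leafDnsName
```

Run it in an elevated PowerShell session, since writing to Cert:\LocalMachine\My requires administrator rights; the root CA itself lands in the current user's store, as in the answer. The checks in step 3 catch the two most common mistakes with this cmdlet: a -Signer that was silently ignored (the result is then self-signed) and a host name present only in the CN, which modern clients no longer accept.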