Creating a self-signed certificate using Microsoft PowerShell is a powerful and practical way to secure applications, test HTTPS locally, and enable encrypted communication without purchasing a certificate from a Certificate Authority (CA). Whether you are a developer, system administrator, or IT enthusiast, understanding how to generate and manage self-signed certificates is an essential skill in modern computing.
This detailed guide will walk you through everything—from basic concepts to advanced usage—so you can confidently create, export, and use self-signed certificates on Windows systems.
Introduction to Self-Signed Certificates
A self-signed certificate is a digital certificate that is signed by the same entity whose identity it certifies. Unlike certificates issued by trusted Certificate Authorities such as DigiCert or Let’s Encrypt, self-signed certificates are not automatically trusted by browsers or operating systems.
However, they are extremely useful in the following scenarios:
- Local development environments
- Testing HTTPS-enabled applications
- Internal tools within an organization
- Learning and experimentation
- Secure communication in isolated systems
Although they are not suitable for public-facing production websites (due to trust warnings), they serve as an excellent tool for controlled environments.
Why Use PowerShell for Certificate Creation?
PowerShell provides built-in cmdlets that make it easy to create and manage certificates without installing additional tools. The key advantages include:
- Native support in Windows 10 and Windows 11
- No need for third-party software
- Automation-friendly (scripts can be reused)
- Secure handling of certificates and keys
The most important cmdlet you will use is:
New-SelfSignedCertificate
Prerequisites
Before you begin, ensure the following:
- You are using Windows 10, Windows 11, or Windows Server
- PowerShell is running with Administrator privileges
- You have basic knowledge of command-line usage
To open PowerShell as administrator:
- Press Windows + S
- Search for PowerShell
- Right-click and select Run as administrator
Understanding Certificate Stores
Windows stores certificates in structured locations known as certificate stores. The most commonly used stores are:
- Cert:\LocalMachine\My → Certificates for the entire system
- Cert:\CurrentUser\My → Certificates for the current user
When creating a certificate, you must decide where it should be stored.
Method 1: Create a Basic Self-Signed Certificate
Let’s start with the simplest method.
Command:
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "Cert:\LocalMachine\My"
Explanation:
- -DnsName “localhost” → Defines the domain name
- -CertStoreLocation → Specifies where the certificate is stored
This command creates a certificate for localhost and stores it in the Local Machine store.
Method 2: Create a Certificate with Custom Name and Expiry
To have more control, you can specify additional parameters.
Command:
New-SelfSignedCertificate `
-DnsName "example.local" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-FriendlyName "My Test Certificate" `
-NotAfter (Get-Date).AddYears(2)
Key Parameters:
- FriendlyName → A human-readable name
- NotAfter → Expiration date
This creates a certificate valid for 2 years.
Method 3: Create a Certificate with Multiple Domain Names
If your application uses multiple domains, you can include them:
New-SelfSignedCertificate `
-DnsName "example.local","www.example.local","api.example.local" `
-CertStoreLocation "Cert:\LocalMachine\My"
This is useful for testing multi-domain applications.
Method 4: Create a Certificate for Code Signing
Self-signed certificates can also be used for signing scripts.
New-SelfSignedCertificate `
-Type CodeSigningCert `
-Subject "CN=MyCodeSigningCert" `
-CertStoreLocation "Cert:\CurrentUser\My"
This allows you to sign PowerShell scripts securely.
Viewing Created Certificates
To list certificates:
Get-ChildItem -Path Cert:\LocalMachine\My
To filter by name:
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*example*"}
Exporting a Self-Signed Certificate
After creating a certificate, you may want to export it for use in applications like IIS or browsers.
Step 1: Export as PFX (with private key)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*example.local*"}
$password = ConvertTo-SecureString -String "Password123" -Force -AsPlainTextExport-PfxCertificate -Cert $cert -FilePath "C:\certificate.pfx" -Password $password
Step 2: Export as CER (public key only)
Export-Certificate -Cert $cert -FilePath "C:\certificate.cer"
Importing the Certificate
To trust your self-signed certificate:
Import-Certificate -FilePath "C:\certificate.cer" -CertStoreLocation "Cert:\LocalMachine\Root"
This adds the certificate to the Trusted Root Certification Authorities store.
Using the Certificate with IIS
If you’re hosting a website on IIS:
- Open IIS Manager
- Go to Server Certificates
- Import your
.pfxfile - Bind the certificate to your website
This enables HTTPS for your local or internal site.
Using the Certificate in Browsers
Browsers like Chrome and Edge rely on the Windows certificate store.
Steps:
- Import the certificate into Trusted Root Certification Authorities
- Restart your browser
- Visit your HTTPS site
You should no longer see security warnings.
Advanced Options in New-SelfSignedCertificate
Here are some advanced parameters:
1. Key Length
-KeyLength 2048
2. Key Algorithm
-KeyAlgorithm RSA
3. Enhanced Key Usage
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
This specifies server authentication.
Automating Certificate Creation with Scripts
You can automate the process:
$dns = "myapp.local"
$cert = New-SelfSignedCertificate -DnsName $dns -CertStoreLocation "Cert:\LocalMachine\My"$password = ConvertTo-SecureString -String "1234" -Force -AsPlainTextExport-PfxCertificate -Cert $cert -FilePath "C:$dns.pfx" -Password $password
This is useful for DevOps and CI/CD pipelines.
Common Errors and Fixes
1. Access Denied
- Run PowerShell as Administrator
2. Certificate Not Trusted
- Import into Trusted Root store
3. Browser Still Shows Warning
- Clear SSL cache
- Restart browser
4. Certificate Not Found
- Ensure correct store path
Security Considerations
While self-signed certificates are useful, they have limitations:
- Not trusted by default
- Vulnerable to man-in-the-middle attacks if misused
- Not suitable for public production websites
Always use CA-issued certificates for live environments.
When Should You Use Self-Signed Certificates?
Use them when:
- Developing locally
- Testing APIs or web apps
- Running internal tools
- Learning SSL/TLS concepts
Avoid using them for:
- E-commerce websites
- Public services
- Sensitive data transmission over the internet
Best Practices
- Use strong key lengths (2048 or higher)
- Set reasonable expiration dates
- Protect private keys with passwords
- Remove unused certificates regularly
- Use meaningful friendly names
Removing a Certificate
To delete a certificate:
Remove-Item -Path "Cert:\LocalMachine\My\<Thumbprint>"
Replace <Thumbprint> with the actual value.
Conclusion
Creating a self-signed certificate using PowerShell is a straightforward yet powerful process that can significantly enhance your development and testing workflows. With just a few commands, you can generate, export, and use certificates for secure communication without relying on external services.
PowerShell simplifies certificate management by providing flexible and scriptable tools, making it ideal for both beginners and advanced users. While self-signed certificates are not a replacement for CA-issued certificates in production environments, they are invaluable for local testing, internal systems, and educational purposes.
By following the steps in this guide, you now have the knowledge to create and manage self-signed certificates efficiently and securely.
