How to Create Self Signed Root & Client Certificate using PowerShell

In the realm of cybersecurity, ensuring secure communication between clients and servers is paramount. One effective way to achieve this is through the use of certificates. While obtaining certificates from a trusted Certificate Authority (CA) is common practice, there are scenarios where creating self-signed certificates is both practical and necessary.

In this article, we will explore how to create self-signed root and client certificates using PowerShell. This powerful scripting language not only simplifies the process but also provides a flexible and efficient way to manage certificates. Whether you’re a seasoned IT professional or just starting out, this guide will equip you with the knowledge to enhance your security infrastructure with self-signed certificates.

How it works :

• Root certificate can be installed on different plateforms depending on your needs (Azure, AWS, Fortinet, VPN...etc).
• Client certificate will be installed on clients machines that will attempt to access this plateforms. for security reasons, Client certificate is not exportable.

Before Starting technical guide :

• Remember, while self-signed certificates are useful for internal purposes and testing, always consider using certificates from a trusted Certificate Authority for production environments to ensure maximum security and trustworthiness.
• Save Root Certificate , Client Certificate and password in secure place (Password Manager, Protected Flash drive ... etc)

1 - Create Root Certificate :

This script will create a root certificate and install it under the current user's certificate store.

The root certificate can be exported later to another plateform (Azure, AWS, Fortinet firewall...etc).

# Specify Certificate Name :
$CertificateName = "Test-RootCert"

# Create Root Certificate :
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=$($CertificateName)" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign        

2 - Create client certificate from Root Certificate :

The Client certificate

Open PowerShell as administrator and run the following command , this code retrieves the fingerprint of the RootCertificate "Test-RootCert" that we named in the first script, as you can see:

# Get Thumbprint of Root Certificate
Get-ChildItem -Path "Cert:\CurrentUser\My"        

Now we're going to use this fingerprint to generate the client certificate. To do this, copy and paste the certificate into a Notepad, modify the name of your certificate to suit your needs, and change the certificate's validity period.

in this tutorial, I've chosen a period of 5 years

# Create Client Certificate From Root Certificate
New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=Test-ClientCert" -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(5) `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")        

Here's the result of running this script:

We now have the certificates in place, but we need to export the RootCertificate to download it into Azure, and export the client certificate to install it afterwards on the client machines that will connect to this machine.

3 - Export Root certificate public key (.cer):

As we said before, we need to export the RootCertificate to upload it to Azure or AWS or Fortinet ...etc.

To begin, press Windows key + "R" to open the Run dialog box and type "certmgr.msc". When the management console opens, you should see your newly created certificate in "Current User\Personal\Certificates". Right-click on the newly created certificate and select "All Tasks > Export".

Select "do not export private key".

Choose the "x.509 base 64 encoded (*.cer)" option

Choose a location to save your certificate :

Click on "Finish"

4 - Export client certificate :

Right-click on the client certificate -> All Tasks -> Export.

Click on "Next

Select "Yes export private key".

Choose the "Exchange personal information..." option

• Include all certificates in path
• Enable certificate confidentiality.

Add a certificate protection password, then choose an encryption method (AES or TripleDES)

Password must be saved securely to be used later with certificate installation on other computers.

Add a customer certificate registration location :

Click on "Finish".

Conclusion :

In conclusion, creating self-signed root and client certificates using PowerShell is a valuable skill for any IT professional. It not only enhances your understanding of certificate management but also provides a practical solution for secure communications in various scenarios. By following the steps outlined in this guide, you can confidently generate and manage your own certificates, ensuring a robust security framework for your applications and services.

Remember, while self-signed certificates are useful for internal purposes and testing, always consider using certificates from a trusted Certificate Authority for production environments to ensure maximum security and trustworthiness.

Thank you for reading, and I hope this guide has been helpful in your journey to mastering certificate creation with PowerShell.

Thanks

Aymen EL JAZIRI

System Administrator