{"id":15192226,"url":"https://github.com/powershell/selfsignedcertificate","last_synced_at":"2025-10-02T06:32:45.990Z","repository":{"id":65985535,"uuid":"150489203","full_name":"PowerShell/SelfSignedCertificate","owner":"PowerShell","description":"A module for generating self-signed certificates in PowerShell Core","archived":true,"fork":false,"pushed_at":"2020-09-16T22:11:06.000Z","size":25,"stargazers_count":28,"open_issues_count":3,"forks_count":9,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-01-21T12:35:57.046Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PowerShell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-09-26T20:56:27.000Z","updated_at":"2024-09-17T18:06:06.000Z","dependencies_parsed_at":"2023-02-19T19:00:44.186Z","dependency_job_id":null,"html_url":"https://github.com/PowerShell/SelfSignedCertificate","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/PowerShell/SelfSignedCertificate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShell%2FSelfSignedCertificate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShell%2FSelfSignedCertificate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShell%2FSelfSignedCertificate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShell%2FSelfSignedCertificate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PowerShell
","download_url":"https://codeload.github.com/PowerShell/SelfSignedCertificate/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PowerShell%2FSelfSignedCertificate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":277968828,"owners_count":25907418,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-02T02:00:08.890Z","response_time":67,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-27T21:20:17.356Z","updated_at":"2025-10-02T06:32:45.759Z","avatar_url":"https://github.com/PowerShell.png","language":"PowerShell","readme":"SelfSignedCertificate\r\n===\r\n\r\nTable of Contents:\r\n\r\n- [Overview](#overview)\r\n- [Example Usage](#example-usage)\r\n- [Suggested Improvements](#suggested-improvements)\r\n- [License](#license)\r\n\r\n### Disclaimer\r\n\r\nThis module is not officially supported.\r\nIt has been created as a convenience module\r\nfor the generation of self-signed certificates\r\nto simplify the testing of HTTPS functionality.\r\n\r\nThis module should not be used in any production scenarios;\r\nit is designed to create self-signed certificates for testing\r\npurposes only.\r\n\r\nOverview\r\n---\r\n\r\nThis module is designed to be a convenient, cross-platform way\r\nto generate self-signed certificates in both PowerShell Core and Windows PowerShell 
5.1.\r\n\r\nSince .NET Core already embeds its own cross-platform cryptography/certificate API,\r\nthis module is a native PowerShell script module, with no binary dependencies.\r\n\r\nSome goals for this module include:\r\n\r\n- Low or no dependency footprint\r\n- User-friendly certificate input:\r\n  - No fiddling with distinguished name formats\r\n  - No arcane `X509HighlySpecificCryptoObject` assigning and manipulation\r\n  - No raw binary/ASN.1/DER manipulation\r\n- Relatively improved configurability:\r\n  - Support multiple certificate formats\r\n  - Support different certificate configurations, validity periods and extensions\r\n- Simple cross-platform functionality:\r\n  - We should be able to generate a certificate that works\r\n    on Windows, Linux and macOS\r\n  - Default settings should \"just work\" on respective platforms\r\n  - Favor simplicity when possible, but not as a hard requirement\r\n\r\n### Alternative tools\r\n\r\nYou may want to take a look at a few other alternatives for self-signed certificate generation,\r\nlisted here:\r\n\r\n- Windows PowerShell's [`New-SelfSignedCertificate` cmdlet](https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps)\r\n  from the PkiClient module.\r\n  \r\n  It can be used from PowerShell Core on Windows using the [WindowsCompatibility module](https://github.com/PowerShell/WindowsCompatibility)\r\n  like this:\r\n  \r\n  ```powershell\r\n  Install-Module WindowsCompatibility\r\n  Import-WinModule PKI\r\n  New-SelfSignedCertificate # args as needed\r\n  ```\r\n  \r\n  However, this module is only available on Windows \u0026mdash; there is no Linux version.\r\n  \r\n- The [`dotnet dotnet-dev-certs` global tool](https://www.nuget.org/packages/dotnet-dev-certs),\r\n  designed for generating self-signed certificates for ASP.NET Core development.\r\n  \r\n  This can be installed from the dotnet CLI.\r\n  \r\n- [`openssl`](https://www.openssl.org/), which does work 
cross-platform,\r\n  but may not be favorable compared to a PowerShell-native option\r\n  and uses a PEM rather than PFX format.\r\n\r\nExample Usage\r\n---\r\n\r\n### Basic Usage\r\n\r\nTo create a simple certificate the following will work:\r\n\r\n```powershell\r\n\u003e New-SelfSignedCertificate\r\nCertificate written to C:\\Users\\roholt\\Documents\\Dev\\sandbox\\certificate.pfx\r\n\r\nThumbprint                                Subject              EnhancedKeyUsageList\r\n----------                                -------              --------------------\r\nA51B016324B5D2F11340CDCC52004B8129C88D3B  CN=localhost\r\n\r\n```\r\n\r\nThis will create a new certificate called `certificate.pfx` in your CWD\r\nfor `localhost`.\r\nThe command itself returns an `X509Certificate2` object\r\ndescribing the certificate written to disk.\r\nYou can inspect this object to find its properties.\r\nThis certificate will have no key usages, no basic constraints,\r\nno enhanced key usages and a Subject Key Identifier extension.\r\n\r\n**Note**: To repeat this command, you will need the `-Force` parameter\r\nin order to overwrite the old certificate you generated before.\r\n\r\n### More Advanced Usage\r\n\r\nThe `New-SelfSignedCertificate` command allows the specification of\r\nfull distinguished names as well as a few other options:\r\n\r\n```powershell\r\n\u003e $password = ConvertTo-SecureString -Force -AsPlainText 'your password'\r\n\u003e $distinguishedName = @{\r\n    CommonName = 'example.org'\r\n    Country = 'US'\r\n    StateOrProvince = 'Nebraska'\r\n    Locality = 'Omaha'\r\n    Organization = 'Umbrella Corporation'\r\n    OrganizationalUnit = 'Sales'\r\n    EmailAddress = 'donotreply@umbrellacorp.com'\r\n}\r\n\u003e $certificateParameters = $distinguishedName + @{\r\n    OutCertPath = 'C:\\Users\\you\\Documents\\cert.pfx'\r\n    StartDate = [System.DateTimeOffset]::Now\r\n    Duration = [timespan]::FromDays(365)\r\n    Passphrase = $password\r\n    CertificateFormat = 
'Pfx' # Values from [System.Security.Cryptography.X509Certificates.X509ContentType]\r\n    KeyLength = 4096\r\n    ForCertificateAuthority = $true\r\n    KeyUsage = 'DigitalSignature','KeyEncipherment' # Values from [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]\r\n    EnhancedKeyUsage = 'ServerAuthentication','ClientAuthentication'\r\n}\r\n\u003e New-SelfSignedCertificate @certificateParameters -Force\r\nWARNING: Parameter 'EmailAddress' is obsolete. The email name component is deprecated by the PKIX standard\r\nCertificate written to C:\\Users\\roholt\\Documents\\Dev\\sandbox\\here.pfx\r\n\r\nThumbprint                                Subject              EnhancedKeyUsageList\r\n----------                                -------              --------------------\r\n7445433CB2BB4948E12794A167C6725DC214AA84  CN=example.org, O... {Server Authentication, Client Authentication}\r\n```\r\n\r\nThe certificate produced by the above command will have the following properties:\r\n\r\n- The issuer and subject distinguished name set to:\r\n\r\n  ```text\r\n  CN=example.org, OU=Sales, O=Umbrella Corporation, L=Omaha, S=Nebraska, C=US, E=donotreply@umbrellacorp.com\r\n  ```\r\n\r\n- Password protection (in this case with the password `'your password'`).\r\n- A one-year validity period starting from the creation time (with the milliseconds truncated).\r\n- A 4096-bit RSA key.\r\n- A basic constraints extension with `CertificateAuthority` set to `true`.\r\n- The `Digital Signature` and `Key Encipherment` basic key usages indicated.\r\n- The `Server Authentication` and `Client Authentication` enhanced key usages indicated.\r\n\r\nThe command also offers the `-AdditionalExtension` parameter,\r\nwhich takes an array of `System.Security.Cryptography.X509Certificates.X509Extension`\r\nto add to any generated certificate.\r\n\r\nSuggested Improvements\r\n---\r\n\r\n### Support for other certificate formats\r\n\r\nThe module does not yet support PEM files,\r\nwhich are 
heavily used in the Linux world.\r\nWhile not a certificate format per se,\r\nthey are a common encoding of certificates\r\nand we should endeavour to support them in some way.\r\n\r\nPresently, the author is not aware of PEM support\r\nnative to PowerShell Core or .NET Core.\r\n\r\n### Ability to specify criticality on certificate extensions\r\n\r\nThe certificate extensions generated by this module\r\ncurrently all set the `Critical` field to `false` to allow greater flexibility.\r\n\r\nHowever, it might be desirable to configure\r\nany or all of these to be designated as `Critical`.\r\nIdeally this could be done without cluttering up the command's already\r\nlarge number of parameters.\r\n\r\n### Better support for other enhanced key usages\r\n\r\nCurrently only the `ServerAuthentication` and `ClientAuthentication` enhanced\r\nkey usages are supported (in a constraining way, for ease of use).\r\n\r\nIdeally more options for this could be made available.\r\n\r\n### Better, more-modular support for common certificate extensions\r\n\r\nThe module could provide a set of classes that generate `X509Extension`s\r\ndescribing commonly used certificate extensions.\r\n\r\nLicense\r\n---\r\n\r\nThis module is MIT licensed. See the [LICENSE.txt](./LICENSE.txt).\r\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpowershell%2Fselfsignedcertificate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpowershell%2Fselfsignedcertificate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpowershell%2Fselfsignedcertificate/lists"}