Scripts (PowerShell)

How to create a self-signed certificate and export in PFX format via PowerShell [Part 1]

A self-signed certificate is a certificate that is signed by the person or organization creating it rather than a trusted certificate authority. When using a self-signed certificate, there is no chain of trust. The certificate has signed itself. The web browser will then issue a warning, telling you that the website certificate cannot be verified. See the following interesting guides on how to import a certificate into the Trusted Root and Personal file certificate store, how to request a certificate signing request in Windows using Microsoft Management Console, and how to export a certificate in PFX format in Windows.

Generally, a self-signed certificate is no longer recommended in an enterprise environment. But very vital in a test scenario where a certificate is a requirement for testing. This saves time and resources by buying a certificate or deploying your own Public Key Infrastructure (PKI) environment. Wish to see a different method on how to accomplish this task, kindly see "how to generate a self-signed certificate and export in PFX format via PowerShell [Part 2]".

Note: This can be generated using MMC and IIS (Internet Information Services). I will be demonstrating these steps in a later post.

Steps: Ensure to run PowerShell with Administrators privileges
1. Run the following command below. The New-SelfSignedCertificate cmdlet as shown below to add a certificate to the local store on your PC, replacing the fully qualified domain name (FQDN).

$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname techdirect.local

2. In this step, we will export the self-signed certificate. We will need to create a password as shown below to accomplish this step

$pwd = ConvertTo-SecureString -String ‘passw0rd!’ -Force -AsPlainText

3. We will have to export the self-signed certificate using the Export-PfxCertificate cmdlet as shown below. The password ($pwd) created will be used to create an additional string ($path), which specifies the path to the certificate created with the New-SelfSignedCertificate cmdlet.

$path = 'cert:\localMachine\my\' + $cert.thumbprint Export-PfxCertificate -cert $path -FilePath c:\cert.pfx -Password $pwd

Note: That the c:\temp directory, or whatever directory you specify in the -FilePath parameter, must already exist. You can now import the cert.pfx file to install the certificate.

Note: The few lines of codes can be combined together as shown below to create and store a self-signed certificate in the Windows Certificate Store. The last line (Export-Pfx Certificate) will export the certificate. Reference link:

$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname techdirect.local
$pwd = ConvertTo-SecureString -String ‘passw0rd!’ -Force -AsPlainText
$path = 'cert:\localMachine\my\' + $cert.thumbprint 
Export-PfxCertificate -cert $path -FilePath c:\cert.pfx -Password $pwd

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of

Inline Feedbacks
View all comments
2 years ago

hi I am getting this error in power shell, I dont understand how do you open it in administrator account. I am doing this from my personal laptop

PS C:\Users\Hareem> $cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname techdirect.local
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808
At line:1 char:9
+ $cert = New-SelfSignedCertificate -certstorelocation cert:\localmachi …
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo     : NotSpecified: (:) [New-SelfSignedCertificate], Exception
  + FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand

Would love your thoughts, please comment.x