Generate self-signed certificate and export in PFX format via PowerShell [Part 2]

self-signed certificate

A self-signed certificate is one that is not signed by a Certificate Authority (CA) at all – neither private nor public. In this case, the certificate is signed with its own private key, instead of requesting it from a public or a private CA. Self-signed certificates offer some advantages when used in internal networks and software development phases, however, they can also create several risks without proper visibility and control. Please see How to enable LDAP over SSL with a third-party Certificate such as DigiCert.

Here are some exciting articles: How to generate your trial SSL Certificate using DigiCert PKI platform, how to import SSL Certificate to Windows Server using DigiCert Utility, how to request a certificate signing request in Windows using Microsoft Management Console. Below is a diagram highlighting the advantages and disadvantages of a self-signed certificate.

src: kfactor

Nonetheless, The SSL/TLS protocol allows for the encryption of data communications over open networks, safeguarding against tampering and interception by malicious actors. Moreover, In addition to using SSL certificates to authenticate communicating parties, it also creates a trusted environment.

Trusted Certificate Authorities (CAs) sign and validate SSL certificates, ensuring trust and preventing rogue impersonation. Furthermore, To install your own CA, click on this hyperlink “How to install and configure Active Directory Certificate Services“. Here is a guide on how to create a self-signed certificate and export certificate in PFX format via PowerShell [Part 1].

Self-signed certificates are not trusted by default and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.

Creates a self-signed certificate

The New-SelfSignedCertificate cmdlet creates a self-signed certificate for testing purposes. Run the following command below.

However, The New-SelfSignedCertificate cmdlet, as shown below, adds a certificate to the local store on your PC, replacing the full DNS name with yours. Want to learn more about these commands, kindly visit the Microsoft documentation.

new-selfsignedcertificate -certstorelocation cert:localmachinemy -dnsname "Techdarchivedc"
PFX format

In this guide on How to generate a self-signed certificate, we’ll proceed by exporting the certificate. As shown below, we will need to create a password to accomplish this step. However, I am using a very weak password just for testing purposes.

pwd = ConvertTo-SecureString -String "Password12345" -Force -AsPlainText

As you can see below, the certificate has been created as shown below. Now we will have to export this certificate in PFX format. Nonetheless, See this guide for other methods to export a certificate in PFX format in Windows.

Double-click on the newly created certificate or right-click on the newly created certificate and select Properties

self-signed certificate

You may be interested in these: What are the components needed to create a certificate signing request, and how to install Windows Admin Center (WAC) in an unattended mode using a self-signed certificate, and how to enable LDAP over SSL with a self-signed certificate.

Certificate Details and Validity

On the General tab, you’ll find details like validity and issuance. Understanding these is vital when learning how to generate a self-signed certificate.


Navigate to the Details tab and click on copy to file as shown below.

PFX format

This will open the Certificate Export Wizard. Click on Next to continue.


When prompted, opt to import the private key while following the instructions on How to generate a self-signed certificate. Proceed by clicking on the “Next” button.


Now the .pfx option is enabled and disables Enable certificate privacy


Input your desired password and select the right Encryption algorithm


Enter your desired password and select the right Encryption algorithm


Enter the file name and click on save.


Under the file type name enter the name you wish to save the certificate and click on next


If the import is successful, you will be prompted with the Certificate Export Wizard Success Window.


Learn how to generate a self-signed certificate and then import it using an alternative Command Line Tool into the “Trusted Root Certification Authority.” See the following link for the steps.


Do you wish to make a shift from self-signed certificates to certificates as-a-service? Then request a demon from Keyfactor. By this, you will be able to obtain certificates using automated processes and APIs integrated directly with cloud-native tools like Jenkins, Ansible, Kubernetes, HashiCorp Vault, Istio, and others.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x