How to generate a self-signed certificate and export in PFX format via PowerShell [Part 2]


A self-signed certificate is one that is not signed by a Certificate Authority (CA) at all, neither private nor public. Instead of requesting a signature from a public or private CA, the certificate is signed with its own private key. Self-signed certificates offer some advantages in internal networks and during software development, but they also create several risks when there is no proper visibility and control over them. Related guides: how to generate a trial SSL certificate using the DigiCert PKI platform, how to import an SSL certificate into Windows Server using the DigiCert Utility, how to request a certificate signing request in Windows using the Microsoft Management Console, what components are needed to create a certificate signing request, how to install Windows Admin Center (WAC) in unattended mode using a self-signed certificate, and how to enable LDAP over SSL with a self-signed certificate. Below is a diagram highlighting the advantages and disadvantages of a self-signed certificate.

[Diagram: advantages and disadvantages of self-signed certificates. Source: kfactor]

The SSL/TLS protocol encrypts data communications over open networks, safeguarding them against tampering and interception by malicious actors. Besides encryption, SSL certificates authenticate the communicating parties and so create a trusted environment. To establish the required level of trust and rule out rogue certificates impersonating legitimate companies, SSL certificates need to be signed and validated by a trusted Certificate Authority (CA). If you wish to install your own CA, see “How to install and configure Active Directory Certificate Services“. For the first part of this series, see the guide on how to create a self-signed certificate and export the certificate in PFX format via PowerShell [Part 1].

Self-signed certificates are not trusted by default and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.

Create a self-signed certificate

The New-SelfSignedCertificate cmdlet creates a self-signed certificate for testing purposes. Run the command below; it adds a certificate to the local machine's Personal store on your PC. Replace the DNS name with your own. To learn more about this cmdlet and its parameters, see the Microsoft documentation.

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "Techdarchivedc"

In this step, we will export the self-signed certificate. We will need to create a password as shown below to accomplish this step. Here I am using a very weak password just for testing purposes.

$pfxPassword = ConvertTo-SecureString -String "Password12345" -Force -AsPlainText

As you can see below, the certificate has been created. Now we have to export this certificate in PFX format. See this guide for other methods to export a certificate in PFX format in Windows.
– Double-click the newly created certificate, or right-click it and select Properties.


On the General tab you can see the validity period and the Issued by and Issued to fields.


Navigate to the Details tab and click Copy to File as shown below.


This opens the Certificate Export Wizard. Click Next to continue.


Select Yes, export the private key, and click Next.


The .pfx option is now enabled. Leave Enable certificate privacy unchecked.


Enter your desired password and select the appropriate encryption algorithm.


Enter the file name and click Save.


Under File name, enter the name you wish to give the exported certificate and click Next.


If the export is successful, the Certificate Export Wizard shows a success window.


Now you can import this certificate into the “Trusted Root Certification Authorities” store. An alternative is to use the command-line tool; see the following link for the steps.
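The whole procedure above (create the certificate, set a PFX password, export the PFX, and trust the public part) can also be done from PowerShell without the wizard. The following script is an added example, not code from the original post; the output directory, the one-year validity and the use of Read-Host for the password are assumptions, and the DNS name is the placeholder used in the post.

```powershell
# Added example (not from the original post): create a self-signed certificate,
# export it to PFX with a password, and import only the public certificate
# into Trusted Root Certification Authorities.
# Assumptions: elevated Windows PowerShell / PowerShell 7 on Windows;
# $dnsName and $outputDir are placeholders to replace.

$dnsName   = 'Techdarchivedc'        # placeholder from the post; use your host name
$outputDir = 'C:\Temp\certs'         # assumption
$pfxPath   = Join-Path $outputDir "$dnsName.pfx"
$cerPath   = Join-Path $outputDir "$dnsName.cer"

New-Item -ItemType Directory -Path $outputDir -Force | Out-Null

# Create the certificate in the LocalMachine\My (Personal) store.
# The key and hash parameters are stated explicitly so the post's warning about
# outdated algorithms is addressed in the command itself (RSA 2048, SHA-256),
# and the validity is limited to one year rather than left open-ended.
$cert = New-SelfSignedCertificate `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -DnsName $dnsName `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

Write-Output "Created certificate $($cert.Thumbprint) for $dnsName"

# Prompt for the PFX password instead of hard-coding it in the script.
# Read-Host -AsSecureString returns the SecureString Export-PfxCertificate expects.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Export certificate plus private key as PFX (the wizard's "Yes, export the private key").
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Export the public certificate only (DER .cer, no private key) for distribution.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Trust the public certificate on this machine (the post's final step, done from
# PowerShell). Only the .cer goes into Trusted Root; the PFX containing the private
# key should stay on the host that terminates TLS and be protected by its password.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify the PFX opens with the supplied password and actually carries the private key.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
if ($check.HasPrivateKey -and $check.Thumbprint -eq $cert.Thumbprint) {
    Write-Output "PFX verified: $pfxPath (expires $($check.NotAfter))"
} else {
    Write-Error "PFX verification failed for $pfxPath"
}
```

Run the script from an elevated prompt, since writing to Cert:\LocalMachine requires administrator rights. The verification step at the end catches the two most common mistakes with this procedure: exporting without the private key, and typing a password that does not match what the consuming application was given.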


Do you wish to make a shift from self-signed certificates to certificates as-a-service? Then request a demo from Keyfactor. This lets you obtain certificates through automated processes and APIs integrated directly with cloud-native tools like Jenkins, Ansible, Kubernetes, HashiCorp Vault, Istio, and others.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
