How to create a self-signed certificate that is valid for more than one year - WKB200306
OBJECTIVE or GOAL
Create a self-signed certificate that is valid for more than one year. Such certificates are less than ideal for production systems, but in some cases a self-signed certificate is the best option for a deployment, at least until the customer can obtain a certificate for the server from either an in-house CA or a third-party CA. The New-SelfSignedCertificate cmdlet issues certificates that are valid for one year by default, but with the process below they can be generated with a validity period of any length.
ENVIRONMENT
- Windows Server 2012, 2016, 2019
PROCEDURE
With PowerShell v4.0 or later (the extended parameters used below, such as -FriendlyName, -KeyUsage, -KeyLength, -NotBefore and -NotAfter, are provided by the PKI module that ships with Windows Server 2016 and later; the Server 2012 version of the cmdlet accepts only a smaller parameter set):
- Open a PS Console with Admin rights.
- Run the following command in the console. It will generate a new self-signed certificate using the machine's fully qualified domain name as the Issued To, Issued By and Subject Alternative Name (for a self-signed certificate the issuer is the subject itself); valid for three years from the present date; using a key length of 2048 bits; and with a "friendly name" equal to the machine's FQDN. It will be stored in the "LocalMachine\Personal" certificate store, and it will be automatically visible in IIS Manager \ Server Certificates:
- New-SelfSignedCertificate -FriendlyName ([System.Net.Dns]::GetHostEntry("").HostName) -DnsName ([System.Net.Dns]::GetHostEntry("").HostName) -KeyUsage DigitalSignature,KeyEncipherment -KeyLength 2048 -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(3) -CertStoreLocation Cert:\LocalMachine\My
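The same procedure as a complete script, added here as a worked example (it is not part of the original article). It builds the parameters with splatting, adds both the FQDN and the short hostname to the SAN, checks that the certificate that was actually issued has the validity, key usage and SAN that were requested, and exports the public half so it can be distributed to clients that must trust it. The three-year period and the export path are assumptions; run it in an elevated PowerShell console.

```powershell
# Added example, not the KB article's own command. Assumes an elevated PowerShell 4.0+
# console with the Windows Server 2016+ PKI module (needed for -KeyUsage, -NotAfter, etc.).

$fqdn     = [System.Net.Dns]::GetHostEntry("").HostName   # e.g. web01.corp.example (assumed name)
$hostname = $env:COMPUTERNAME                              # e.g. WEB01
$years    = 3                                              # validity period (assumption)

# The first -DnsName entry becomes the Subject CN; every entry is written into the SAN extension,
# so the same certificate also covers plain-hostname HTTPS access.
$params = @{
    FriendlyName      = $fqdn
    DnsName           = @($fqdn, $hostname)
    KeyUsage          = @('DigitalSignature', 'KeyEncipherment')
    KeyLength         = 2048
    NotBefore         = Get-Date
    NotAfter          = (Get-Date).AddYears($years)
    CertStoreLocation = 'Cert:\LocalMachine\My'
}
$cert = New-SelfSignedCertificate @params

# Verify what was actually issued before pointing IIS at it.
$cert | Format-List Subject, Issuer, FriendlyName, NotBefore, NotAfter, Thumbprint

$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$ku  = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
}
"SAN:       " + $san.Format($false)
"Key usage: " + $ku.KeyUsages

# Fail loudly if the validity or key usage silently fell back to defaults (one year, no DigitalSignature).
if ($cert.NotAfter -lt (Get-Date).AddYears($years).AddDays(-1)) {
    throw "Certificate validity is shorter than the requested $years years"
}
if (-not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
    throw "Certificate lacks the DigitalSignature key usage that some browsers require"
}

# Export the public certificate only (no private key) so clients can import it into their
# Trusted Root Certification Authorities store. Path is an assumption.
$cerPath = Join-Path $env:TEMP "$fqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
"Public certificate exported to $cerPath; thumbprint $($cert.Thumbprint)"
```

Because the private key stays in the LocalMachine\My store, the exported .cer is safe to hand to clients; it is only the public certificate they need in order to stop warning about the untrusted issuer.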
ADDITIONAL INFORMATION
The cmdlet can also create a certificate that is issued to a hostname rather than a fully qualified domain name, for the rare cases in which the server needs to be accessible via HTTPS by its short hostname: pass the hostname to -DnsName instead of the FQDN, or pass both (the parameter accepts several names; the first becomes the Subject, and all of them are placed in the Subject Alternative Name).
Use of the PowerShell New-SelfSignedCertificate cmdlet is preferred over other methods (such as the IIS Manager "Create Self-Signed Certificate" dialog) because it allows far greater control of the certificate's properties. In particular, some Web browsers reject self-signed certificates if the Key Usage property on the certificate from the Web server does not include "DigitalSignature", and current browsers also require the server name to be present in the Subject Alternative Name, which -DnsName provides. Note as well that some clients, including Apple platforms since 2019, reject TLS server certificates whose validity period exceeds 825 days regardless of issuer, so a three-year certificate may still be refused by those clients. The cmdlet allows precise control over each of these properties of the generated certificate.