Generating a self-signed certificate PFX file with Powershell

Sometimes you need a self-signed SSL certificate for an internal project, but perhaps you’re restricted from using a 3rd party tool such as OpenSSL. Maybe this is for security reasons, a lack of external internet connectivity, or maybe you’re just working on something small and you need a quick solution. Well, Microsoft has you covered, as the ability to self-sign a certificate in Windows is quite simple.

Open a PowerShell window as an Administrator (writing to the LocalMachine store requires elevation), then enter the following command, replacing computerhostname with the hostname of the server the certificate will live on, using the FQDN (ex. computername.local) if you can. -DnsName accepts several comma-separated names; each one is placed in the Subject Alternative Name extension, which is what browsers actually check:
New-SelfSignedCertificate -DnsName "computerhostname" -CertStoreLocation "cert:\LocalMachine\My"

By default the certificate is valid for one year, uses a 2048-bit RSA key and a SHA-256 signature, and is marked for Server and Client Authentication. Add -NotAfter, -KeyLength or -HashAlgorithm to the command if you need something different.

Then, Windows Key+R to open the run menu, type certlm.msc and press enter or click OK. This will open the Certificate Manager for the Local Machine.

To export the certificate together with its private key as a PFX file (a Personal Information Exchange file, i.e. a PKCS #12 bundle holding the public certificate and the private key), follow these steps. Because the file contains the private key, treat it as a secret and protect it with a strong password:

  1. On the left side of Certificate Manager, expand “Personal” then click Certificates.
  2. Right click the certificate you just created, then click All Tasks, then Export.
  3. Next > Yes, export the private key > Next > leave the defaults (Personal Information Exchange - PKCS #12, with "Include all certificates in the certification path if possible" and "Enable certificate privacy" checked) > Next > Password (enter your desired password, which you will need later to use the PFX file), change the Encryption to AES256-SHA256 (available on Windows 10 1709 / Server 2016 and later; TripleDES-SHA1 is the legacy option) > Next > Browse and give the PFX file a destination and a name (demo.pfx) > Next > Finish > OK.
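The same procedure can be done without the certlm.msc wizard, which is handy on a server where you only have a remote shell. The script below is an added example and is not part of the original article; the host names, the output path and the two-year validity are assumptions. It creates the certificate with several SAN entries, exports it with the same AES256-SHA256 protection the wizard offers, and then re-opens the PFX to prove the password and thumbprint match before the file goes anywhere.

```powershell
# Added example: self-signed TLS certificate in the LocalMachine store, exported to a
# password-protected PFX, entirely from an elevated PowerShell session.
# Host names, output path and validity below are assumptions for the example.

$dnsNames = @('computername.local', 'computername')   # assumed; every entry becomes a SAN
$pfxPath  = 'C:\certs\demo.pfx'                       # assumed output location
$pfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'

# Explicit key length, hash and validity instead of the 2048-bit / 1-year defaults.
$cert = New-SelfSignedCertificate `
    -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'demo self-signed' `
    -KeyAlgorithm RSA -KeyLength 4096 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -KeyExportPolicy Exportable

# Show what was actually issued: subject, SAN list, validity window and thumbprint.
$cert | Format-List Subject, DnsNameList, NotBefore, NotAfter, Thumbprint

New-Item -ItemType Directory -Force -Path (Split-Path $pfxPath) | Out-Null

# Export certificate + private key. AES256_SHA256 is the same choice as the wizard's
# "AES256-SHA256" encryption option (Windows 10 1709 / Server 2016 and later).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass `
    -CryptoAlgorithmOption AES256_SHA256 -ChainOption BuildChain | Out-Null

# Round-trip check: open the PFX with the password and compare thumbprints.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPass)
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'PFX thumbprint does not match the store certificate' }
if (-not $check.HasPrivateKey)              { throw 'PFX does not contain the private key' }
"Exported $pfxPath (thumbprint $($check.Thumbprint), expires $($check.NotAfter))"
```

Once the PFX is safely copied to its destination, consider removing the certificate and key from the local store with Remove-Item on Cert:\LocalMachine\My\<thumbprint> if the machine that generated it is not the one that will serve it.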

How to create PEM and PFX Certificates and Keys with OpenSSL

OpenSSL has become the de facto standard for generating certificates for casual needs. Here is how quickly you can create your own self-signed certificate and key pair. Whether you need a .PEM, .CER, .KEY or .PFX, this article has you covered.

  1. Open an elevated command prompt as Administrator.
  2. Browse to C:\Program Files\OpenSSL-Win64\bin or C:\Program Files (x86)\OpenSSL-Win32\bin (or wherever you installed OpenSSL).
  3. openssl genrsa -aes256 -out demo.key 4096
  4. openssl rsa -in demo.key -out demo.key
  5. openssl req -new -x509 -nodes -sha512 -key demo.key -out demo.crt -days 3650

In step 3, you can use 2048 bits on slower machines, or 4096 bits for a larger security margin. These days almost anything can handle a 4096-bit key, so I just stick with 4096. Note that step 3 encrypts the key with AES-256 and step 4 immediately writes it back out without the passphrase, so the net result is an unencrypted key file; if you want it to stay encrypted on disk, skip step 4 (step 5 will then prompt for the passphrase), and if you never wanted it encrypted, step 3 without -aes256 does the same in one command. In the screenshot you'll see I used SHA1 in step 5, but do not copy that: current browsers and TLS libraries reject SHA-1 signatures. SHA-256 is the baseline, and SHA-512 is fully supported nearly anywhere you're going to use these certificates in 2024 and beyond.

In step 5, you can replace ".key" and ".crt" with ".pem" if you prefer. OpenSSL writes PEM (Base64 between BEGIN/END lines) regardless of the extension, so the extension is only a hint to whatever consumes the file.

Also in step 5, you can specify a number of days. Since this certificate is self-signed there is no CA policy to stop you: 365 for one year, 3650 for 10 years, or even 36500 for a 100-year certificate. Be aware, though, that some clients enforce maximum lifetimes on TLS server certificates regardless of who issued them (Apple platforms, for example, reject server certificates valid for more than 825 days), so a very long validity can come back to bite you.

After you press Enter, it will ask a series of questions that should be simple to answer. When it asks for the server name or FQDN (the Common Name), it's best to enter the local machine name you'll be using the certificate on (ex. computername.local). You can skip the prompts entirely by adding -subj "/CN=computername.local" to the command. Note that modern browsers ignore the Common Name and only honour the Subject Alternative Name extension; with OpenSSL 1.1.1 or newer you can add one directly with -addext "subjectAltName=DNS:computername.local".

The result will be a pair of files in the "bin" folder from step 2, unless you gave -out a full path, which is usually a better idea than leaving private keys under Program Files. You should be able to upload these and use them wherever you need them.

But what about PFX files?

If you also need a PFX file (a Personal Information Exchange / PKCS #12 bundle that carries the certificate and the private key in a single file, which is what Windows and many appliances expect to import), you can generate one with one simple additional command. Because it contains the private key, copy it only to the system that will use it:
Step 6: openssl pkcs12 -export -out demo.pfx -inkey demo.key -in demo.crt

This will prompt you for a password that you will need to remember in order to use the PFX file in its final place. OpenSSL 3.x encrypts the bundle with AES-256 by default; if an older consumer refuses to import the file, re-run the command with -legacy to get the older RC2/3DES encoding it understands.
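Here are steps 3 through 6 of the OpenSSL procedure collected into one script, as an added example that is not part of the original article. It makes the changes a practitioner usually wants: the key is generated unencrypted in one command (equivalent to the encrypt-then-strip pair above), the subject is passed non-interactively, the host name goes into a subjectAltName extension, and the resulting key, certificate and PFX are checked against each other before you ship them. The openssl.exe location, the output directory, the host names and the 825-day validity are assumptions; -addext requires OpenSSL 1.1.1 or newer.

```powershell
# Added example: the article's OpenSSL steps as one PowerShell script, with SAN and checks.
# Paths, host names and validity are assumptions for the example.

$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumed install path
$outDir  = 'C:\certs'                                           # assumed; keeps keys out of Program Files
$fqdn    = 'computername.local'                                 # assumed FQDN for the server
$days    = 825   # assumed; some clients reject TLS server certs valid for longer than this

New-Item -ItemType Directory -Force -Path $outDir | Out-Null
Set-Location $outDir

# Step 3/4 combined: an unencrypted 4096-bit RSA key (what the article's two steps produce).
& $openssl genrsa -out demo.key 4096
if ($LASTEXITCODE -ne 0) { throw 'key generation failed' }

# Step 5: self-signed certificate. -subj replaces the interactive questions; -addext puts the
# names in the SAN, which is what browsers check, and marks the cert for server authentication.
& $openssl req -new -x509 -sha256 -key demo.key -out demo.crt -days $days `
    -subj "/CN=$fqdn" `
    -addext "subjectAltName=DNS:$fqdn,DNS:computername" `
    -addext "extendedKeyUsage=serverAuth"
if ($LASTEXITCODE -ne 0) { throw 'certificate generation failed' }

# Step 6: bundle key + cert into a PFX. The password is read as a SecureString so it does not
# land in the console history; it is still handed to openssl on its command line, so run this
# where no other local user can list process arguments. Add -legacy (OpenSSL 3.x) if an older
# consumer cannot read the AES-256 encoded file.
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'
$plain   = [System.Net.NetworkCredential]::new('', $pfxPass).Password
& $openssl pkcs12 -export -out demo.pfx -inkey demo.key -in demo.crt -passout "pass:$plain"
if ($LASTEXITCODE -ne 0) { throw 'PFX export failed' }

# Checks: print subject, SAN and validity, and confirm the key really belongs to the cert.
& $openssl x509 -in demo.crt -noout -subject -ext subjectAltName -dates
$keyMod  = & $openssl rsa  -in demo.key -noout -modulus
$certMod = & $openssl x509 -in demo.crt -noout -modulus
if ($keyMod -ne $certMod) { throw 'private key does not match certificate' }

# Confirm Windows itself can open the PFX with the password we set.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$outDir\demo.pfx", $pfxPass)
if (-not $pfx.HasPrivateKey) { throw 'PFX does not contain the private key' }
"PFX OK: $($pfx.Subject), expires $($pfx.NotAfter)"
```

The modulus comparison is the quickest way to catch the classic mistake of pairing a certificate with the wrong key file after a few rounds of regeneration; if it ever fails, the PFX would import but the server would fail its TLS handshake.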