Create Self Signed Certificate with PowerShell on Windows Server 2012 R2.

A little bit outdated. I know.

But customers do not always have the latest server versions running.

Today a customer asked me how to create a self-signed SSL certificate with "subject alternative names" (SAN) using PowerShell on Windows Server 2012 R2.

The default cmdlet "New-SelfSignedCertificate" does not have all of its features on this server OS.

The customer found a script, but it did not offer SAN. I found another one (in German) that gave me the other information…


I assembled both scripts. Here is the result.

# script assembled from these sources
#  -
#  -
# …by Ingo Karstein ( ik a.t.
# Useful e.g. on Windows Server 2012R2 because there is less functionality in cmdlet New-SelfSignedCertificate.
# The SSL cert is written to certstore "My" of "LocalMachine".
# Run from an elevated PowerShell session: the key is created in the machine context.

# Subject of the certificate (self-signed, so the issuer is the subject)
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=srv", 0)

# 4096-bit RSA key in the machine key store. The SDDL grants full control to SYSTEM (SY) and
# Administrators (BA) and read access to NETWORK SERVICE (NS), so IIS/HTTP.sys can use the key.
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1                # AT_KEYEXCHANGE
$key.Length = 4096
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()

# Enhanced Key Usage: Server Authentication (id-kp-serverAuth)
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")

$AlternativeNames=@("srv", "localhost")
# NOTE: the first IP entry was lost on the page; 127.0.0.1 is assumed here as the IPv4 loopback next to ::1
$AlternativeIPs=@("127.0.0.1", "::1")

$SAN = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
$IANs = New-Object -ComObject X509Enrollment.CAlternativeNames

# DNS names: XCN_CERT_ALT_NAME_DNS_NAME = 3
foreach ($SANstr in $AlternativeNames) {
    $IAN = New-Object -ComObject X509Enrollment.CAlternativeName
    $IAN.InitializeFromString(0x3, $SANstr)
    $IANs.Add($IAN)
}

# IP addresses: XCN_CERT_ALT_NAME_IP_ADDRESS = 8; InitializeFromRawData takes the raw address
# bytes as a string, here Base64 (XCN_CRYPT_STRING_BASE64 = 1)
foreach ($SANstr in $AlternativeIPs) {
    $IAI = New-Object -ComObject X509Enrollment.CAlternativeName
    $IAI.InitializeFromRawData(8, 0x1,
        [Convert]::ToBase64String(([System.Net.IPAddress] $SANstr).GetAddressBytes()))
    $IANs.Add($IAI)
}
$SAN.InitializeEncode($IANs)

$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.Add($serverauthoid)

$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

# Self-signed request bound to the key above; context 2 = machine
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = (get-date).AddDays(-1)
$cert.NotAfter = $cert.NotBefore.AddYears(50)
$cert.X509Extensions.Add($ekuext)
$cert.X509Extensions.Add($SAN)
$cert.Encode()

# Enroll: build the request, then install it into LocalMachine\My (2 = AllowUntrustedCertificate)
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)   # 0 = XCN_CRYPT_STRING_BASE64HEADER
$enrollment.InstallResponse(2, $certdata, 0, "")
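After the script has run, the practical question is whether the certificate in LocalMachine\My really carries the SAN entries and the Server Authentication EKU, since a certificate missing either will still install fine but will be rejected by browsers or by SSL bindings. The following check is an added example, not part of the original post or of Ingo Karstein's script; it assumes the subject "CN=srv", the DNS names "srv" and "localhost", and the IP addresses 127.0.0.1 and ::1 used above (127.0.0.1 being the assumed IPv4 entry), and relies only on the .NET X509 classes available on Windows Server 2012 R2.

```powershell
# Added verification example (not from the original post). Finds the newest
# certificate with the given subject in LocalMachine\My and reports whether the
# SAN, EKU and key properties match what the script above was meant to produce.
function Test-SelfSignedSan {
    param(
        [string]$Subject = 'CN=srv',                          # subject used by the script above
        [string[]]$ExpectedDnsNames = @('srv', 'localhost'),  # $AlternativeNames from the script
        [string[]]$ExpectedIPs = @('127.0.0.1', '::1')        # $AlternativeIPs (127.0.0.1 assumed)
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' found in LocalMachine\My" }

    # Subject Alternative Name extension is OID 2.5.29.17; Format($false) renders it on one
    # line as e.g. "DNS Name=srv, DNS Name=localhost, IP Address=127.0.0.1, IP Address=::1"
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) { throw "Certificate $($cert.Thumbprint) has no Subject Alternative Name extension" }
    $sanText = $sanExt.Format($false)

    $missingDns = @($ExpectedDnsNames | Where-Object { $sanText -notmatch "DNS Name=$([regex]::Escape($_))" })
    $missingIps = @($ExpectedIPs      | Where-Object { $sanText -notmatch "IP Address=$([regex]::Escape($_))" })

    # Enhanced Key Usage must contain Server Authentication (1.3.6.1.5.5.7.3.1) for TLS server use
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        SanEntries      = $sanText
        MissingDnsNames = $missingDns
        MissingIPs      = $missingIps
        ServerAuthEku   = $hasServerAuth
        KeyLengthBits   = $cert.PublicKey.Key.KeySize     # expected 4096
        HasPrivateKey   = $cert.HasPrivateKey             # key must be reachable in the machine store
        ValidNow        = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        Ok              = ($missingDns.Count -eq 0) -and ($missingIps.Count -eq 0) -and $hasServerAuth -and $cert.HasPrivateKey
    }
}

# Usage: run in an elevated session after the script above; Ok = True means the cert is usable for an SSL binding
Test-SelfSignedSan
```

If Ok comes back False, MissingDnsNames and MissingIPs name the SAN entries that were not encoded, and ServerAuthEku shows whether the EKU extension made it into the request. The check runs against the X509 object in the store, so it also catches a certificate that installed without its private key, which is the usual symptom when the key was created in the user context instead of the machine context.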
