Bye Bye Makecert.exe

One of the goodness of PowerShell 5.0 on Windows 10 is that you can totally get rid of our brave old makecert.exe to create certificates. No more pain trying to remember where to download makecert.exe. You’ve now built in Windows 10 the New-SelfSignedCertificate cmdlet.

You can actually see the great improvements brought to the New-SelfSignedCertificate cmdlet if you compare its documentation for Windows 8.1 and its documenation page for Windows 10. Isn’t that awesome?

I’ll share 2 basic examples that will only scratch the surface of the extended capabilities of this cmdlet.

Here is an example to create a self-signed certificate used for code signing:

$HT = @{
 Subject = '';
 KeyLength = 2048;
 HashAlgorithm = 'SHA256';
 KeyUsage = 'DigitalSignature';
 KeyExportPolicy = 'Exportable';
 KeySpec = 'Signature';
 NotAfter = (Get-Date).AddYears(1) ;
 TextExtension = '{text}'
New-SelfSignedCertificate @HT

I’ve used the above code to create a certificate to sign PPKG files in a Windows 10 lab.

Here is a second example to create a self-signed certificate used for document/message encryption:

$HT = @{
 Subject = 'CN=me@contoso';
 KeyLength = 2048; 
 KeySpec = 'KeyExchange';
 HashAlgorithm = 'SHA1';
 KeyExportPolicy = 'Exportable';
 KeyUsage = 'KeyEncipherment','DataEncipherment' ;
 NotAfter = (Get-Date).AddYears(1);
 TextExtension = '{text}';
New-SelfSignedCertificate @HT

Now, you can start playing with the other goodness: the Protect-CmsMessage cmdlet

Here are a few links I bookmarked to get started on this topic:


One thought on “Bye Bye Makecert.exe

  1. Yeah, so while I truly wish this was accurate, it turns out you can’t throw out makecert.exe just yet. Some applications (ADFS, for example) do not accept the certificates that are created with New-SelfSignedCertificate, which is a real drag.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s