Creating a local SSL certificate hierarchy with Windows PowerShell

Often times when playing with new technologies you are required to utilize SSL certificates and not everyone has access to and enterprise Certificate Authority. Here is how you can create one with Windows PowerShell on Windows 10.

Create a simple hierarchy of certificates.

  • Local Root Certificate Authority (CA)
    • This will be used to sign the Server and Client certificate.
  • Server Certificate
    • This will be used to bind the HTTPS service to the specified port.
  • Client Certificate
    • This will be used when you access the SSL service.

Keep in mind that the purpose of these certificates is to verify that the client and server certificates have been signed by the same Certificate Authority.

Create the Root Certificate Authority

To get started here is a command to create the CA:


$rootCAparams = @{
  DnsName = 'PowerShellDemo.io Root Cert'
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-Date).AddYears(5)
  CertStoreLocation = 'Cert:\LocalMachine\My'
  KeyUsage = 'CertSign','CRLSign' #fixes invalid certificate error
}

Create and view the Certificate

$rootCA = New-SelfSignedCertificate @rootCAparams
$rootCA

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  8576D38B872A1C3E7AA363BDC1DA0300CF2E7E88 CN=PowerShellDemo.io Root Cert

Add/Import the new RootCA to the ‘Root’ Certificate Store

$CertStore = New-Object -TypeName `
  System.Security.Cryptography.X509Certificates.X509Store(
  [System.Security.Cryptography.X509Certificates.StoreName]::Root,
  'LocalMachine')
$CertStore.open('MaxAllowed')
$CertStore.add($rootCA)
$CertStore.close()

Now you can use the newly created RootCA to sign the Server and Client Certificate.

Creating the Server certificate:


$params = @{
  DnsName = 'Server.PowerShellDemo.io'
  Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-Date).AddYears(2)
  CertStoreLocation = 'Cert:\LocalMachine\My'
}

$ServerCert = New-SelfSignedCertificate @params
$ServerCert

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  F17FD4BC4D14EF9E2CBE6A55A2D855D830FE23D0 CN=Server.PowerShellDemo.io

Creating the Client Certificate:


$params = @{
  DnsName = 'DemoClient.PowerShellDemo.io'
  FriendlyName = 'DemoClient'
  Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
  KeyLength = 2048
  KeyAlgorithm = 'RSA'
  HashAlgorithm = 'SHA256'
  KeyExportPolicy = 'Exportable'
  NotAfter = (Get-Date).AddYears(2)
  CertStoreLocation = 'Cert:\LocalMachine\My'
}
$ClientCert = New-SelfSignedCertificate @params
$ClientCert

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  B2B3497FE918666C5CCB7AEE178C8134D61E8F95 CN=DemoClient.PowerShellDemo.io

Doing ‘Stuff’ with Certificates

To view the newly created certificates use ‘Get-ChildItem’ on the Certificate Store path.


Get-ChildItem -Path Cert:\LocalMachine\My\

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

  Thumbprint Subject
  ---------- -------
  F17FD4BC4D14EF9E2CBE6A55A2D855D830FE23D0 CN=Server.PowerShellDemo.io
  B2B3497FE918666C5CCB7AEE178C8134D61E8F95 CN=DemoClient.PowerShellDemo.io
  8576D38B872A1C3E7AA363BDC1DA0300CF2E7E88 CN=PowerShellDemo.io Root Cert

Also be sure to validate that the RootCA is listed in the Root Certificate store:


Get-ChildItem -Path Cert:\LocalMachine\Root\

  PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

  Thumbprint Subject
  ---------- -------
  CDD4EEAE6000AC7F40C3802C171E30148030C072 CN=Microsoft Root Certificate Auth...
  BE36A4562FB2EE05DBB3D32323ADF445084ED656 CN=Thawte Timestamping CA, OU=Thaw...
  A43489159A520F0D93D032CCAF37E7FE20A8B419 CN=Microsoft Root Authority, OU=Mi...
  92B46C76E13054E104F230517E6E504D43AB10B5 CN=Symantec Enterprise Mobile Root...
  8F43288AD272F3103B6FB1428485EA3014C0BCFE CN=Microsoft Root Certificate Auth...
  8576D38B872A1C3E7AA363BDC1DA0300CF2E7E88 CN=PowerShellDemo.io Root Cert
  7F88CD7223F3C813818C994614A89C99FA3B5247 CN=Microsoft Authenticode(tm) Root...

# This list was cropped, expect to see additional entries.

Using Certificates as PowerShell variables/objects

To set a certificate to a variable run the following command specifying which Common Name (CN) you want, and you can specify properties of the object, such as the Thumbprint:


$ServerCert = Get-ChildItem -Path Cert:\LocalMachine\My\ |
Where-Object { $_.Subject -eq 'CN=Server.PowerShellDemo.io'}

$ServerThumbprint = $ServerCert.Thumbprint

That’s it! You now have a simple Certificate Hierarchy with a RootCA, Server and Client certificate to use in a lab!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s