PowerShell – script to generate a self-signed Certificate – exploring New-SelfSignedCertificate CMDLET
Exploring - New-SelfSignedCertificate
Hi All,
Greetings !
Today new PowerShell script – one more script in our bucket
Background
- We are continuing series on Microsoft Graph PowerShell
- To execute Microsoft Graph PowerShell – we need to connect first to Microsoft Graph
- There are various options available to connect Microsoft Graph using Connect-MgGraph CMDLET
- One of the approach we are exploring is – connect Microsoft Graph using App ID (client id) and X.509 Certificate (self signed certificate)
Connect-MgGraph -ClientId "YOUR_APP_ID" -TenantId "YOUR_TENANT_ID" -CertificateThumbprint "YOUR_CERT_THUMBPRINT"OR
Connect-MgGraph -ClientId "YOUR_APP_ID" -TenantId "YOUR_TENANT_ID" -CertificateName "YOUR_CERT_SUBJECT"OR
$Cert = Get-ChildItem Cert:\currentuser\$CertThumbprint
Connect-MgGraph -ClientId "YOUR_APP_ID" -TenantId "YOUR_TENANT_ID" -Certificate $Cert- So to use we need certificate uploaded to our App
In this article I’ll be discussing – How to create self-signed (X.509) Certificate using PowerShell script
Steps to create a self-signed Certificate using PowerShell
- We will use the New-SelfSignedCertificate cmdlet to create a self-signed certificate
Example 1 – with simple one DNS name and certificate store location
$params = @{
DnsName = 'knowledgejunction1.sharepoint.com'
CertStoreLocation = 'Cert:\currentuser\My'
}
New-SelfSignedCertificate @params
Output:
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
D503552E2636588DC6AF951454ADF9C823CAC77E CN=knowledgejunction1.sharepoint.com 
- We have created this certificate in current user certificate store
- We could verify our certificate from current user certificate store
- Open certificate MMC console – run “certmgr.msc“
Example 2 – create the copy of certificate using CloneCert parameter
$OldCert = (Get-ChildItem -Path D503552E2636588DC6AF951454ADF9C823CAC77E)
$OldCert
New-SelfSignedCertificate -CloneCert $OldCert
Output:
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
D503552E2636588DC6AF951454ADF9C823CAC77E CN=knowledgejunction1.sharepoint.com
74C4E6E98FC9F7E2CE4B4EB365199EFA9F296456 CN=knowledgejunction1.sharepoint.com
- Here, we are fetching old certificate using Get-ChildItem with parameter –Path and value as Thumbprint of old certificate
Example 3 – create the certificate which expires in 6 month – NoAfter parameter
#Example 3 - create the copy of certificate using CloneCert parameter and expires in 6 months
$OldCert = (Get-ChildItem -Path D503552E2636588DC6AF951454ADF9C823CAC77E)
$OldCert
New-SelfSignedCertificate -CloneCert $OldCert -NotAfter (Get-Date).AddMonths(6)
Output:
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
D503552E2636588DC6AF951454ADF9C823CAC77E CN=knowledgejunction1.sharepoint.com
F97EF453D78E31BA3C6151BD066D92B7FCBD377B CN=knowledgejunction1.sharepoint.com We could check the expiry date by using Get-ChildItem as
Get-ChildItem -Path B6C506766A3F3606AAD9E33EDE041C3A62797411 | fl
Output:
Subject : CN=knowledgejunction1.sharepoint.com
Issuer : CN=knowledgejunction1.sharepoint.com
Thumbprint : B6C506766A3F3606AAD9E33EDE041C3A62797411
FriendlyName :
NotBefore : 1/20/2024 5:03:18 PM
NotAfter : 7/20/2024 5:13:18 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid}
Example 4 – create the certificate exploring Subject and Type parameter
#Example 4 - create the certificate exploring Subject and Type parameter
$params = @{
Subject = 'knowledgejunction1.sharepoint.com'
CertStoreLocation = 'Cert:\currentuser\My'
Type='Custom'
}
New-SelfSignedCertificate @params
Output:
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
02FA24832817EB1361AB35985A00257B209752BF CN=knowledgejunction1.sharepoint.com 
Exploring few parameters
- CertStoreLocation –
- Specifies the certificate store where new certificate will be stored
- Possible values are
Cert:\LocalMachine\My– current machine certificate storeCert:\CurrentUser\My– current user certificate store
- DnsName –
- Specifies one or more DNS names.
- First DNS name specified as – subject name
- Second DNS name specified as – Issuer name
- If only one DNS name is specified then it also saved as Issuer name – as we executed the CMDLET . Please check above snap
- CloneCert –
- This parameter is used to copy the existing certificate
- NoAfter –
- Specifies Date and Time as DateTime object – when the certificate expires
- We could use Get-Date CMDLET as we used in our code snippet
- Default value for this parameter is one year
Few Points
- By default certificate expires in one year once created
- By default certificate of type – “SSLServerAuthentication” is created
- Possible values for certificate type
- Custom
- CodeSigningCert
- DocumentEncryptionCert
- SSLServerAuthentication
- DocumentEncryptionCertLegacyCsp
REFERENCES
- New-SelfSignedCertificate – https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps
Thanks for reading ! Stay tuned for more articles on Microsoft Graph PowerShell and PowerShell !
HAPPY LEARNING AHEAD 🙂 LIFE IS BEAUTIFUL 🙂
1 Response
[…] Add certificate or client secrete to App ID. Here in this article we will use to create/generate certificate – PowerShell – script to generate a self-signed Certificate – exploring New-SelfSignedCertificate CMDLET – https://microsoft365hub.in/2024/01/20/powershell-script-to-generate-a-self-signed-certificate-explor… […]