new-SelfsignedCertificate cmdlet

This topic contains 8 replies, has 5 voices, and was last updated by Malcolm Gilbert 1 year, 7 months ago.

  • #13162
    tony ward


    I recently watched the MVA PowerShell 3.0 Jump Start with Jeffrey Snover and Jason Helmick. Brilliantly informative, as were the follow-up sessions on advanced PS tools. There was one section in the presentation where Jeffrey went into detail about using self-signed certificates for signing scripts, although he brushed over the use of the cmdlet New-SelfSignedCertificate for generating his code-signing certificates. Frustratingly, this was the part I wanted to understand, as I have previously used makecert.exe to generate the correct type of certificates. I did some research using help and looking online, but there's not much out there at the moment.
    I ended up running the following to create a certificate ...
    $cert = New-SelfSignedCertificate -DnsName localhost, $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My

    But this does not seem to generate a code-signing certificate, as when I then run:

    dir Cert:\LocalMachine\My -Recurse -CodeSigningCert

    nothing shows up.
    It does appear without the -CodeSigningCert switch.

    How did Jeffrey create code-signing certificates?


  • #13163
    Jason Helmick

    Hi Tony!

    Glad the MVA was helpful. Take a look at the help file About_Signing. The entire process is listed step-by-step, and if you get stuck, I'll be happy to help. One question I wasn't clear on: do you want to use a real code signing certificate or a self-signed one? The About_Signing demonstrates creating a self-signed one (New-SelfSignedCertificate), but if you need a real code signing certificate you will need to purchase and install one before the command to sign a script will work. You can also create one using ADCS.

    Take a look at that help file and let me know if you get stuck.



  • #13164
    tony ward

    Hi Jason!
    Thanks for getting back.
    I pretty much used the about_Signing help file originally when using makecert, and my current updated help file still shows makecert.exe with a reference to New-SelfSignedCertificate. It doesn't tell you much about the new cmdlet though, it just refers to the help for New-SelfSignedCertificate.
    From what I can gather, New-SelfSignedCertificate will let me clone a certificate (I don't have one to clone) or create an SSL certificate with a default set of values. Not the type I'm after.
    Just to confirm, I want to use the New-SelfSignedCertificate cmdlet to generate my own code-signing certificates on my local machine only. I can go back to makecert, but in your presentation Jeffrey did say he created his using this cmdlet.


  • #13170
    Jason Helmick

    Hi Tony!

    I would use the MakeCert — I don't think that New-SelfSignedCertificate creates a certificate suitable for code signing, although it would seem to clone an existing one. The one it creates works fine for SSL testing. Perhaps someone on the forums can correct me. As an example, this DOES NOT produce the intended result of a code signing certificate.

    New-SelfSignedCertificate -DnsName -CertStoreLocation cert:\LocalMachine\My
    $cert=Get-ChildItem -Path cert:\Localmachine\My | Where{$_.Subject -like "*company*"}
    Set-AuthenticodeSignature -FilePath C:\scripts\test.ps1 -Certificate $cert

    I've used MakeCert very successfully, and of course ADCS. Perhaps consider making a code signing cert with MakeCert or ADCS, then cloning it when needed?

    Does that help?

  • #13176
    tony ward

    Thanks Jason,
    I'm glad you found it behaved the same way. I'll continue with makecert for now and wait for an update. Out of interest, which type of code-signing certificates can be cloned for this? The ones bundled with the OS or specific CA roots?

  • #13680
    Istvan Szarka


    I'm watching the same course on MVA and I enjoy it a LOT! You guys make those things so easy and fun to understand that it's a pleasure to learn!
    However, I'm running into the same problem, that is, I cannot create a self-signed cert.
    I've checked out the about_signing help file, where it says:

    "The New-SelfSignedCertificate cmdlet, introduced in the PKI module
    in Windows PowerShell 3.0, creates a self-signed certificate that is
    Appropriate for testing. For more information, see the help
    topic for the New-SelfSignedCertificate cmdlet."


    "To create a self-signed certificate in use the New-SelfSignedCertificate
    cmdlet in the PKI module. This module is introduced in Windows PowerShell
    3.0 and is included in Windows 8 and Windows Server 2012. For more
    information, see the help topic for the New-SelfSignedCertificate cmdlet.

    To create a self-signed certificate in earlier versions of Windows, use
    the Certificate Creation tool (MakeCert.exe). This tool is included in
    the Microsoft .NET Framework SDK (versions 1.1 and later) and in the
    Microsoft Windows SDK."

    I tried to run makecert.exe in cmd and PS, but I get an error saying that makecert isn't recognized as a command.
    I also checked the help file for New-SelfSignedCertificate, but I couldn't figure out anything.

    I'm able to create a cert with this command, but when I try to sign the script, I get this error:

    "Set-AuthenticodeSignature : Cannot bind argument to parameter 'Certificate' because it is null.
    At line:1 char:36
    + Set-AuthenticodeSignature test.ps1 $cert
    + ~~~~~
    + CategoryInfo : InvalidData: (:) [Set-AuthenticodeSignature], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.SetAuthenti

    I'm stuck.
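
    The null-certificate error above is the signing step being handed an empty result from the store lookup. As an added diagnostic (my code, not from the thread or from Microsoft), the snippet below lists what is in the personal store and reports whether each certificate carries the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3), which is what both the -CodeSigningCert switch and Set-AuthenticodeSignature look for; a certificate created with only -DnsName gets the Server Authentication EKU instead. The Test-CodeSigningCert function name is my own.

```powershell
# Added diagnostic, not from the thread: shows why
# "dir Cert:\... -CodeSigningCert" comes back empty and $cert ends up $null.
# Authenticode signing needs a certificate whose Enhanced Key Usage (EKU)
# contains the Code Signing OID 1.3.6.1.5.5.7.3.3; the -CodeSigningCert
# switch filters on that. A cert made with only -DnsName gets the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) instead.

$codeSigningOid = '1.3.6.1.5.5.7.3.3'

function Test-CodeSigningCert {
    # Hypothetical helper name; takes X509Certificate2 objects from the pipeline.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # EKU extensions are exposed as X509EnhancedKeyUsageExtension objects.
        $ekuExtensions = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @()
        foreach ($ext in $ekuExtensions) {
            $oids += $ext.EnhancedKeyUsages | ForEach-Object Value
        }
        [pscustomobject]@{
            Thumbprint    = $Certificate.Thumbprint
            Subject       = $Certificate.Subject
            HasPrivateKey = $Certificate.HasPrivateKey   # signing needs the private half
            EKUs          = ($oids -join ', ')
            CodeSigning   = ($oids -contains $codeSigningOid)
            NotAfter      = $Certificate.NotAfter
        }
    }
}

# Inspect every cert in the personal store; only rows with CodeSigning = True
# (and HasPrivateKey = True) can be used by Set-AuthenticodeSignature.
Get-ChildItem Cert:\CurrentUser\My | Test-CodeSigningCert | Format-Table -AutoSize

# Guard the signing step so a missing cert fails with a readable message
# instead of the "Cannot bind argument to parameter 'Certificate'" error.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) {
    throw 'No code-signing certificate in Cert:\CurrentUser\My. Create one with ' +
          'New-SelfSignedCertificate -Type CodeSigningCert (Windows 10 / Server 2016 PKI module) or MakeCert.'
}
Set-AuthenticodeSignature -FilePath .\test.ps1 -Certificate $cert
```

    Run it in the same PowerShell session where the certificate was created; if every row shows CodeSigning = False, the certificate is an SSL test certificate and no amount of re-running the signing command will change that.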

  • #14813
    Abhimanyu rathore

    Is it necessary to have AD to generate a self-signed certificate?

    Here is the error I am getting:

    + CategoryInfo : NotSpecified: (:) [New-SelfSignedCertificate], InvalidStorePathException
    + FullyQualifiedErrorId : RuntimeException,Microsoft.CertificateServices.Commands.NewSelfSignedCertificateCommand

  • #15049
    Istvan Szarka

    I think it's not necessary. I can create self-signed certificates on my non-domain computer; the problem is that I cannot sign a script with them.

  • #32180
    Malcolm Gilbert

    I realize that this is a little late but I had the same problem as the OP.

    With a little experimentation I found that to use New-SelfSignedCertificate to generate a code-signing certificate you need to use the -Type parameter.

    New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -DnsName........... -Type CodeSigning

    Then the dir -CodeSigning -outVariable etc. examples in the MVA video will work.

    Unfortunately the generated certificate causes an error, "is not trusted by the trust provider", when added to the test.ps1 file.

    If anyone knows a solution to this I would be grateful.

    I have managed to create a valid codesigning certificate by following the steps in an article by Scott Hanselman at
    I would still like to be able to do it entirely in PowerShell if that's possible though.
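
    Putting the pieces of this thread together, here is an added end-to-end example (my code, not Malcolm's, Jason's or Microsoft's): create the certificate with the code-signing type, make it trusted so the "not trusted by the trust provider" status goes away, sign a script and verify the result. It assumes the Windows 10 / Server 2016 version of the PKI module, where -Type CodeSigningCert is the documented parameter value; the original Windows 8 / Server 2012 cmdlet only had -DnsName, -CertStoreLocation and -CloneCert, which is why the earlier posts could not get a code-signing certificate out of it. The subject name, file paths and the test script are constructed for the example, and everything stays in the CurrentUser stores, so it needs no admin rights and changes no machine-wide trust.

```powershell
# Added example, not from the thread: create, trust, sign, verify, all in PowerShell.
# Assumes the Windows 10 / Server 2016 PKI module (New-SelfSignedCertificate -Type).

$subject    = 'CN=Local Script Signing (test)'   # constructed subject name
$scriptPath = Join-Path $env:TEMP 'test.ps1'     # constructed sample script
Set-Content -Path $scriptPath -Value 'Write-Output "signed script ran"'

# 1. Create the certificate with the Code Signing EKU and a non-exportable
#    private key in the per-user personal store.
$cert = New-SelfSignedCertificate -Subject $subject -Type CodeSigningCert `
    -CertStoreLocation Cert:\CurrentUser\My -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(1)

# 2. Trust it. A self-signed certificate is its own root, so the public half goes
#    into Trusted Root (so the chain builds) and Trusted Publishers (so an AllSigned
#    policy accepts it). Only the public .cer is exported; the private key never
#    leaves Cert:\CurrentUser\My.
$cerPath = Join-Path $env:TEMP 'scriptsigning.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# 3. Sign. Look the certificate up through -CodeSigningCert, the same filter the
#    MVA demo uses, and pin it by thumbprint so the right key is used.
$signer = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Thumbprint -eq $cert.Thumbprint
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $signer -HashAlgorithm SHA256 | Out-Null

# 4. Verify. Status should be Valid; if step 2 is skipped it is UnknownError with
#    the "terminated in a root certificate which is not trusted by the trust
#    provider" message from the thread.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
if ($check.Status -ne 'Valid') {
    throw "Signature check failed: $($check.Status) - $($check.StatusMessage)"
}
"$scriptPath is signed by $($check.SignerCertificate.Subject), status $($check.Status)"
```

    Windows shows a confirmation dialog when a certificate is imported into the CurrentUser Root store; that prompt is the control against silently adding a new root, so expect it once. Anything signed with this key will now pass an AllSigned policy on that account, so leave the private key non-exportable (the default) and remove the Root and TrustedPublisher entries once testing is done. If the signature has to stay valid after the one-year certificate expires, Set-AuthenticodeSignature also accepts -TimestampServer with the URL of a timestamping service.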
