keytool -exportcert -alias androiddebugkey -keystore "C:\Users\Angie.android\debug.keystore" | "C:\OpenSSL\bin\openssl" sha1 -binary |"C:\OpenSSL\bin\openssl" base64
Related
Below, are the manual steps to generate a ca-cert.pem and respective client-cert.pem using Openssl (needed for Powershell MySql Connector). I would like to do the same thing automatically in the simplest way possible using only PowerShell 5; or, if not possible, with the help of a lightweight PowerShell Module.
1. Create key:
openssl genrsa 2048 > ca-key.pem
2. Create a ca-cert:
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
(enter respective attributes: i.e.,Country Name, State, Locality Name, etc.)
3. Create client certificate request:
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem
(enter same attributes as above)
4. Clean protected password:
openssl rsa -in client-key.pem -out client-key.pem
5. Verify client cert is OK:
openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
The closest I can get to doing this is create a self-signed certificate MyCert.cer file and export a respective MyCert.pfx file using the 3 lines below. Unfortunately, I don't think I'm even close. I'm hoping someone with more experience can help me to do this correctly in the simplest way possible.
$cert = New-SelfSignedCertificate -DnsName "CN=MyCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyLength 2048 -KeyAlgorithm "RSA" -KeyExportPolicy Exportable
Export-Certificate -Cert $cert -FilePath "C:\temp\MyCert.cer"
$cert | Export-PfxCertificate -FilePath "C:\temp\MyCert.pfx" -Password (ConvertTo-SecureString -String "password" -AsPlainText -Force)
I have the following code in Powershell:
$headerEncoded=openssl base64 -in header.json -A
$payloadEncoded=openssl base64 -in payload.json -A
$headerEncoded=$headerEncoded.Split('=')[0].Replace('+', '-').Replace('/', '_')
$payloadEncoded=$payloadEncoded.Split('=')[0].Replace('+', '-').Replace('/', '_')
$toBeSigned=$headerEncoded + "." + $payloadEncoded
$toBeSigned | Out-File -Encoding "UTF7" toBeSigned.txt -NoNewLine
openssl dgst -sha256 -sign jwtRS256.key toBeSigned.txt | openssl enc -base64 -A
In the last row in Powershell I try to sign the header + payload. However I get a different result in Powershell (wrong) as I run the same command in cmd.
Result Powershell:
3XGGUQX1wAHJ22dbOuJd25Bgn0wzRtl/9ZjMos+6lOuZM7a2OH1iR8Xe6R5PrSoObgREuXui9fOkxinHOD1FIwdudslAgEySYIJ67XlDswACPOVgdKAtfSTqMO0NCtCrSJs1XuikMkC9qrTkj5swcIK3HmG1hstvKYYTLh7U9/Bqrsn6jcNG/JQyaUVOiMdm9z9b/N7+ro3dg05ieFdR8o9gyhsXaRbqjdZvL53bSbs8CUdxpZFs3i+jQQO9PYZxZzX6/HzN6A+o/s+MhNnMYu75+mb4L7JQ2/Utzqp3xbtYKWe9WGvWd0uLN3aCmjPRHvtHk69Wl1QvMv5Nm0gT+p9fbZkXSPLREz/EXJpejbcYs8K9OX3iDoFLySfz8oLozwVstiaLngVO4K04cXcb2lMIHfD/z91buNw05/Cm0i7BSSx1leh5QTZSdwd89q6UkanNsok2HzBl9J9pBbOHsz59XXWk1GQUSBXWd+WsASaQML/IiIwYXWfxKxgooTPsJq3ezSXCDQp0UiX7erqUa0E3Eu3vXUjKbMZKljlKPCk5ewWK3LV4wrJpnKSIYBvuge0mag0KyBg84VrwRA0KABAQ8Qwss8bnaMVrOTBDk9kULRqDooz8ECivBfZzKr7Zy0l1UhMCOAWO8NfDoxKUGcP65qCInIR/AfHGAlV72EfpevZkDQo=
Result CMD:
3XGGUQX1wAHJ22dbOuJd25Bgn0wzRtl/9ZjMos+6lOuZM7a2OH1iR8Xe6R5PrSoObgREuXui9fOkxinHOD1FIwdudslAgEySYIJ67XlDswACPOVgdKAtfSTqMO0K0KtImzVe6KQyQL2qtOSPmzBwgrceYbWGy28phhMuHtT38GquyfqNw0b8lDJpRU6Ix2b3P1v83v6ujd2DTmJ4V1Hyj2DKGxdpFuqN1m8vndtJuzwJR3GlkWzeL6NBA709hnFnNfr8fM3oD6j+z4yE2cxi7vn6ZvgvslDb9S3OqnfFu1gpZ71Ya9Z3S4s3doKaM9Ee+0eTr1aXVC8y/k2bSBP6n19tmRdI8tETP8Rcml6Ntxizwr05feIOgUvJJ/PygujPBWy2JoueBU7grThxdxvaUwgd8P/P3Vu43DTn8KbSLsFJLHWV6HlBNlJ3B3z2rpSRqc2yiTYfMGX0n2kFs4ezPn1ddaTUZBRIFdZ35awBJpAwv8iIjBhdZ/ErGCihM+wmrd7NJcINdFIl+3q6lGtBNxLt711IymzGSpY5SjwpOXsFity1eMKyaZykiGAb7oHtJmoNyBg84VrwRAoAEBDxDCyzxudoxWs5MEOT2RQtGoOijPwQKK8F9nMqvtnLSXVSEwI4BY7w18OjEpQZw/rmoIichH8B8cYCVXvYR+l69mQ=
Content toBeSigned.txt:
ew0KICAiYWxnIjogIlJTMjU2IiwNCiAgImtpZCI6ICJ0ZXN0LWF1dG9tYXRpb24iDQp9.ew0KICAiZ2l2ZW5fbmFtZSI6ICJOaWNrIiwNCn0
I believe the problem resides with the pipe | in the last line of your script. In essence, the encoding is getting messed-up.
Here's a potential quick fix for the last line:
$toBeEncoded=openssl dgst -sha256 -sign jwtRS256.key toBeSigned.txt
$toBeEncoded | Out-File -Encoding "Default" toBeEncoded.txt -NoNewLine
openssl enc -base64 -A -in toBeEncoded.txt
If you want, you can add an -out jwtEncoded.txt at the end of the last openssl line here.
I need to create a certificate file, that should be in PKCS#8 format with DER encoding. I will use this certificate for encrypting/decrypting the SAML Assertions in AD B2C.
I have tried using the OpenSSL commands, but unable to achieve it.
Can someone please provide any steps or references to create the certificate file? I am using windows environment.
For B2C IEF Policy keys, you can export a certificate file as .pfx and upload the same on the portal.
You can check the doc here for the details:https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers#11-prepare-a-self-signed-certificate
Also you can use PowerShell to create and export the .pfx:
New-SelfSignedCertificate `
-KeyExportPolicy Exportable `
-Subject "CN=yourappname.yourtenant.onmicrosoft.com" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyUsage DigitalSignature `
-NotAfter (Get-Date).AddMonths(12) `
-CertStoreLocation "Cert:\CurrentUser\My"
$pwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
$thumbprint = (Get-ChildItem -Path cert:\CurrentUser\My\ | Where-Object{$_.Subject -eq "CN=yourappname.yourtenant.onmicrosoft.com"}).Thumbprint
$cert = "cert:\CurrentUser\My\$thumbprint"
Get-ChildItem -Path cert:\CurrentUser\My\$thumbprint | Export-PfxCertificate -FilePath C:\temp\B2CCert.pfx -Password $pwd
I already tried this in the lab and this PowerShell script would help you in exporting the newly created Self-Signed Certificate in .pfx format in the location "C:\temp\B2CCert.pfx".
You can just use the .pfx format certificate that got created above.
Do let us know if this works.
The problem
Create and install temporary certificates to sign
code in my development environment.
This has to be done with an unattended
script (without user interaction).
The legacy script
Right now, I have this script that creates the certificates using the deprecated tool makecert:
makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer
certutil -user -addstore Root MyCA.cer
certutil -addstore Root MyCA.cer
makecert -pe -n "CN=My Company" -a sha256 -cy end -sky signature -ic MyCA.cer -iv MyCA.pvk -sv MySPC.pvk MySPC.cer
pvk2pfx.exe -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx
certutil -f -user -p "" -importPFX MySPC.pfx
The above script creates 2 certificates:
MyCA.cer: A self-signed root authority certificate.
MySPC.cer: The cerificate to sign my code (signed with MyCA.cer).
This script also opens dialog boxes requesting a user password and user confirmation to install the certificate in the Trusted Root Certification Authorities Store. I need this to be done without user interaction.
The new script
Following this instructions, I rewrited the legacy script with powershell cmdlet New-SelfSignedCertificate. This is what I tried:
# Create a self-signed root authority certificate.
$rootCert = New-SelfSignedCertificate -KeyExportPolicy Exportable -CertStoreLocation cert:\CurrentUser\My -DnsName "Development Root CA" -NotAfter (Get-Date).AddYears(5) -KeyusageProperty All -KeyUsage CertSign,CRLSign,DigitalSignature
# Export the root authority private key.
[System.Security.SecureString] $password = ConvertTo-SecureString -String "passwordx" -Force -AsPlainText
[String] $rootCertPath = Join-Path -Path cert:\CurrentUser\My\ -ChildPath "$($rootcert.Thumbprint)"
Export-PfxCertificate -Cert $rootCertPath -FilePath "MyCA.pfx" -Password $password
Export-Certificate -Cert $rootCertPath -FilePath "MyCA.crt"
# Create a "MySPC" certificate signed by our root authority.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "MySPC" -TextExtension #("2.5.29.19={text}false") -KeyLength 2048 -Signer $rootCert -Type CodeSigningCert -KeyUsage None
# Save the signed certificate with private key into a PFX file and just the public key into a CRT file.
[String] $certPath = Join-Path -Path cert:\LocalMachine\My\ -ChildPath "$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath MySPC.pfx -Password $password
Export-Certificate -Cert $certPath -FilePath "MySPC.crt"
# Add MyCA certificate to the Trusted Root Certification Authorities.
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.import("MyCA.pfx", $password, "Exportable,PersistKeySet")
$store = new-object System.Security.Cryptography.X509Certificates.X509Store(
[System.Security.Cryptography.X509Certificates.StoreName]::Root,
"localmachine"
)
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
# Import certificate.
Import-PfxCertificate -FilePath MySPC.pfx cert:\CurrentUser\My -Password $password
The new script creates and install MyCA.cer and MySPC.cer without user interaction but these certificates are not the same than the previous ones. For example, When I look at MyCA.cer, the intended purposes are:
Proves your identity to a remote computer
Ensures the identity of a remote computer
All issuance policies
Rather than the expected:
All issuance policies
All application policies
Other problems
With makecert the certificate is created with the Basic Constraint:
Subject Type=CA, but I cannot create such constraint using
New-SelfSignedCertificate.
Finally, the MySPC.cer is unable to sign my code, it fails with an
error like "not valid for the selected purpose".
The Question
How can I generate the same certificates than the legacy script but in unattended way?
Thanks in advance.
EDIT
With changes proposed by Mötz, I'm able to sign but the error is raised in the validation. These are the commands:
Sign command
signtool.exe sign /v /a c:\git\...\Win32\det.dll
The following certificate was selected:
Issued to: XXXXXXXXXX
Issued by: My CA
Expires: Fri Dec 20 20:18:26 2019
SHA1 hash: 0440F2B76E5BBF1F9CB4D24EF5E5AA54F4F4C2E1
Done Adding Additional Store
Successfully signed: c:\git\...\Win32\det.dll
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Validation command
signtool.exe verify /pa /v c:\git\...\Win32\det.dll
Signature Index: 0 (Primary Signature)
Hash of file (sha1): E4EC8126CC9510610AF4FC72CC8722B81B171AE1
Signing Certificate Chain:
Issued to: My CA
Issued by: My CA
Expires: Thu Dec 21 01:14:52 2023
SHA1 hash: DA5B1972016D66294886CA3EDA2D4FEF245D7337
Issued to: XXXXXXXXX
Issued by: My CA
Expires: Sat Dec 21 01:24:53 2019
SHA1 hash: 3316486BAF0A53C1C3227F1E522FF776B6F32CC9
File is not timestamped.
SignTool Error: The signing certificate is not valid for the requested usage.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
The solution
The accepted solution includes all key things to resolve the problem (a huge thanks to Mötz). I'm including my final script with minor changes just to help others.
#
# This script will create and install two certificates:
# 1. `MyCA.cer`: A self-signed root authority certificate.
# 2. `MySPC.cer`: The cerificate to sign code in
# a development environment (signed with `MyCA.cer`).
#
# No user interaction is needed (unattended).
# Powershell 4.0 or higher is required.
#
# Define the expiration date for certificates.
$notAfter = (Get-Date).AddYears(10)
# Create a self-signed root Certificate Authority (CA).
$rootCert = New-SelfSignedCertificate -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My -DnsName "My CA" -NotAfter $notAfter -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}CA=1") -KeyusageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature
# Export the CA private key.
[System.Security.SecureString] $password = ConvertTo-SecureString -String "passwordx" -Force -AsPlainText
[String] $rootCertPath = Join-Path -Path cert:\CurrentUser\My\ -ChildPath "$($rootcert.Thumbprint)"
Export-PfxCertificate -Cert $rootCertPath -FilePath "MyCA.pfx" -Password $password
Export-Certificate -Cert $rootCertPath -FilePath "MyCA.crt"
# Create an end certificate signed by our CA.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "My Company Name" -NotAfter $notAfter -Signer $rootCert -Type CodeSigningCert -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}CA=0&pathlength=0")
# Save the signed certificate with private key into a PFX file and just the public key into a CRT file.
[String] $certPath = Join-Path -Path cert:\LocalMachine\My\ -ChildPath "$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath "MySPC.pfx" -Password $password
Export-Certificate -Cert $certPath -FilePath "MySPC.crt"
# Add MyCA certificate to the Trusted Root Certification Authorities.
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.import("MyCA.pfx", $password, "Exportable,PersistKeySet")
$store = new-object System.Security.Cryptography.X509Certificates.X509Store(
[System.Security.Cryptography.X509Certificates.StoreName]::Root,
"localmachine"
)
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
# Remove MyCA from CurrentUser to avoid issues when signing with "signtool.exe /a ..."
Remove-Item -Force "cert:\CurrentUser\My\$($rootCert.Thumbprint)"
# Import certificate.
Import-PfxCertificate -FilePath MySPC.pfx cert:\CurrentUser\My -Password $password -Exportable
I just tested your code with the signtool.exe coming from my Visual Studio 2017 installation and things seems to work.
So I would really like to see the code / command you use for signing the files. Even more I would like to see the real output from the error that you are seeing. Could you try your signing process manually / by hand at first, so we are sure that we are focusing on the correct issue?
With that said, I spent some time digging around to answer some of the other questions you had.
Solving the first part of you wanting to only see
All issuance policies
All application policies
This is solved with the TextExtension parameter:
-TextExtension #("2.5.29.37={text}1.3.6.1.4.1.311.10.12.1")
Solving the part that you wanted the
Subject Type = CA
This is solved with the TextExtension parameter:
-TextExtension #("2.5.29.19={text}CA=1&pathlength=3")
The path length is used to limit how many levels of children that can use the certificate. Please read more here. The value 3 is just something is used while testing.
We then need to combine those 2 different TextExtensions entries:
-TextExtension #("2.5.29.37={text}1.3.6.1.4.1.311.10.12.1", "2.5.29.19={text}CA=1&pathlength=3")
Which will have us write the updated script like this
$rootCert = New-SelfSignedCertificate -KeyExportPolicy Exportable -CertStoreLocation cert:\CurrentUser\My -DnsName "Development Root CA" -NotAfter (Get-Date).AddYears(5) -TextExtension #("2.5.29.37={text}1.3.6.1.4.1.311.10.12.1", "2.5.29.19={text}CA=1&pathlength=3") -KeyusageProperty All -KeyUsage CertSign,CRLSign,DigitalSignature
# Export the root authority private key.
[System.Security.SecureString] $password = ConvertTo-SecureString -String "passwordx" -Force -AsPlainText
[String] $rootCertPath = Join-Path -Path cert:\CurrentUser\My\ -ChildPath "$($rootcert.Thumbprint)"
Export-PfxCertificate -Cert $rootCertPath -FilePath "MyCA.pfx" -Password $password
Export-Certificate -Cert $rootCertPath -FilePath "MyCA.crt"
# Create a "MySPC" certificate signed by our root authority.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "MySPC" -Signer $rootCert -Type CodeSigningCert
# Save the signed certificate with private key into a PFX file and just the public key into a CRT file.
[String] $certPath = Join-Path -Path cert:\LocalMachine\My\ -ChildPath "$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath MySPC.pfx -Password $password
Export-Certificate -Cert $certPath -FilePath "MySPC.crt"
# Add MyCA certificate to the Trusted Root Certification Authorities.
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.import("MyCA.pfx", $password, "Exportable,PersistKeySet")
$store = new-object System.Security.Cryptography.X509Certificates.X509Store(
[System.Security.Cryptography.X509Certificates.StoreName]::Root,
"localmachine"
)
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
# Import certificate.
Import-PfxCertificate -FilePath MySPC.pfx cert:\CurrentUser\My -Password $password
But like I stated earlier, your code seems to generate the correct certificates because I was able to use the certificate it generated and sign an .net EXE file with it.
Before signing
Signing
SignTool sign /n "MySPC" 2LCS.exe
After signing
Update based on the new information
You need to specify the /pa switch on your verify command.
https://knowledge.digicert.com/solution/SO21771.html
https://learn.microsoft.com/en-us/windows/desktop/seccrypto/signtool
Question is if you would see the same with the makecert certificates?
Updated with working code
Your focus on the properties of the certificate got me down the wrong road. Based on a discussion from here I learned that we might need to have it created as a Class 3 code signing. I removed the 1.3.6.1.4.1.311.10.12.1 EKU extension and replaced it with 1.3.6.1.5.5.7.3.3. Please see below code example.
$rootCert = New-SelfSignedCertificate -KeyExportPolicy Exportable -CertStoreLocation cert:\CurrentUser\My -DnsName "Development Root CA" -NotAfter (Get-Date).AddYears(5) -TextExtension #("2.5.29.19={text}CA=1&pathlength=3", "2.5.29.37={text}1.3.6.1.5.5.7.3.3") -KeyusageProperty All -KeyUsage CertSign,CRLSign,DigitalSignature #-Type CodeSigningCert
# Export the root authority private key.
[System.Security.SecureString] $password = ConvertTo-SecureString -String "passwordx" -Force -AsPlainText
[String] $rootCertPath = Join-Path -Path cert:\CurrentUser\My\ -ChildPath "$($rootcert.Thumbprint)"
Export-PfxCertificate -Cert $rootCertPath -FilePath "MyCA.pfx" -Password $password
Export-Certificate -Cert $rootCertPath -FilePath "MyCA.crt"
# Create a "MySPC" certificate signed by our root authority.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "MySPC" -Signer $rootCert -Type CodeSigningCert
# Save the signed certificate with private key into a PFX file and just the public key into a CRT file.
[String] $certPath = Join-Path -Path cert:\LocalMachine\My\ -ChildPath "$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath MySPC.pfx -Password $password
Export-Certificate -Cert $certPath -FilePath "MySPC.crt"
# Add MyCA certificate to the Trusted Root Certification Authorities.
$pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.import("MyCA.pfx", $password, "Exportable,PersistKeySet")
$store = new-object System.Security.Cryptography.X509Certificates.X509Store(
[System.Security.Cryptography.X509Certificates.StoreName]::Root,
"localmachine"
)
$store.open("MaxAllowed")
$store.add($pfx)
$store.close()
# Import certificate.
Import-PfxCertificate -FilePath MySPC.pfx cert:\CurrentUser\My -Password $password
I ran the following signing command:
And after that I ran the verification command:
With that in place I believe that you should have a working solution. Please test it, verify and then extend it to include your timestamp signing as well.
Installation of certificate on cert store do by Certificate Propagation service.
So you can scan(Scan API) Certificate Propagation service and develop like it.
You can use API Monitor.
Theres a tool in powershell called New-SelfSignedCertificate that we can create selfsigned certificates for CA proposes.
But i just cant figure out if its possible to create child certificates issued/signed by that certificate created before by this New-SelfSignedCertificate. Actually i can do that with makecert.exe, but i would like to script it in powershell.
For example, in makecert.exe, i execute these commands:
1)Creating the CA cert: **makecert.exe** -sk RootCA -sky signature -pe -n CN=ca.com -r -sr LocalMachine -ss Root RootCA
2)Creating another cert for server signed by above CA: **makecert.exe** -sk server -sky exchange -pe -n CN=server.com -ir LocalMachine -is Root -ic RootCA -sr LocalMachine -ss My server.com
In powershell i just know to create a CA, using that command:
New-SelfSignedCertificate -DnsName "ca.com" -CertStoreLocation cert:Localmachine/My
But, how to create another cert signed by that one above?
Other thing, when I try to put the -CertStoreLocation = cert:Localmachine/**Root** i get an error message saying that i can only create a certificate in MY store (i already executing as administrator)
Thanks.
I am so sorry to be late to the party, I'm well aware it's been two years since this question was asked.
However, to share with those who may find this entry when searching - there is now a way (documented on this excellent blog by David Christiansen)
In summary,
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Your root CA name here"
Note down the thumbprint returned from this command.
Next, create a secure password and export the root CA into a file
PowerShell
$pwd = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
Export-PfxCertificate -cert cert:\localMachine\my\[CA thumbprint] -FilePath root-authority.pfx -Password $pwd
Export-Certificate -Cert cert:\localMachine\my\[CA thumbprint] -FilePath root-authority.crt
Note that the crt file does not need a password as it is the public component of the certificate.
Now load the signing certificate into memory and create a certificate signed by this cert, exporting it with a password.
$rootcert = ( Get-ChildItem -Path cert:\LocalMachine\My\[CA Thumbprint] )
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "Your DNS Name Here" -Signer $rootcert
Note down the thumbprint returned from the self-signed cert command to export it.
$pwd2 = ConvertTo-SecureString -String "Please-Use-A-Really-Strong-Password" -Force -AsPlainText
Export-PfxCertificate -cert cert:\localMachine\my\[Cert Thumbprint] -FilePath gateway-certificate.pfx -Password $pwd2
Export-Certificate -Cert cert:\localMachine\my\[Cert Thumbprint] -FilePath gateway.crt
it seems cumbersome to note the hashes of the certificates manually. it's simpler to do it like this:
# create root zertificate
$rootCert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "Root CA Name";
# export root certificate
[System.Security.SecureString]$rootcertPassword = ConvertTo-SecureString -String "znft5yeL34pxCu3nATlt1gMazX0NM8FVvr9yZOhcS79yJm8kUVjhA17UuWkQOb0u" -Force -AsPlainText;
[String]$rootCertPath = Join-Path -Path 'cert:\localMachine\my\' -ChildPath "$($rootcert.Thumbprint)";
Export-PfxCertificate -Cert $rootCertPath -FilePath 'root-authority.pfx' -Password $rootcertPassword; # private key
Export-Certificate -Cert $rootCertPath -FilePath 'root-authority.crt'; # public key
# use root certificate to sign gateway certificate
$gatewayCert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "*.example.com","*.example.org" -Signer $rootCert;
# export gateway certificate
[System.Security.SecureString]$gatewayCertPassword = ConvertTo-SecureString -String "Xc8FlsHq8hmLnKXk4AaD8ug6HYH2dpSWLjwg9eNeDIK103d3akbd0OccgZZ6bL48" -Force -AsPlainText;
[String]$gatewayCertPath = Join-Path -Path 'cert:\localMachine\my\' -ChildPath "$($gatewayCert.Thumbprint)";
Export-PfxCertificate -Cert $gatewayCertPath -FilePath gateway-certificate.pfx -Password $gatewayCertPassword; # private key
Export-Certificate -Cert $gatewayCertPath -FilePath gateway.crt; # public key
Also, for an prodution environment, you probably want to use ACMESharp to create free TLS certificates.