0

I'm trying to create a self-signed certificate on a Windows Server 2012 R2 machine using PowerShell. The intent is to redirect traffic from HTTP to HTTPS.

a. Do we always need a self-signed Root certificate before we create a client certificate? If yes, how do we repurpose an existing self-signed Root certificate?

b. If we are using the existing self-signed Root certificate to create a client certificate, the PowerShell commands that I see are not compatible with Windows Server 2012 R2. Can someone share the version-specific commands?

  • As it stands, this question is off topic for Stack Overflow. If you edit the question to both remove `a.` (I recommend asking this portion over at https://serverfault.com) and include the commands you tried that didn't work for `b.` (issues with commands used during scripting are *generally* [on topic here](https://stackoverflow.com/faq)) that should fit the requirements for a Stack Overflow question. – codewario Aug 23 '21 at 16:55
  • 2
    1) You probably don't need a "client certificate" as IIS HTTPS bindings require server certificates. 2) Upgrade PowerShell on your machine to the latest (PowerShell 7 for example) so that you can use latest commands. 3) Whether a self signed root certificate is needed depends on what commands you are using. – Lex Li Aug 23 '21 at 16:56
  • To add to this, I believe PowerShell 5.1 would be sufficient to use the cmdlets required for what OP is asking, but having PowerShell 7 installed is always a plus. – codewario Aug 23 '21 at 17:01
  • You can check the version of your PowerShell and install version 5.1 by referring to [this document](https://learn.microsoft.com/en-us/skypeforbusiness/set-up-your-computer-for-windows-powershell/download-and-install-windows-powershell-5-1). – Hury Shen Aug 25 '21 at 05:37

1 Answer

0

You can create a self-signed certificate with this command in Server 2019:

https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2019-ps

You can try the PSPKI module on Server 2012 R2:

https://github.com/PKISolutions/PSPKI

It contains the command `New-SelfSignedCertificateEx` that creates a self-signed cert.

A bunch of other methods to create self signed certs: https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8

In IIS you need to bind the certificate to your website. The certificate will not be trusted by your clients because it is self-signed. However, you can import the self-signed certificate to your client's local certificate store.

In case you want to build a proper environment, a PKI is needed.
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

Situ
  • 84
  • 3
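
The steps the answer describes (create the certificate, bind it to the IIS site, hand clients the public part to import), as an added example that is not part of the original answer. It uses only the three parameters the built-in `New-SelfSignedCertificate` accepts on Server 2012 R2; the host name, site name and export path are assumptions to replace with your own.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
# Assumed values: adjust to your environment.
$dnsName  = 'intranet.example.test'                     # constructed host name
$siteName = 'Default Web Site'                          # assumed IIS site name
$cerPath  = Join-Path $env:TEMP 'intranet-selfsigned.cer'

Import-Module WebAdministration

# On 2012 R2 the cmdlet accepts only -DnsName, -CertStoreLocation and -CloneCert.
# The subject and SAN are taken from -DnsName, which must match the URL clients use.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
                                  -CertStoreLocation 'Cert:\LocalMachine\My'

# Inspect what was actually issued before relying on it.
'{0}  expires {1:d}  signature {2}' -f $cert.Thumbprint, $cert.NotAfter,
                                       $cert.SignatureAlgorithm.FriendlyName
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
    Write-Warning 'Certificate is SHA-1 signed; current browsers will reject it.'
}

# Add an HTTPS binding if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate (by thumbprint, from the LocalMachine\My store).
# This fails if another certificate is already bound to the same IP:port;
# remove that binding first rather than forcing it.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Export the public certificate only. The private key stays on the server;
# do not distribute a .pfx to clients.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
"Public certificate written to $cerPath"

# On each client that must trust the site (elevated session), after copying
# the .cer file over a channel you trust and comparing its thumbprint with
# the value printed above:
#   Import-Certificate -FilePath .\intranet-selfsigned.cer `
#                      -CertStoreLocation Cert:\LocalMachine\Root
```

The HTTP to HTTPS redirect itself is configured separately in IIS; this block only makes the HTTPS endpoint available and trusted.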