Mar18

Written by: David Aldridge
3/18/2016 3:05 PM 

When you are setting up something like a webserver or an SSTP VPN, it can be useful to test with a self-signed certificate before buying a real one.  This is how to create one in Windows.

First you need to create a template text file describing the certificate you want - it should look something like this:

[NewRequest]
; At least one value must be set in this section
Subject = "CN=mydomain.example"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
;MachineKeySet = true
RequestType = Cert
UseExistingKeySet=false ;this generates a new private key (for export)
Exportable = true ;this makes the private key exportable


CN should be set to either the DNS name of the machine, or the IP address if you will be using that to connect instead.

Then open a command prompt and issue the following command:
certreq -new template.txt RequestFileOut

This will generate a self-signed certificate in your personal user store.  You can view it using the Certificates snap-in for your user account or from the command line:
certutil -store -user my

To be useful for either a webserver or SSTP connection you will need to export the certificate and import it into the local machine store.  Do the following at the command line:
certutil -exportpfx -user mydomain.example CERT.pfx NoChain

If you will be using it for SSTP, then import it into the personal store of the local machine using the Certificates MMC snap-in.
If you will be using it for IIS, then import it into the webserver store of the local machine using the Certificates MMC snap-in.
Finally, you will also have to import it into the Trusted Root CA store of the local machine, and do the same on each of the client machines you wish to connect with it.
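
The import steps above can also be scripted. The following is an added example, not part of the original post: it uses the PowerShell PKI cmdlets instead of the MMC snap-in, covers the SSTP case (personal store of the local machine), and places only the public certificate in the Trusted Root CA store so the private key stays on the server. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later with CERT.pfx in the current directory; mydomain.cer is a hypothetical output file name.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumptions: CERT.pfx is the file exported above; mydomain.cer is a hypothetical name.
$pfxPath = (Resolve-Path '.\CERT.pfx').Path
$cerPath = Join-Path $PWD.Path 'mydomain.cer'

# Password that was chosen when certutil -exportpfx prompted for one
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Server: import certificate and private key into the local machine personal store.
# -Exportable is not passed, so the key cannot be exported again from this store.
$cert = Import-PfxCertificate -FilePath $pfxPath `
                              -CertStoreLocation Cert:\LocalMachine\My `
                              -Password $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw "Imported certificate $($cert.Thumbprint) has no private key; the server cannot use it."
}

# Write the public certificate only (DER .cer, no key material).
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Trust the certificate on this machine.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Check: the trusted-root entry must exist, match the thumbprint and carry no private key.
$trusted = Get-Item -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)" -ErrorAction Stop
if ($trusted.HasPrivateKey) {
    Write-Warning 'Trusted Root entry has a private key attached; re-import it from the .cer file.'
}

'{0}  {1}  expires {2:yyyy-MM-dd}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# Each client: copy mydomain.cer (not CERT.pfx) to the machine, then run elevated:
#   Import-Certificate -FilePath .\mydomain.cer -CertStoreLocation Cert:\LocalMachine\Root
```

Delete CERT.pfx once the import has succeeded, since it contains the private key.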
